Principles of Operational Risk Management and Measurement
September 2014
Full Members: Aegon, Allianz, Aviva, AXA, Achmea, Ageas, Generali, Groupama, Hannover Re, ING, Munich Re, Prudential, Swiss Re, Zurich Financial Services
Associate Members: Lloyds Banking Group, Manulife Financial, Old Mutual, RSA, Unipol, ACE, Legal and General, Chartis

Table of contents

Introduction 2
Executive summary 3
Part A: Best Practices 4
A1. Definition 4
A2. Governance and risk culture 5
A3. Framework for operational risk management 8
Part B: Quantification 14
B1. Introduction 14
B2. Objectives 14
B3. Model design 15
B4. Scenario analysis 15
B5. Model validation and governance 16
B6. Application of operational risk management and measurement 18

CRO Forum – September 2014

1

Introduction
The 2014 White Paper on Operational Risk is an update to the 2009 CRO Forum White Paper. The primary objective of the 2014 White Paper is to highlight the development of operational risk in the insurance industry and of the Solvency II regulatory framework. The 2014 White Paper summarizes the important principles and considerations that should form part of the best practices for the management of operational risk within an insurance company. Additionally, a section dedicated to the measurement of operational risk has been introduced with the aim of providing guidance and considerations on the quantitative aspect of operational risk. The premise of this White Paper is to present principles of operational risk management whilst maintaining focus on the important aspects of the quality of business and risk management processes.
The White Paper is intended to be proportional in all aspects and thus applicable to both larger and smaller insurance companies. Insurance and reinsurance companies differ from banks not only in respect of the business model, but also in respect of the risk profile. The latter is true for the high-level risk classes, where insurance companies assume “insurance risk” with their balance sheets; it is also true for the overall composition and weighting of the various operational risks faced by insurance companies1.
Unlike market or credit risks, where risk exposures are managed centrally, operational risk cannot be managed centrally and is the responsibility of every employee. As a result, robust operational risk management requires an appropriate governance structure and sponsorship from the executive management committee, accompanied by the right “tone from the top”. Operational risk management is particularly effective when the subject is involved early in senior management activities and decision-making processes.

1 Where this document refers to “insurance companies” it also implies that it is valid for both direct insurance companies and reinsurance companies.


Executive summary
Updating the 2009 White Paper on operational risk management had become necessary because of the substantial developments in the insurance industry in recent years. Whilst early adopters of this discipline looked to the banking models of operational risk, it became clear that insurance companies had to develop their own understanding and models to measure and manage this risk. The first part of this paper describes the principles for effective operational risk management in the insurance industry.
Insurers look to all industries to study their risk classes and risk profiles in order to implement what makes sense. Although they have largely adopted the same definition of operational risk, the risk profiles of the insurance industry are different. This is especially true as regards defining the insurance boundary event. However, a common issue is that responsibility for the awareness and mitigation of operational risk lies with every employee. Usually only a few individuals can expose insurance companies to extreme losses from insurance, financial, market or credit risks. In the case of operational risk, excessive exposure can be caused by any resource on which the execution of internal processes depends (people, systems, infrastructure, etc.).
To embed such risk awareness and culture it takes senior management commitment, a strong and clear “tone at the top” and defined roles and responsibilities for management and employees in the business, risk management, independent assurance and audit functions. In addition it takes a robust framework, which includes all elements from identification, measurement, monitoring through to control & mitigation activities as well as business resilience and continuity processes.
Embedding operational risk management into all processes of the end-to-end value chain is a key element and because of this it is important to involve senior management early in decision making processes. The quality of the business and risk management processes drives the effectiveness of the operational risk management framework.
The second part of the document dives deeper into the topic of the measurement of operational risk. This paper focuses on the scenario based approach and elaborates on the requirements and practices needed to support this method. This focus is not meant to suggest the superiority of this method above other approaches; it has been selected because it is recognized that a number of insurance companies use this method.
Risk measurement is also a vehicle for embedding risk culture into the organization, by allowing the prioritization of risk mitigation options and by confirming that exposures to risks are within the accepted level of tolerance of the organization. More generally, it also allows for more efficient deployment of capital and assures capital adequacy allocation.
The key to the scenario-based approach is the identification, assessment, challenge and validation of the relevant scenarios through expert judgment, supporting factors and senior management signoff. The clarity and the understanding of the chosen scenarios and appropriate governance around the process help ensure the necessary credibility.
As with many things, operational risk management and measurement require continuous improvement of the process and properly skilled people in the risk organization, in order for it to be effective and successful. Measurement of operational risk is not about finding the exact truth; it is about finding a reasonable numerical assessment with the aim to support the quality of (risk) management decisions.


Part A: Best Practices

The practices presented in this part of the paper are all related to each other, and should not be viewed in isolation.

A1.

Definition

Practice 1: Adopt a broad scope for the management of operational risk

According to global regulatory authorities, operational risk is generally defined as “the risk of loss due to failed or inadequate internal processes, systems, people and external events.” The definition includes legal and compliance risk but excludes strategic and reputational risks. This also represents the basic definition for the measurement of operational risk, e.g. calculation of required capital for operational risk.

As operational risk events can also lead to adverse consequences (beyond a pure loss) on business outcomes, it is important to capture the scope of these operational risk impacts beyond those generating financial operational risk losses. Therefore, a broader definition for the management of operational risks reads as:

“The risk of loss or other adverse consequences on business outcomes resulting from failed or inadequate internal processes, systems, people and external events.” This definition includes legal and compliance risk but excludes strategic and business risks.

The broader definition of operational risk provides for a more comprehensive assessment of risk across financial, operational, regulatory and reputational impacts to the business. Examples of the various impacts that an operational risk event can lead to include: unintended economic losses or gains, negative publicity, consumer detriment (conduct), censure from supervisory agencies, operational and business disruptions, damage to customer relationships and heightened regulatory scrutiny.

Possible reputational impacts following an operational risk event should be assessed as part of the operational risk management process. As a consequence of this definition, operational risk is inherent in all insurance products, activities, processes and systems and the management of such risk is a fundamental element of an insurer’s risk management program. In addition, activities or processes outsourced to third party service providers should be considered in the operational risk framework of the organisation.

There are different root causes of operational risk. Some illustrations include the following:

■ Internal processes: failure in the design and execution of core insurance and support processes such as sales and marketing, underwriting, policy issuance, customer billing and premium collection, reinsurance placement, claims payments, actuarial reserving and outsourcing processes;
■ Systems: inadequate data and security protections, weak access controls, unstable and overly complex systems, lack of adequate testing prior to production, deficient systems/tools;
■ People: human errors, fraud, unmanaged staff turnover, overreliance on key personnel, unmatched skills to job requirements, inadequate management oversight;
■ External events: natural disasters (floods, fires, earthquakes, etc.) as well as man-made disasters (terrorism, political and social unrest) may impact the ability to operate on an ongoing basis; changes in the regulatory environment including new regulations.

Note: ‘Insurance boundary events’ often stem from other risk events (insurance, market, credit) that are caused by operational failures in people, process, systems and/or from external elements. It is recommended for insurers to consider all boundary events for their management of operational risk.

A2.

Governance and risk culture

Practice 2: Ensure a strong “Tone at the top” – the board's role

Operational risk governance sets the “tone at the top” that is necessary to embed a strong risk management culture throughout the organisation. It should also promote adherence to the risk tolerance defined by the board or any other administrative, management or supervisory body (AMSB), while pursuing corporate objectives and adapting to the changing regulatory and market environments.

The AMSB should play a key role in establishing a robust operational risk management practice across the organization, with the need to:
■ Embed a strong operational risk management culture throughout the organization;
■ Establish, approve and periodically review the framework for operational risk management (FORM);
■ Monitor and approve the capital allocated to operational risk versus the risk profile of the insurer;
■ Oversee senior management to ensure effective implementation and communication across the organization; and
■ Approve and review the risk tolerance.
The risk culture of an insurance company should foster an open dialogue of risk issues at all levels with the appropriate reporting and escalation of the most significant risks. The organisation’s management should determine which risks it will choose to mitigate, transfer or accept according to the company’s overall risk appetite and tolerances.

It is important to understand that operational risks can be triggered by any employee of the company, whereas only a finite number of individuals can expose the firm to other risks such as insurance risks and financial risks like market and credit risk. Risk awareness and monitoring of compliance with corporate policies and standards should be implemented across the entire company. Therefore it is important that all employees have an understanding of the sources of operational risk within their day-to-day working environment. For this purpose, risk awareness programs together with operational risk policies and procedures play an important role.

Practice 3: Implement risk tolerances for operational risk
Operational risk is seen as a risk that cannot be avoided and comes as a consequence of doing business. From a semantic point of view, rather than setting an appetite, practitioners speak of setting a tolerance for operational risk.

Defining tolerances for operational risk is a key step in building a robust operational risk management framework. The tolerances serve to monitor and manage operational risk, by setting the limits and boundaries that will alert the governance structures to levels of exposure (up to and) beyond which management action needs to be triggered. Therefore, it is important that risk tolerances and limits for operational risk capture, as far as possible, the type and nature of the activities run by the insurance companies. For different categories of operational risk, different tolerances may apply, e.g. internal fraud, business continuity, etc.
Risk tolerances should allow the balancing of local and global views of managing risk. This can be a complex endeavour considering the diversity of business activities and countries in which insurance companies can operate, as well as the complexity in modelling operational risk drivers and compiling representative, historical event sets. One solution to consider, therefore, is to adopt different metrics to define exposure and tolerance to operational risk.
Risk tolerances should be measurable, even if based on qualitative assertions for the maximum acceptable risk. Insurance companies typically set limits for the amount of capital they accept. Depending on how sensitive the measurement of the capital charge is to operational risk drivers (standard formula as opposed to internal models), it may need to be complemented by other, non-capital related measures, in order that management actions can have an effective impact on exposure. Insurance companies may, for instance, develop scorecard operational risk self-assessment tools. Such tools, centred around drivers, can assess exposure to operational risk, and produce qualitative scores on which limits can be set. Other organisations may set limits on key risk or key performance indicators (e.g. staff turnover, budgeted losses, etc.) where they are reasonably satisfied that the indicator serves as a good proxy for exposure to drivers or effects of operational risk.
Measures developed at group level may be insufficient in capturing local requirements, leading local management to complement group frameworks (minimum standards) with measures developed to meet local business needs (including local regulation). Typically, where a loss data collection process is in place and used for both capital calculation and risk management purposes, the threshold set for reporting losses to the group operational risk function may be too high for the management teams of a subsidiary. In this case, local management may be required to set a lower threshold more appropriate to their size and complexity.
Therefore, it is sound practice that the AMSB, at group and/or local level, should approve and review operational risk tolerances, to ensure they are consistent with the overall framework and local needs for managing the risk. This gives senior management at all levels the remit to develop governance mechanisms appropriate for the size and nature of the activities (monitoring, escalation etc.) relating to the approved risk tolerances.
Guidelines
■ Recognizing a level of operational risk tolerance in the risk appetite framework that is commensurate with the fulfilment of business objectives helps to place focus on the management of the risk;
■ Define tolerances that are measurable and allow for active monitoring;
■ Define tolerances that capture the type and nature of the activities run by the insurance companies;
■ Consider, given the complexity in establishing a universal measure, more than one measure to define operational risk tolerance (group versus local considerations); and
■ Use both group and local metrics to capture local business specificities, but ensure that both are complementary/consistent.


Practice 4: Define clear roles and responsibilities for operational risk management capabilities
As part of an effective operational risk management framework, roles and responsibilities are defined according to the three lines of defence concept:

1. All employees of the organization have the primary responsibility of managing operational risk, and adopting the control framework as an inherent part of their day-to-day job (first line of defence role).
2. The oversight functions should have dedicated resources in charge of defining and maintaining the methodology and framework for operational risk (second line of defence role). Senior Management needs to ensure that there is a sufficient pool of skilled (risk management as well as business knowledge) and trained resources available. Main responsibilities should include:
– Advising senior management to identify operational risks and establish an effective risk based internal control system;
– Providing challenge and oversight to senior management validating that the internal control system is operating effectively across the company; and
– Implementing clearly defined policies and standards.
3. Internal audit provides an objective and independent assessment of the operational risk framework including risk management activities performed in both the first and second lines of defence (third line of defence role) as well as validation through independent testing.


A3.

Framework for operational risk management

Practice 5: Embed robust risk identification and assessment processes

The objective of the risk identification and assessment process is to articulate operational risk exposures using probability/impact techniques, to support the prioritisation of resources in the mitigation of these exposures. The scope of the identification and assessment process should be forward looking and cover the end-to-end business process, including outsourcing arrangements. Internal and external data should be utilised where possible to ensure that learning and thematic risks from across the industry are considered.
A risk profile is defined as an evaluation of a firm's willingness to take risks, as well as the threats to which a firm is exposed, given the firm's risk tolerance. Significant changes to the business environment should trigger a reassessment of the risks, so that the profile delivers a more dynamic risk insight.
While it is recognised that different techniques can be utilised to perform identification and assessment, a key success factor is delivering an integrated view of the risk assessment, drawn from different sources of data, including historic and forward-looking assessments. Presenting risk exposures on a probability/impact matrix to provide a risk profile is useful in ensuring that a clear view of risks is understood, in order to support appropriate treatment in mitigation, escalation and reporting.
Three approaches can be utilised to deliver an aggregated and holistic view of risk exposures:
a) Loss data collection and incident management
To improve the assessment of the overall risk profile, internal loss data can provide useful management insight in identifying risks, understanding root cause and assessing control adequacy. The collection of loss data should also capture information not usually obtained for pure measurement reasons, such as opportunity costs and reputational risks, albeit they may not be entirely quantifiable.
