Why insurers should review operational risk habits

In under two months, the International Financial Reporting Standards come into effect, exposing insurance firms around the world to more stringent conditions for reporting.

The global standardisation policy introduces insurance firms to a new regime where data visibility is a priority, making it easier for both regulators and shareholders to monitor performance.  In a bid to comply with standards, most underwriters are now working hard to improve their reporting technologies and systems, a process that has brought to the fore the previous inadequacies in accounting for operational risk. Operational risk is defined as the risk of loss resulting from inadequate internal processes, human error, technological error and/or external events, including changes in regulation. 

According to McKinsey, operational risk losses cost up to six per cent of insurance companies’ net income – in an industry with annual revenues of nearly $5 trillion. It is, therefore, a no-brainer that amidst a tough economic environment, companies must take charge of their operational risk management to remain competitive. A broadside categorisation of operational risk is process risk, people risk, systems risk, external risk and legal and compliance risk. However, translating this to the shopfloor, this speaks to issues such as execution risk, misconduct, cyber-attacks, data leakage, reputational crisis, and even faulty models in the case of insurance firms. These can be quite expensive and catastrophic to the business.

Operational risk management addresses efficiencies in the administration of a company’s resources, including its processes, people and technologies.  Progressive institutions must consistently study their systems, mapping out any gaps along entire value chains and setting up controls to mitigate the identified risk elements.  This effectively helps manage financial leakages, which very often do not just manifest on customer experience in abstract values, but rather have an impact on the financial bottom-line of businesses.

The same review process is required for people and technology assessment, where companies must capitalise on available data to set up controls for the optimiation of operational efficiency.

The review of technologies, for example, must check if the acquired equipment is fit for purpose, and adaptable to the changing needs of businesses.  This helps determine the continuity and recovery plans to institute for a seamless operation in case of system failure. It is also worth noting that in this age of innovation, forward-looking companies remain those that not only automate many of their business processes, but also their operational risk detection and response strategies.

The people element requires a granular review of employee value proposition to map out the optimum number of staff and skill set at each level. The industry best-practice uses matrices like the Segregation of Duty (SoD), which focuses on and the responsibility assignment (RACI) that outlines activities and deliverables assigned to teams.  The SoD is outward looking and studies the whole value chain to determine how the split of duties responds to the clients’ needs.  It is structured around the risk and control environment and uses risk indicators to help companies determine their risk appetite and appropriate management responses. RACI on the other hand is an inward-facing chart that maps out every task and decisions required for effective delivery of service.

The RACI matrix enables timely decision making as key stakeholders understand their respective roles and levels of intervention in different processes. However, a combination of both SoD and RACI matrices is necessary to create a scenario model for determining the likelihood of certain events happening, impact to the company and appropriate responses.

Overall, it is important to note that the insurance business is a complex network founded on risk, with players required to take up risk on behalf of other entities. It is, therefore, critical that risk management starts from within individual organisations

— Dennis Kiplang’at is the head of Operational Excellence and Analytics at Old Mutual