The first phase of a regulatory push towards operational resilience concludes at the end of the month. Insurers have made progress towards meeting the PRA’s expectations, but there is still a long journey ahead.
In this article we consider how insurers can continue to develop and enhance their approach to operational resilience by ensuring it complements existing, well embedded, operational risk activity.
Regulatory expectations - a quick recap
The PRA defines operational resilience as “the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them”.
In March 2021 the PRA set out its operational risk expectations in supervisory statement SS1/21. In summary, insurers are required to:
- Identify important business services
- Set impact tolerances
- Map out key people, processes, and technology for each service
- Undertake disruption scenario testing
The PRA expects that firms will have carried out at least (1) and (2) by 31 March 2022. In practice, it will be difficult for firms to set impact tolerances without having undertaken at least some process mapping and scenario testing, so some progress towards (3) and (4) will be required prior to the deadline as well.
By 31 March 2025, firms must ensure that their important business services will remain within the stated impact tolerances in the event of severe but plausible disruption scenarios. In order to be able to demonstrate this, firms will need to continue to enhance their approach to operational resilience and strengthen key business processes that are shown to easily fall outside of tolerance.
Risk and resilience – strengthening each other
Many firms have developed their operational resilience frameworks separately from day-to-day risk management. Going forward, it becomes increasingly important to embed operational resilience in a way that works alongside or enhances existing operational risk activity. The below are key examples of how each can complement the other.
1) Identifying risks and setting appetites
In the past, a common approach to identifying operational risk was via discussions with experts in each individual department. Such an approach has its merits but can lead to a compartmentalised or siloed view that misses systemic or cross-departmental risks (for example, identifying critical software in each department but overlooking that all of it is hosted by a single cloud provider).
This traditional approach is naturally complemented by the much deeper end-to-end process mapping that the PRA expects for operational resilience. There is an opportunity for risk teams to use these mapping exercises to examine those operational risks that span departments and ensure that they are well captured in risk frameworks and subject to appropriate controls.
In addition, operational resilience requires firms to consider the consumer impact arising from disruption. Risk teams should adapt risk registers and frameworks to ensure they fully capture this added dimension. Traditionally, risks are ranked by financial impact, rather than focusing on the impact on policyholders. Unless risk registers and reporting are updated to consider both aspects, there is a danger of appearing to communicate mixed messages from resilience and risk reporting.
2) Stress and scenario testing
Going forwards, insurers will need to demonstrate that important business services will not exceed their impact tolerances by performing relevant and realistic stress and scenario tests. This is an area the PRA expects firms to continue developing after the 31 March 2022 deadline.
A strong starting point for operational resilience testing is the existing stress / scenario testing undertaken for the ORSA exercise.
Making use of the operational risk scenarios for resilience purposes also leads to richer scenario testing overall and to an ORSA report that provides more impact. The traditional focus of stress and scenario testing is on operational risks with the highest perceived financial impact. Adding a resilience element allows the business to simultaneously see the financial impact and the operational impact on consumers.
With increased emphasis on scenario testing, and the tests providing greater operational value than before, firms have the opportunity to take these tests a step further and carry them out as practical exercises. We have seen some firms conducting “cyber drills” to practice handling network intrusions, but there is value to expanding this type of approach to cover a wider range of high impact scenarios.
3) Management prioritisation and risk response
Combining the output of operational risk modelling and resilience testing provides a much richer and more holistic picture of the risk profile of the business than either in isolation. This allows the risk team and Board to identify and focus more easily on the most important risks.
In practice, that enhanced risk focus will help firms take mitigating actions and implement control frameworks that are more proportionate to the risks that are faced. To obtain the full benefit, existing risk reporting thresholds and KPIs should be reviewed to accommodate the outcome of resilience testing, and the control framework reviewed and adapted to ensure it focusses on the key issues.
The bottom line
Insurers should seek to embed the PRA’s Operational Resilience requirements in a way that complements and enhances existing operational risk activity.
Actuaries are often deeply involved the existing risk modelling activity that forms part of the ORSA and capital modelling processes. Risk actuaries in particular should be pro-active about engaging with the wider business to ensure that the potential synergies between operational risk and resilience are realised.
A business that effectively combines operational risk management and resilience will be in a stronger place to manage both and thus be in a better place to respond to the next financial crisis, global pandemic, or whatever else the future holds.
As published in The Actuarial Post, March, 2022. Original article here.