Managing Day-to-Day Risk

November 30, 2008 | Last updated on October 1, 2024
Wesley Gill, Enterprise Risk Manager, SAS Canada

Operational risk is inherent in every aspect of insurance operations because management deals with losses incurred in day-to-day business operations, whether related to claims fraud, clerical errors, IT outages or other activities.

The management of risk has been around for a long time, but operational risk has become a focus for risk management professionals only in the last several decades. In the insurance sector, management practices are helping organizations identify the risks associated with people, processes, technology and events. As such, insurance companies have been motivated to develop and implement formal operational risk systems to help manage these risks.

In simple terms, these risk management systems are based on four basic steps: identify, measure, monitor and control. These steps seem easy enough until you start to look at what is involved to make them work across the organization in a way that minimizes effort and cost.

IDENTIFY

The challenge starts with the identification of operational risk. This requires an approach that identifies potential risks across the entire enterprise.

The most common approach is what many call a risk and control self-assessment (RCSA). In general, RCSA is enterprise-wide; it identifies and documents risks within day-to-day operations. Identified risks are then compiled for each business unit, along with descriptions of the risks, how they are being managed and/or mitigated and any action plans designed to lower the company’s risk exposure. Risks may be self-identified or identified by third parties (internal audits). Once the business unit has identified its risk exposure it then needs to develop action plans to mitigate the risks.

After the business units develop their RCSAs, they are typically submitted to a central group that compiles the RCSAs from all business units across the organization. The group then looks for systemic risk that may exist across multiple business units, preparing an enterprise-wide view of operational risks in the organization and actions being taken to address those risks.

Early on, many firms started the RCSA process by creating lists and expanding on them. But as organizations grew, and the process became more involved, simple lists weren’t sufficient. As a process develops within an organization, there is often a need to do more with the collected data. This might include creating summary reports, searching the data for common risks or events or manipulating the data for analysis. Thus, as operational risk practices such as RCSAs develop, many companies find an increasing need for an integrated platform that allows their business unit users to input identified risks and mitigating action plans, store the data and information, analyze data and investigate and report on the data and findings from multiple organizational perspectives. Many organizations quickly realize that information needs to be collected in a standardized way so that it can be aggregated, compared and used in other stages of the risk management process. This is especially important if operational risk processes are to be effective, efficient and economical. Without standardization, business units are at risk of reporting information in different ways, thus reducing the likelihood of having a cohesive organizational perspective. Without such a perspective, it would be next to impossible to understand systemic risk that might exist within the organization. Standardization helps companies organize, analyze and report on data in a cost-effective and efficient manner; it also helps to ensure the accuracy, completeness and timeliness of information. Additionally, this information must be stored in a manner so that other individuals can access it at other stages in the risk management process.

MEASURE

Once potential operational risks are identified, the next step is to measure their loss potential in terms of likelihood of occurrence, severity of loss and, for more sophisticated users, the amount of economic capital required to cushion financially against unexpected losses.

Quantifying operational risks requires combining data on current and potential risk (and their potential severity of loss) along with information on past risk and loss experience. This requires the organization to have a database from which it can extract past observations for use in developing measures for current risk exposures. Fortunately, many organizations have not experienced significant losses across all potential areas of exposure; as such, they need to supplement internal data with third-party data and/or market expertise to properly measure current risk exposure.

Technology plays a key role here. Many of these processes were once spreadsheet-based. However, spreadsheets are no longer effective. As the quantity and variety of data increases, so too does the complexity of acquiring, storing, manipulating, analyzing and reporting on it. This is where integrated data management and analytical/business intelligence solutions play a key role. The ability to handle structured (numbers) and unstructured (text) data is also critical.

This ability to collect, organize and analyze data allows an organization to measure risk and focus on preventable losses rather than chasing phantom risks that are unlikely to occur or risks that aren’t detrimental to business.

MONITOR AND CONTROL

Once risks have been identified and measured, the next stage in the process is to monitor and control risk, ensuring that business objectives are met.

In the RCSA process, this is done in two ways. First, RCSA is a living, ongoing process, as opposed to a one-time-only process. On a regular basis, most organizations ensure all business units update self-assessments and roll the results up to an enterprise view. Second, action plans coming out of the RCSA process need to be tracked to ensure progress is being made against plans to eliminate, mitigate or manage identified risks. By putting the RCSA process on an integrated platform, users are able to provide real-time updates to the risks they have identified and to add new risks as they arise. At the same time, those parties receiving and compiling the individual business unit RCSAs are able to use this up-to-date information to provide current views of the operational risk exposures across the enterprise. An informed management may thus take the appropriate action to manage the enterprise’s operational risks.

Insurance companies are always seeking new ways to ensure shareholder value and earnings consistency. To help accomplish these goals, insurance organizations often find they must pull information from many distinct and separate areas and compile it in order to get a complete picture of the enterprise’s risk profile and how it is being managed. Part of this process involves identifying operational risks affecting business units, measuring the risk, monitoring for changes in the enterprise risk profile and controlling risk through elimination, mitigation or management.

As insurers improve their operational risk management, they will be better positioned to safeguard policyholders’ interests, by ensuring their financial well-being while at the same time protecting sensitive information.

Sidebar: Technology as an Enabler

Today’s software solutions for insurance organizations are designed to measure and manage operational risk in a scientific way — not just for regulatory compliance purposes, but also for making sound business decisions.

To support the risk management process, IT managers play a crucial role in finding better ways to integrate disparate systems and leverage existing applications in order to reduce the resources required to maintain and extend user functionality.

Technology today enables the implementation of enhanced, integrated operational risk management frameworks by:

• consolidating data so you can apply a full range of risk-management techniques;

• providing unrivaled statistical modelling capabilities for robust econometric and time series analysis so you can apply modelling insights to data for more accurate risk measurement;

• applying consistent approaches that can be used across the organization and that support the production of coherent results;

• allowing analyses within specific time frames and the delivery of results in an easy-to-use manner;

• allowing users to access and understand risk measures across the enterprise so that everyone has a strategic vision (but without losing sight of granular details); and

• integrating easily with existing IT and management frameworks and providing an environment that meets current and future needs.
