A Study of Operational Risks in Insurance...

ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology (IJARCET)

Volume 5, Issue 10, October 2016

2433 All Rights Reserved © 2016 IJARCET

A Study of Operational Risks in Insurance Business

Ravi Shankar Jha

Abstract

Operational risk management in the insurance

business has gained significant momentum in

recent years, mostly due to changing

regulatory and rating agency capital

requirements. The New Basel Capital Accord

(NBCA), known as Basel III, which has been

endorsed into insurers’ Solvency II establishes

that a bank (or insurance company) should

develop a framework for managing

operational risk and evaluate the adequacy of

capital on this framework.Several studies have

been conducted across the globe and

quantitative models have been proposed to

manage the operational risks that a global

insurer typically faces in due course of its

business.

It has been identified across various studies

that there is no single unified understanding

pertinent to operational risk among insurance

carriers. The problem lies more about

definitions and the current approach to

combat operational risk aims to serve the

regulatory and capital requirements rather

than support the growth of the business in

long run.

Also, certain studies reveals that there are

many risks which are operational in nature

but difficult to correlate them under specific

category. The study also found a clear

distinction between strategic and operational

risk but difficult to decouple it at either

regulatory or organization level.

Across several studies it was found that

operational risk causes are due to internal

factors, strategic risk causes are due to

external factors. Since the action of humans

(or human behaviour and organizational

culture) plays a vital role in the level of

operational risk an insurer holds, both the

strategic risk and operational risk are not

quantifiable in the same sense as we see in

financial risks. The study will make an effort to

identify the success mantra of operational risk

management depends on how quickly the

firm identifies the underlying cause of the

problems (e.g., Underwriting risk or

managerial incompetence) and addressesit

appropriately

Keeping in view above points, firstly, this

study is an attempt to identify list of

operational risks in Insurance Business based

on its nature, frequency and severity.

Secondly, identify the leading operational

risks (among the list of identified operational




risks) based on survey response, Industry

record and recommendations from Industry

Principals. Thirdly, the study will identify

critical levers/drivers associated with

operational risk management in Insurance

Business. Lastly, this study offers

recommendation and benefits in terms of role

of technology and Internal and external

process drivers/levers in managing and

mitigating operational risks in Insurance

Business

Key Words: Insurance, Operation risk, Technology, Process, Regulatory Compliance, Claim, Social

Media, Big Data, Basel, Solvency, Product, Business, Server etc.

Introduction

The primary objective of most business

organization is to generate profit. The profit is

effectively the returns to the owners of the

business for undertaking the operating

activities of the firm, from which they bear

operational risk in the process. In a nutshell,

operational risk is loss resulting from failed

operational activities due to firm’s productive

inputs (capital and labour), to the process of

the productions of output goods and Service.

Most or perhaps all regulatory frameworks

across financial and non-financial domain

defines operational risk as a risk of loss

resulting either from inadequate or failed

processes or people and system or from

external events or mixed of all.

In Basel III, the common industry definition of

operational risk is:

“The risk of direct or indirect loss resulting

from inadequate or failed internal processes,

people and systems or from external events”

Significance of operation risk management in Insurance Business

Operational risk management provides significance values to Insurance business in following ways:

Reduce the risk of operational failure

by improvising internal processes,

systems or human capital

Increase the probability of meeting

strategic business objectives and

profitability in short and long run

Optimizing operational risk exposure

from internal and external

environment and reduce financial

uncertainty

Facilitate in making not only prudent

investment decisions but also helps in

business expansion and retaining

existing customers

Help in estimate the demand of

capital required based on exposure

level




Streamline the business processes to

drive performance and quality at

reduced cost base

Help organization in holistic growth

and enable to achieve strategic

objectives

Background, Motivation and Objective

Background

In recent times, Operational risk has received

considerable attention in Insurance and

Banking due to increase in complexity of

business execution owing to reduced product

development time, Technology upgrade,

changing market and customer needs, agile

regulatory requirements and many more.

Capital adequacy regulations (e.g., Basel III

and Solvency II, including those of a similar

nature) require appropriate capital charge for

operational risk. Financial Industries have

been spending considerable time and effort to

collect operational risk data and establish a

predictable model to subside or mitigate few

yet not all operational risk faced in course of

business. However, in Insurance companies

despite Solvency II (Capital adequacy

framework) in place but most of the insurer

pay very less attention towards managing

operational risks except for regulatory or

underwriting risk. The chief motive of this

study is to explore the characteristics of

operational risks from Insurance firms’

perspective to develop better insight of the

topic.

Motivation

Post globalization, various new factors were

introduced in insurance business from

operational aspects such as regulatory

changes, demographic profile, multi-language

support, cross currency translation and many

more. It is imperative for leading global

insurance carrier to have sustainable and

robust operational risk management

framework in place to handle current and

upcoming challenges and manage them

effectively.




Objective The primary focus in this study is to examine the holistic impact of Operational risksto anInsurer:

Identify list of leading operational risk

in Insurance Business

Study the impact of operational risk

on Insurance companies business

Identify top trending operational risks

based on its nature, frequency and

severity

Identify critical levers/drivers leading

to operational risks in Insurance

Business

Recommend approach to

manage/mitigate top

trendingoperational risks using

identified levers

Literature Review There is limited evidence of consistent and

complete understanding of operational risk in

insurance. In contrast, the idea of operational

risk in non-financial sectors such as airlines,

energy, IT and the manufacturing industry is

established and adequately enumerated in

various literatures.

The academic discussion on operational risk in

insurance is recent and imprecise. Cummins

et al. (2006) revealed that there remain a few

studies that focus on the financial sector,

specifically, banking and insurance. Most

research works on risk management have

concentrated on the financial perspective of

riskwhere the purpose of risk management

was argued to reduce the probability of costly

lower-tail (i.e., low frequency and high loss

events) outcomes (Stulz, 1996).However, the

operational risk associated with the execution

of firms’ investment strategies was

inadequately researched in the literature

about risk management.

A number of studies for example, Jobst (2007)

and Flores et al. (2006) have discussed several

statistical techniques for operational risk

measurement and subsequent regulatory

requirements.Various literatures have also

identified leading operational risks faced by

large and medium size enterprises.

Measurement issues with Operational Risk

It is evident that the measurement

methodology for operational risk in Insurance

Business follows what has been adopted in

the banking sector under Basel II capital

requirements. Three different approaches of

increasing sophistication (basic indicator,




standardized, and advanced measurement)

have been suggested under Pillar 1 of Basel II.

The basic indicator approach, which is less risk

sensitive, utilizes one indicator of operational

risk for a bank’s total activity. The

standardized approach specifies different

indicators for different business lines. The

advanced measurement approach, which is

most risk sensitive, requires banks to utilize

their internal loss data in the estimation of

required capital for operational risk. Most of

the Insurers are using mixed approach

covering standardized and advanced

management approach. A number of

researchers (Valle and Giudici, 2008; Bilotta

and Giudici, 2004; Chavez-Demoulin et al.,

2006) have used several statistical techniques,

such as actuarial, casual, and Bayesian, to

calculate operational risk capital by utilising

internal models but the adequacy, accuracy

and consistency of data remains an inherent

problem towards the accurate measurement

of operational risk.

Research Design

Operational risks assessment is generally

analysed at a granular level than at a total

level. This occurs because organizations have

a multitude of operational activities which

involve different kinds of processes and

resources giving rise to different types of

operational risks.

A mixed technique has been used for the

purpose of this study. Survey with an online

questionnaire was administered on sizable

participants from Service providers,

integrator, third party solution providers and

insurers (including Life and non-life).

Approximately sixty-four percent of the

participants were based in the US and

remaining were based in Asia Pacific region.

First phase of the survey was conducted with

an intent to identify the trending operational

risks in Insurance Business.

Format

Initial online and paper based MCQ (Multiple

Choice Question) Survey was conducted to

rank the operational risks in Insurance

business based on nature, impact and

frequency.

Qualitative analysis will be performed to

identify the feasibility and viability of

Technology as a tool to help in operational

risks identification, assessment, reporting and

monitoring.

Online Survey was administrated by survey

portal. The survey was directed via paper

based and email methods to conduct the

online survey.




Participants

For the survey, intended audience were

mainly targeted from the following groups:

1. Insurance Policy Holders

2. Insurance Companies Senior

executives

3. Service providers

4. Regulatory Authority.

Profiles of the target audience chiefly included

personnel with the designations of

Consultant, Senior Consultant, Lead

Consultant, Principal Consultant, Senior

Underwriter, Customer Service Executive,

Technology Architect and Risk manager. These

people were chosen because they held key

positions with substantial responsibility and

had an understanding of risk in the Insurance

Business Model.

The sample size for the questionnaire was

around 150with the combined online and

offline distribution channel.

Second Phase

In second phase of survey, questionnaire was

designed in a fashion (based in consultation

with Industry expert and principals) to capture

the cause, impact and current strategy in

place to combat the top 5 operational risks.

The operational risks were then mapped to

the operational levers in a way to designate

the impact of the levers upon the particular

operational risk.Upon researching in terms of

major cause of operation risk in Insurance

business especially covering Underwriting,

Internal and External fraud,

Regulatory/Compliance and Business

disruption and system failure and post

discussion with Industry principals, four key

driving levers are identified which will help

insurers to manage/mitigate its operational

risks.




Fig.1.0

Second phase of the survey was conducted

with an intent to determine the cause, impact

to the business’ top line, current strategies

and challenges associated with the top

trending operational risks from insurer and

other stakeholders such as Broker, TPA etc.

perspective. This analysis also helped in

ascertaining the key drivers/levers leading to

those top trending operational risks.

While the participants and their profile was

more or less the same for this phase of

research, the sample size targeted for this

questionnaire was around 80 mostly aiming

the highly skilled and experienced folks.

Results:

Representation of First Phase Survey outcomes as follows




Fig 2.0

A summary of trending operational risks in

insurance business based on nature,

impact/severity and frequency based on

outcome of first phase survey is described in

the Fig. 2.0 and details of each operational

risk is available in Table I under appendix

section

The entire process of ranking operational

risksis based on the nature, frequency and

severity in the Organization and across

Insurance Industry at large. As majority of

respondents are from Insurance industry as

they were well versed with range of

operational risks and

relevant details. Therefore, the response

administrated through offline and online

mode reveals that regulatory/compliance risk

is perceived as major risk and deemed Rank 1

by majority of respondent and subsequently

same for Rank 2, 3 and others.

Top trending operational risks as follows:

Regulatory/Compliance risk

Internal and External fraud

Underwriting risk

Business disruption and system failure

Client, Product and Business Practices

failure

Details of Survey outcomes for above risks as follows




Regulatory Compliance Risk

Insurers always have to adhere to many

stringent and changing compliance

requirements like Solvency II in Europe and

National Association of Insurance

Commissioner’s (NAIC) Solvency

Modernization Initiative (SMI) in the US. Any

such compliance failures in insurance

processes are quick to get the attention of

media and consumers. Companies have to

keep up with new regulatory requirements as

well as live up to stakeholder expectations

and in doing so are faced with a challenge to

maintain performance objectives, sustain

value and brand reputation.Frequent

regulatory changes is the main worry in the

industry, failure to which can lead to penalty,

reputational risk and loss of market share.

Majority of Insurers firmly believe that a

dedicated department for keeping a close

watch on regulations/compliance change will

help Insurers to excel in combating regulatory

risks.

Internal and External Fraud

Insurance fraud can be an external fraud

(fraud against insurer by policyholder and/or

other parties in the purchase and/or

execution of an insurance product),

Intermediary fraud (fraud by intermediaries

against insurer and/or policyholders) or

internal fraud (fraud against insurer by

employee on his/her own volition or in

collusion with parties that are internal or

external to insurer).

Fraudulent activities have been anticipated to

have a 7% to 10% impact on organization’s

top and bottom line and an impression that

sharing information with other Insurance

carriers will solve majority of fraud risks in an

organizations by leveraging technology and

processes.

Underwriting Risk

Underwriting risk generally refers to the risk

of loss due to underwriting activity in the

insurance industry. Underwriting risk can

either arise from an inaccurate assessment of

the risks entailed in writing an insurance

policy, or from factors wholly out of the

underwriter's control such as fraudulent

activities and misrepresentations thus

increasing the costs for the insurer. The long-

term profitability of an insurer is directly

proportional to its mitigation of underwriting

risks. Underwriting risk is expected to have a

2% to 5% impact on organization’s top line

and animpression that user training (people




and organization culture) will solve majority of underwriting losses in an organization.

Business disruption and system failure risk

The rise in disruptive natural catastrophes has

led to growth in business disruption and

interruption thus increasing this risk

probability. Some of the examples are natural

disasters, accidents and theft which can lead

to lost revenue and legal liabilities. It also

includes hardware, software, telecom, utility

outage etc.Business disruptions and system

failure is one of the most feared risk in the

industry owing to an absolute halting of the

business processes. The strategy to combat

this risk would be tosplit with various de-

risking options available at market place.

Client, Product and Business Practices failure

This category includes suitability and fiduciary

issues, inappropriate business or market

practices and product quality. Some examples

are lender liability, market manipulation,

money laundering, unlicensed activities,

product defects, improper trading on firm's

account etc.

These consequences arising from negligent

practices generally lead companies to face

lawsuits. The outcome of the survey shows

that non-unified processes and systems is the

primary cause of such failures.

Driving Levers of Operational risk

Key Levers which drive Insurers to achieve

Operational excellence in terms of being

effective and efficient are broadly classified

under four categories (People and

Organization culture, Technology, Internal

and External Processes and Business and IT

Alignment).Fig 3.0 depicts the dependence of

the top 5 operational risks on the identified

levers based on the responses of the survey

participants.

Distribution of Driving Levers across leading Operational risks in Insurance Business




Fig. 3.0

Recommendations/Conclusions

Recommendation phase will cover four

leading operational risks in terms of the two

prominent levers i.e. analyzing current

processes (internal and external) and

Technology (in terms of scalability and

manageability). Post the discussion, for each

of those operational risks, a certain set of

standard processes and technologies have

been outlined which possibly will help

Insurers to achieve operational excellence.

Recommendations were built based on

opinions from Industry SME, Insurance

Industry standards, market trends, changing

demographics and nature of Insurance

Business.

Underwriting Risk

Driver: Internal and External Processes

Underwriting processes and workflows can be

streamlined to help insurers lower their

operational costs (in terms of expense and

loss ratio) and optimize approval times. Those

carriers that take up streamlining are likely to

find themselves leading in their markets (cross

sell, upselling etc.) as they focus on changes

large and small and align themselves to do

business with them.

Few key areas in which Underwriting

processes can be streamlined to achieve

better underwriting function productivity as

follows:

UW Case Assignment and Management

Many insurers have improved turnaround and accuracy in the underwriting process by sorting cases according to attributes such as product type, face amount, underwriting class and riders. Cases can then be matched to underwriters based on skill level, product knowledge, face value and experience. Underwriting activities need to enable efficient risk assessment for




a case and not hamper it.

Outsourcing Transferring underwriting activities to an outsourcer is an established way to streamline underwriting, as the outsourcer (who holds core competency in UW) can make the process more effective and efficient to reduce costs and improve margins. Outsourcing also transfers the need to adjust staffing as the number of applications ebbs and flows.

Governance and Control mechanism

Accountability is an integral pillar which needs to be reconsidered and increased compliance built in to the underwriting environment as processes and responsibilities evolve. Clear governance and well-defined controls are key components of designing and implementing streamlined processes and achieve higher levels of automation.

Roles and responsibilities Defining clear roles and responsibilities will help to ensure that underwriting talent is used effectively and efficiently. Experienced underwriters engaged on high-risk cases may become more pro-active in the sales process (building new product – Actuarial activity), shifting the focus of their activities to spend more time on rules development including automation and sales support as they spend less time on application assessment and case management.

Continuous Processes improvements

More interactions with the sales channels, including traditional and digital, may further influence underwriting processes.

New processes will need to be introduced for maintaining and updating system rules.

Processes need to establish to manage outsourcing relationships with third-party vendors

Automation of specific services

Translating most of the activities in self-service mode (no human intervention) would require very limited intervention from IT department. For example, the advent of Straight through processing (STP) for New Business Underwriting not only simplified the processes but also improved customer/user experience and accuracy

Refine/Establish Capability Benchmark and collaterals

Most of the Insurers will need to build or refine their capability benchmark associated with underwriting function spanning across product lines, business areas, potential feasibility, capability of players( inclusive of technical and functional) and future roadmap. Also, Insures need to build capability collateral based on feedbacks and learning from prior experience across various lines of business. An example of capability benchmark is described in Table 3.0 in the appendix

Driver: Technology

As Insurers take advantage of technology,

underwriters no longer have to engage in

mundane tasks, allowing them to become

more effective and efficient in handling more

accounts. New data and tools are available to

support underwriters in making faster, more

reliable, more consistent and better informed

risk decisions. In fact, many risk decisions

need not even involve underwriters. Optimal

use of information, technology, and

outsourcing can free underwriters from the

need to review all applications and allow

them to participate more actively in strategic

and sales activities.

Rules Based Decision making

Insurers making greater use of their rules-based systems are gaining efficiencies and expanding their product offerings to include the simplified-issue policies growing in popularity among consumers. Few example of Rule




Base decision making systems (especially commercially off-the-shelf product (COTS) products are Oracle InsBridge, FirstBase underwriting rule engine etc.

Point-of-sale underwriting Point-of-sale and real-time underwriting has been deemed as disruptive evolution which can shorten the issuing time of a policy from months or weeks to just minutes. Products with direct distribution can be issued with a pre-defined set of questions through contact centers or online. A point-of-sale underwriting system that combines online data validation, real-time quotes, predictive analytics and other external data feeds can be used not only to forecast loss outcomes on an individual basis but also help in taking informed decisions. E.g. Apptical®’s underwriting-automation and life insurance sales-acquisition solutions provide simplified-issue customers with TRUE point-of-sale acquisition closure capability.

Data integrity and delivery The automated delivery of information and data from third parties eliminates the need for underwriters to search and wait for critical information. E.g. The OnBase Insurance Solution offers an MIB Integration which automatically creates an ACORD 401 message to request the MIB before the application is even sent to underwriting

Harness power of data analysis/excellence

Evolving predictive analytics may eliminate the need for intrusive procedures

such as blood tests and physical exams, which add costs, slow the sales and

underwriting processes, and deter consumers from buying life insurance. The

next generation of advanced analytics may go a step further and predict the

decision an underwriter would make by using more external information, such

as economic indicators, consumer marketing data and social media activity.

E.g. IBM predictive analytics utilizes advanced algorithms to process historical

data and to create models that help insurers make predictions about future

outcomes.

Internal and External Fraud


SIU(Special Investigation Unit) Teams for Fraud response

Front-end fraud case investigation with a triage team : These triage

teams consist of experts from the domains such as hospital nurses,

coders, and call center representatives who make sure that the case

the SIU needs to investigate has all of the necessary data elements

and is ready for full investigation

Add statisticians to the SIU team : Insurers need resources that can:

1) understand requirements for fraud scoring of insurance cases 2)

work with fraud management vendors to internalize fraud

management knowledge in the organization and 3) update analytical

fraud risk scoring models so that they are always effective at cutting

fraud losses.

Encourage data sharing between SIUs of several business lines: Using

shared case management systems and tracking the same (or at least

the same subset of) case attributes are great first steps in this

direction.

Establish Standard Metrics To Measure Fraud Efforts

Avoided fraud losses as a percentage of total transaction dollars.

Insurers can augment their earnings by detecting and preventing

fraudulent cases and by tracking avoided fraud losses as a percentage

of total insurance revenue. One carrier reported that avoided fraud




loss as a percentage of total insurance revenue is sometimes 20% to

25%.

False positive ratios in “outsorted” cases. When using analytics or

rule-based risk scoring tools, usually the risk scoring system identifies

(“outsorts”) potentially fraudulent transactions whose risk score is

above a certain risk-score threshold.

Balanced Scorecards for intake, output, and efficiency of SIU

performance: most North American insurers look at the three key

performance indicators (KPIs) of their SIU. On the intake side, they

track the total number of referred cases (cases identified as

potentially fraudulent), cases assigned (i.e., investigated in detail by

an analyst), and cases closed. On the outcome side, they track cases

that can be worked or are assigned, the sum of avoided fraud loss

dollars at various stages of the SIU process, and the total number of

positively identified and confirmed fraudulent cases.

In site checks GPS empowered data checks against entered data. E.g. If user filling

first notice of loss

Using data from Drones to check accident site in case of accident

insurance

Driver: Technology

Analytical Capabilities

Modern fraud detection tools help analysis of structured and

unstructured data to model and predict behavior. Analysis of

repeatable trends via social network also helps to identify fraud rings

Predictive analytics can be used to effectively allocate resources,

assign adjuster/units on expertise and/ workloads and enhance the

claims handling process based on claim attribute

Real time data analysis Real time data analysis at the time data is entered

Back/ forward movement of data and field changes can be tracked to

check consistency

Boost Fraud Intelligence

with Improved Data Quality

And Quantity

Improve data quality throughout the whole insurance value chain:

Successful carriers should ensure that they capture as much correct

and relevant data as possible during the whole insurance value chain

— without bothering the customer.

Build an integrated insurance contract and transactions data

warehouse: build out a data warehouse that contains a consolidated

view of all lines of business, products, and geographies. Finding

interlinked cases and transactions in an aggregated database is more

accurate and cheaper.

Use Mobile Apps To Help

Agents And Customers

Prevent Fraud

Allow agents and sales to review policies and improve data quality

right at the transaction time. One of the carriers is planning to roll out

an iPad-based mobile applications to its sales force helping in

assembling the paperwork interactively with the client, walk through

the entire policy during one visit, and capture quality data to the




carrier’s contract database.

Mobile applications can check the coherence and validity of data in

claims filed by customers and can provide much more information for

the claim than traditional paper-based or desktop application-based

processes

Provide a mobile application for customers with context-sensitive

data. Providing a mobile claim- filing application to customers will

allow for better and faster claim servicing and fraud reduction as well.

For example, if the mobile device is context-aware and has a GPS, the

carrier can ask for GPS coordinates of the accident where the

customer takes claim pictures — which will reduce fraud for auto

body work before it even happens.

Fig 7.0 in the appendix provides a brief overview of the global technology spending in the fraud

management domain of insurance.

Regulatory/Compliance Risk Driver: Internal and External Processes

The effectiveness of compliance function will

play a key role in enhancing the capabilities of

insurers to elevate the policyholder

experience. The compliance risk includes both

the risk of new regulations or changes to

existing regulations. It also includes evasive

risk on non-compliance.

Structure and duties of

Regulatory/Compliance function: Most

compliance departmentsareused to work in

acheckbox approach to conduct most of the

business matters.Along with that, it is now

also conducting numerous reviews against a

broader set of law and regulations, and

expressing an opinion on how well it is

working.There are many regulators at

multiple levels that an insurance company

must report to perform

regulatory/compliance duties

State regulators – These regulators are in

each state where the insurance company

conducts its activities, with the regulator of

the ‘state of domicile’ holding the primary

supervisory role.

Federal regulators – The federal regulation is

comprised of Financial Industry Regulatory

Authority (FINRA) and the Securities and

Exchange Commission (SEC). The Federal

Reserve Board has also been added to the list

of regulators at the onset of the financial crisis

with the Dodd-Frank Act.

To make the matters more complex, the

regulatory examination approach also keeps

changing with time and in case of any

compliance failure, the burden of proof is




always more heavily placed on insurance

companies. This necessitates the need to

refine the existing process to be compliant.

Key process areas need to be overhaul/improved in Compliance/Regulatory life cycle as follows:

Effective Communication

The compliance department stresses increasingly related to effective

communication with the board, and involve deeper interaction with business

units through the transmission of sufficient information or via well-defined

escalation processes.

Urgency of documentation An insurance company must be always ready to provide all needed data if an

insurance commissioner requests additional information on risks or how they

are mitigated e.g. NAIC has come up with a requirement to submit annual

reports of their Own Risk and Solvency Assessment (ORSA) for insurance

companies with more than $500 million in direct premium ($1 billion for

insurance groups).

Internal trainings Keeping in view that the demands in regulations are ever changing, there is an

ongoing need to increase the level of awareness of the compliance

environment among the employees though more trainings and sessions.

Compliance structure and

functions

The three key pillars of defense model are as follows –

The first line of defense in the model is the business unit, including front line

support units (such as operations). Businesses are expected to understand

their compliance risks and to take ownership and responsibility for mitigating

those risks.

The second line of defense is the necessity of a strong enterprise compliance

program. This program should have the responsibility to establish base

standards and policies for risk management activities including reporting,

escalation and remediation of issues. This program is also responsible for

aggregating the applicable risk across the enterprise and ensure senior

management and the board have the information required to provide

guidance and oversight.

The third line of defense is the internal audit function. Internal audit should be

responsible for providing the independent assurance to the audit committee

and the board on the design and operating effectiveness of the enterprise

compliance framework.

Governance and Oversight Dedicated and periodic reviews and audit should be conducted to improvise on

risk management methodologies, framework and policies. This should involve

relevant people across the organization including CXOs, compliance

department and representative from respective business units head. There

should be a constant effort to inculcate this culture into Organization DNA.

Reporting Structure and

responsibilities

Centralized enterprise compliance functions aggregate compliance reports into

a one stop report that is regularly shared with senior management and often

with the audit committee to ensure that compliance program is operating as




intended. Enterprise compliance reporting should also provide information

about the status of the annual compliance plan.

Driver: Technology It has been observed that the more modern

the policy admin system that they're using,

the better they're in compliance. The ever

increasing levels of regulation and a greater

focus on data and reporting is forcing firms to

invest in regulatory technology solution (also

called Regulatory Technology). Firms must

embrace Regulation Technology solutions as

they will help them automate compliance

tasks and reduce operational risks associated

with meeting compliance and reporting

obligations.

Information technology can bring the same

benefits to the compliance function as it

already brings to most other areas of an

organization as follows:

Reduced costs and enhance margins

Streamlined reporting

Greater consistency in the execution

of the program

Insight to support sound business

decisions

Some of the key characteristics which a Regulatory Technology solution should possess are:

Regulatory Knowledge Management

The solution should involve a team of lawyers and paralegals to process and

push out regulatory changes to insurers and keep them up-to-date

Agility The solution should provide agility by removing cluttered and intertwined data

sets by de-coupling and organizing through ETL (Extract, Transfer Load) tools

and technologies

Speed The speed of delivery should be achieved by configuring Standard and Ad-hoc

Reports to be generated quickly on the fly

Integration The solution should have seamless integration of inbound and outbound

interfaces to get the solution up and running.

Analytics and big data Regulation Technology solution should use analytic tools to intelligently mine

existing “big data” data sets and unlock their true potential e.g. using the same

data for multiple purposes to cut out redundancy. The solution should make an

increased use of big data to streamline and reduce the costs of providing data

to regulators.

Visualization and robotics

tool

The development of features like online visualization and robotic advice tools

can deliver regulatory advice and guidance more cheaply, efficiently and

effectively.

Real time and system

embedded compliance/risk

evaluation tools

Risks can be evaluated more accurately by utilizing compliance and risk

technologies which also helps in improving operational efficiency and

effectiveness. E.g. new tools can be used for financial crime risk monitoring,




anti-money laundering and customer profiling in trade surveillance.

Regulatory Technology for any insurance firm,

in short term, will help firms to automate the

more mundane/regular compliance tasks and

reduce operational risks associated with

meeting compliance and reporting obligations

and offer certain agility. In the long run, it will

empower compliance functions to make

informed risk choices based on power of data

tomanage/mitigate those risks.

Statistical details revels the trend of

continuous increase in regulatory pitfalls

across the globe. Also, emphasize the Insurers

to pay adequate attention to curb the

outgrowth of regulatory non-compliance. Fig

4.0 in the appendix provides details on the

global year on year, region wiserising costs on

regulatory non-compliance.

Business disruption and system failure

Research has demonstrated that firms which

experience disaster-induced business

disruption may experience long term

significant customer trust reduction, stock-

price decrease and equity risk increase. E.g.

Hurricane Sandy caused significant and wide-

ranging damage across the northeast coast of

the United States on October 28, which led to

the closure of the equities and options

markets on the very next day. In such events,

specific emphasis was given to firms’

implementation of their business continuity

plans (“BCPs”) and disaster recovery

procedures.


Agencies like FINRA (Financial Industry

Regulatory Authority) promulgates insurance

companies to disclose their business

continuity plan. Firms should have a corporate

policy requiring each Business Unit to develop

a business continuity plan. Pursuant to this

policy, their Risk and Compliance department

should coordinate the development, testing

and maintenance of all Business Continuity

Plans. Each of the below areas should be

considered in the plan:

Proximity Firms should consider the possibility of widespread lack of

telecommunications, transportation, electricity, office space, fuel and water

in their BCPs. Consideration should be given to multiple, redundant services

and the proximity of vendors to the potential disaster area.




Remote Access Firms should consider adequate staffing during crisis, enhancing the

capabilities of staff that work from home by identifying technology and

communications products and services that could increase efficiency.

Alternative location An alternative location (i.e., back-up data centers, back-up sites for

operations, remote locations, etc.) in close proximity to the primary site may

not protect the firm from the effects of a region wide event. Firms should

consider whether their primary site and alternative sites rely on the same

critical utility services, such as electricity, transportation and

telecommunications.

Accessibility of alternate

sites

Firms should consider the accessibility of alternative sites and the ability of

staff to travel to the site in the event of a transit shutdown or closure of

major roadways.

Staffing size Firms should consider the appropriate number of staff necessary at any

alternative site to perform critical activities, including risk functions, control

functions, finance and treasury activities, and ensure that adequate space is

available.

Telecommunications service

considerations

Firms should consider contracting with multiple telecommunications

carriers to provide a failover to a different carrier to maintain fax, voice

mail, and landline and VoIP services.

Communications with

customers and third parties

Firms should consider taking measures to ensure that their website has up-

to-date information about the firm’s operational status and general contact

information during a disruption event which will allow them to better

communicate and coordinate with regulators, exchanges, emergency

officials and other firms.

Communication with staff Firms should update emergency contact lists frequently so staff can be

contacted with firm updates. They should providefor critical staff to carry

multiple communications devices on multiple carriers

Continuous review and

testing

Firms should consider full staff BCP (Business Continuity Plan) tests to

evaluate whether all day-to-day functions, including trade processing can be

performed regardless of staff location. Firms should also consider

incorporating stress tests into their BCPs. Based on this analysis, firms may

be better prepared to adjust their position and be ready with combative

measures prior to an event.

Business continuity training Firms should provide adequate focus in conducting annual or more frequent

training on their BCPs to familiarize all personnel with the plan and their

critical pre-established roles.

Driver: Technology

Storage and Server virtualization

Virtualization helps substantially reduce the number of physical servers

required while increasing the utilization levels of remaining servers. Each

virtualized server can run its own full-fledged operating system, and each

server can be independently rebooted. Server virtualization benefits

include:

Optimal number of physical servers - Lower number of physical

servers can reduce hardware maintenance costs. However, careful




planning needs to be done about distributing applications,

operating systems and data across the available server

infrastructure.

Augmented space utilization efficiency in data center -

Implementing a server consolidation strategy saves space in data

environment. This also gives a good opportunity to address the

issue of disaster recovery.

Subside impact on applications - By having each application within

its own "virtual server," we can prevent one application from

impacting another application when upgrades or changes are

made.

Virtual server build - standard virtual server can be built that can

be easily duplicated which will speed up server deployment.

Cloud disaster recovery Cloud-based disaster recovery services are accessible anywhere there is

access to networking infrastructures. With cloud disaster recovery,

replacement assets are always standing by, but we only pay for it when we

need it, and only for as long as we need it. Applications can be backed up

and running within a few hours, without having to select, order for and wait

for new equipment to be delivered to data storage environment.

Email continuity Email continuity applications must function without interruption during an

email server failover. This is essential to maintain end user productivity and

assure regulatory compliance. Email continuity solutions, such as Email

Management Services from Dell MessageOne, MailWise Rescue from

MailWise, or Ontrack Data Recovery services from Kroll Ontrack Inc.,

typically recover Exchange components at an alternate location.

Data Deduplication Data deduplication eliminates redundant data one of the unique way of

data compression. Duplicate blocks of data are replaced by a pointer which

may be retrieved for multiple file requests by maintaining an index for the

pointers. By reducing the amount of data that has to be protected, data

backup and recovery times can be shaved off.

Smart Device Accessibility In the context of such a connected future, Insurers need to assure that their

systems, sensors, devices, should be well connected.




Benefits of managing operational risks in Insurance Business

Here are list of few benefits Insurance

Company can achieve through tightening its

operational risks in terms of streamlining

internal and external processes, managing

technical debts, Organization culture and

Business and IT alignment to curb operational

leakage and achieve efficiency and

effectiveness. Broadly benefits are

categorized in 6 areas including profit margin,

expense ratio, sustainability, operational

agility, unified processes and improve delivery

confidence. Details pertaining to each areas is

highlighted below:

Fig. 4.0

Summary of recommendations – Technology and Internal and

External Process Drivers Perspective

In this study, among four key drivers

(Technology, Internal/External Processes,

Business and IT Alignment and People and

Organization Culture) study selected two

drivers Technology, Internal/External

Processes. Selected drivers were explored

across four risks Regulatory/Compliance risks,

Business Disruption and system failure risks,

Underwriting risks and Internal and External

fraud and highlights key recommendations.

These recommendations will certainly help

Insures not only to manage the operational

risks but also help to improve their top line

and bottom line as well. Moreover, it is

equally important that how Insures align

these recommendations in their organization

context to make this happen effectively and

efficiently.




Fig 5.0

Fig 6.0




Appendix

1. Summary of leading operational risks in Insurance Business:

Risk Description

Regulatory compliance risk Insurers always have to adhere to many stringent and

changing compliance requirements like Solvency II in

Europe and National Association of Insurance

Commissioner’s (NAIC) Solvency Modernization

Initiative (SMI) in the US. Any such compliance failures

in insurance processes are quick to get the attention of

media and consumers. Some examples are regulations

like Foreign Account Tax Compliance Act (FATCA) and

Unclaimed Property Act (UPA), Anti Money Laundering

(AML) compliance etc.

Underwriting risk Underwriting risk generally refers to the risk of loss due

to underwriting activity in the insurance industry.

Underwriting risk can either arise from an inaccurate

assessment of the risks entailed in writing an insurance

policy, or from factors wholly out of the underwriter's

control. As a result, the policy may cost the insurer

much more than it has earned in premiums. The long-

term profitability of an underwriter is directly

proportional to its mitigation of underwriting risk.

Internal and External Fraud Insurance fraud encompasses a wide range of illicit

practices and illegal acts involving intentional

deception or misrepresentation. It can be Policy holder

and claims fraud (fraud against insurer by policyholder

and/or other parties in the purchase and/or execution

of an insurance product), Intermediary fraud (fraud by

intermediaries against insurer and/or policyholders) or

Internal fraud (fraud against insurer by employee on

his/her own volition or in collusion with parties that are

internal or external to insurer)

Client, Product and Business practices The conduct of a business towards its client and

products poses a high probable risk in the insurance

industry. This category includes suitability and fiduciary




issues, inappropriate business or market practices and

product quality. Some examples are lender liability,

market manipulation, money laundering, improper

trading on firm's account etc.

Business disruption and system failure The rise in disruptive natural catastrophes has led to

growth in business disruption and interruption thus

increasing this risk probability. Some of the examples

are natural disasters, accidents and theft which can

lead to lost revenue, legal liabilities and big headaches.

It also includes hardware, software, telecom, utility

outage etc.

Technology and Infrastructure failure The failure in cyber or other information security

systems, as well as the occurrence of events

unanticipated in insurer’s disaster recovery systems

and business continuity planning can be a very critical

risk.

Obsolete technology stack The risk that a process, product or technology used by

an insurer for profit will become obsolete, and

therefore be no longer competitive in the marketplace.

E.g. few of the old technology stack may not allow

insurer to provide services through mobile applications.

Consumer data protection Insurers and intermediaries collect and use vast

amounts of personal data about their customers, and

some of them are very sensitive data. Any breach of

this this can have huge risk impact.

Lack of skilled man-power The risk posed by potential lack of manpower in niche

high-end skills in complex and highly-specialized areas

like risk management, credit evaluation, financial

engineering, actuaries and professionals proficient in

underwriting, claims and customer services.

Changing consumer demand The aging of the baby-boomer generation has serious

capital expense implications. Insurance companies

have enjoyed a long period during which the baby-

boomer, the first generation to purchase a range of

insurance on a large scale, prepared for retirement by

accumulating saving. Moreover, younger generations

are contributing less for their future retirement, as




different product lines are delayed or deferred. As

consumer demand increases for shared services,

Insurer capture risk profiles and offer more customized

products to meet the demand.

Globalization Globalization has brought unprecedented benefits and

opportunities for insurers but it also poses the danger

that it creates any risk as pandemic e.g. financial risks

can quickly engulf everyone. This risk has to be handled

simultaneously while reaping the benefit of

globalization.

Table I

2. Indicative Example of Capability Benchmark as follows:

Domain(Life/P&C) Product Lines Business Areas

Potential feasibility

Capacity (Technical & Functional) of Players

Future Roadmap

Property and Casualty

Home/Auto

NB Self Service

H M M

Servicing Transactions

M H L

Renewal M H M

Portfolio monitoring

H L L

Table II

Capacity Definition

High (H) – Systematic Underwriting process by more than 30% players

Medium (M) - Systematic Underwriting process between 15 and 25 % players

Low (L) - Systematic Underwriting process less than 10% players

Future Roadmap

High (H) – doable in near future

Medium (M) – challenging but viable

Low (L) - Very challenging and high cost implications

3. Technology Spends:




Statistical details highlighting the need for adequate focus on Fraud Management including Internal

and External. It further shows that the global fraud management systems spending will increase by

50% in 2016 and focus will be on big data based solutions.

Fig. 7.0

Source of above Data: CEB Report Enterprise Fraud Management

4. Rising costs due to non-compliance year on year

Source of below Data: THE RISING COSTS OF NON-COMPLIANCE: FROM THE END OF A CAREER TO

THE END OF A FIRM (https://risk.thomsonreuters.com/sites/default/files/GRC01700.pdf)




Fig. 8.0

5. Technology Vs. Operational Risk Grid Summary

There are plethora of technologies such

as big-data, analytics, product

platform,cloud etc. which has the

capability to create significant impact

across operational risks e.g. implementing

a well defined and matured data analytics

solution will help reduce risks across all

the categories in various degrees. Such

technologies should be implemented with

higher priority to reduce overall operation

risks with less cost per risk mitigation. In a

nutshell, mapping of such

leading/emerging Technologies with

Underwriting, Internal and External fraud,

Regulatory/Complaince and Business

disruption and system failure operational

risks will certainly help Insurance

organization to manage/mitigate

operational losses. Below figure highlights

the impact of technologieson leading

operational risks:

Fig. 9.0




References/Bibliography

[1]. Palmer, T. B. and Wiseman, R. M., 1999. Decoupling risk taking from income stream uncertainty: a holistic model of risk. Strategic Management Journal, 20(11), 1037-1062

[2]. Jensen, M. C. and Meckling, W. H., 1976. Theory of Firm: Managerial Behaviour, Agency Cost,

and Ownership Structure. Journal of Financial Economics, 15 (4), 305-360

[3]. Valle, L. D. and Giudici, P., 2008. A Bayesian approach to estimate the marginal loss distributions

in operational risk management. Computational Statistics & Data Analysis. 52(6), 3107-3127 [4]. Risk Measurement and Management of Operational Risk in Insurance Companies under Solvency

II - AFIR/ERM Colloquium 2012, Mexico City October 2nd, 2012 Nadine Gatzert and Andreas Kolb Friedrich-Alexander-University of Erlangen-Nuremberg

[5]. The growing role of the insurance compliance officer. http://blogs.reuters.com/financial-

regulatory-forum/2015/09/24/the-growing-role-of-the-insurance-compliance-officer/

[6]. FS Insights. Solvency II Moves Closer to Integrating Risk and Capital Management. Across the Insurance Industry. http://www.protiviti.co.in/en-US/Documents/Newsletters/FS-Insights/FS-Insights-V3-I9-Protiviti.pdf

[7]. Quantifying Operational Risk in General Insurance Companies. Academy Comments to NAIC on

Operational Risk

https://www.actuary.org/files/Capital_Adequacy_NAIC_OpRisk_Comments_010715.pdf

[8]. Structure and governance of the compliance function. How Smart, Connected Products Are

Transforming Companies. Harvard Business Review 2015-10-01 [Vol. 10 Issue. 10]

[9]. How Smart, Connected Products Are Transforming Companies. Harvard Business Review 2015-

10-01 [Vol. 10 Issue. 10]

[10]. BUSINESS CONTINUITY SOFTWARE REPORT 2013-14

http://www.cirmagazine.com/cir/reports/BCSoftwareReport2013-14.pdf

[11]. Risk Management in the Insurance Business Sector by Everis Inc. Sep 2009

[12]. Deloitte Risk Management Survey -

www2.deloitte.com/ng/en/pages/risk/articles/insurance_risk_survey.html

[13]. RISK DISCLOSURES IN THE P&C INDUSTRY -

http://www.stjohns.edu/sites/default/files/tcb/riskfactoranalysis_whitepaperfeb915.pdf

http://blogs.reuters.com/financial-regulatory-forum/2015/09/24/the-growing-role-of-the-insurance-compliance-officer/

http://blogs.reuters.com/financial-regulatory-forum/2015/09/24/the-growing-role-of-the-insurance-compliance-officer/




[14]. Operational Risk Management – KPMG -

https://www.kpmg.com/lu/en/services/advisory/risk-

consulting/financialregulatoryreporting/documents/operational-risk.pdf

[15]. RegTech Is The New FinTech. How Agile Regulatory Technology Is Helping Firms Better

Understand and Manage Their

Risks.http://www2.deloitte.com/content/dam/Deloitte/ie/Documents/FinancialServices/ie-

regtech-pdf

[16]. The growing role of the insurance compliance officer. http://blogs.reuters.com/financial-

regulatory-forum/2015/09/24/the-growing-role-of-the-insurance-compliance-officer/

[17]. The Geneva Papers on Risk and Insurance - Issues and Practice.

http://www.ingentaconnect.com/content/pal/gene

[18]. Structure and governance of the compliance function.

http://www.ey.com/Publication/vwLUAssets/EY-compliance-seeks-a-path-to-regulatory-

readiness/$FILE/EY-compliance-seeks-a-path-to-regulatory-readiness.pdf

[19]. MetLife Business Continuity Plan Disclosure.

https://www.metlife.com/assets/investments/products/mutual-funds/MSIBUSCONTINUITY.pdf

[20]. Acharyya, M (2012). The scope of developing optimization models for insurer’s operational

riskfrom risk-return trade-off perspective. Society of Actuaries. www.soa.org/Files/Research/

Projects/The-Scope-of-Developing-Optimization-Models-for-Insurer-s-Operational-Riskfrom-

Risk-Return-Trade-Off-Perspective.pdf




About Author

Mr. Ravi Shankar Jha currently works as Lead

Consultant with Infosys Limited. Prior to

Infosys, he had worked with Cognizant

Technology Limited. He has extensive

experience in Project Management, Package

Implementation and Consulting in global

delivery model. He holds Bachelor of

Engineering (B.E.) in Computer Science from

Central University, Bilaspur, Chhattisgarh and

Master of Business Administration (MBA)

from Indian Institute of Technology,

Kharagpur.

Date post:	11-Apr-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times