Solvency II and the need for Operational Risk
Since the European Council has postponed the deadline for Solvency II to January 2014, insurance companies have bought themselves more time to prepare for it. Most insurance companies are already working on the quantitative side of Solvency II (Pillar I of the solvency model, capital requirements) but have not started on the qualitative part (Pillar II, Operational Risk). According to visionaries, the biggest risk for insurers lies in Operational Risk!
Interestingly enough, these organizations do not know how to respond to the Own Risk and Solvency Assessment (ORSA) requirements, and the local regulators are not providing much guidance on this. What I hear from my clients is that they are looking for guidance on how to implement Operational Risk for Solvency II. This is where IBM OpenPages can help you. We have done this for many clients already, sometimes in a joint effort with business partners in the risk consulting area.
In fact, Operational Risk is not rocket science. Let me guide you through the process that one of my clients has taken.
1. Risk Governance and Culture
This is a reflection of the policies in place to govern your risks and of the risk culture in your organization. My client reviewed how risk awareness was embedded in the daily processes and which policies were in place to manage risks in the business.
2. Risk Identification and Prioritization
My client conducted workshops, guided by a risk expert, to identify risks in the current processes and aligned them to the strategic business goals. Based on the outcome of the risk assessments he was able to prioritize the risks.
3. Risk response formulation and Control design
Now that we understand the impact (also called the inherent risk exposure) we can start talking about how to formulate a risk response. Is a risk response needed at all? Can we insure the risk, can we ignore or accept it, or should we come up with mitigating controls? And of course, since the risks are not completely new, which controls do we already have in place? Compliance and Audit have played an advisory role in formulating the response and in the (re)design of these controls.
4. Risk monitoring
With an understanding of our risk environment and the resulting risk exposure, we started developing risk monitoring through reporting, dashboards and risk analysis. This answers the questions "where are we today?" and "how did we get there?". Subjects like risk appetite, risk tolerance and risk limits were formulated at this stage.
5. Issue and Action Management
The last step we took to close the loop was answering the question "what will we do about it?" Which actions will be taken, by whom, and when? A centralized approach to action management was a great relief to our CRO. The main benefit was the ability to provide auditors and the board with an integrated view of all actions and their follow-up progress.
Best practice is to start with a single, simple risk and control framework. Do not try to automate everything in the first phase: keep it simple and get the basic risk management process running. Once this is done you can start automating in phase II. Only automate where you can benefit from it, where it will save you a significant amount of time.
Phase II is really about automating manual processes. By automation I mean workflow in the risk and control assessment processes, plus alerting and notification. For example, coming to a final judgment on risk impact and likelihood has been a manual process in which only the final result was stored in the system. The next step towards a better qualified result can be the setup of automated questionnaires or a voting system: first a decentralized voting round is done, and then a centralized final verdict is reached in a group workshop. A decentralized first round has proven to give a better and more effective (read: shorter) discussion and a better final judgment on the risk assessments. Another example of automation is the collection of losses. Until now they were kept in Excel sheets and uploaded into the system. Qualifying the category a loss belongs to and validating the loss can be a time-consuming process. Automating this process will help the person registering the loss to make a correct classification and will speed up validation of the loss, including the assessment of the impact and the recovery.
Phase III is the step to the next maturity level. You now understand how risks and controls are related to each other, so you can put KRIs (Key Risk Indicators) in place. With these KRIs you will have an early warning system that helps you respond in a timely manner. This will shorten the time to respond to failures and might even prevent a loss from happening. Non-financial risk dashboards and scenario analysis are further steps that fit this level of maturity. Scenarios can help you to better calculate your capital requirements. Through risk assessments you can get the business's input on which losses are likely to happen in the near and longer term. The more sample data you put into your calculations, the better the outcome will be.
The last phase is about automating control testing. Here you start looking for control tests that can be performed automatically. Especially control tests that are performed frequently and systematically are candidates for automation. Examples can be found in General Ledger systems, like samples of invoices that can all be matched with PO numbers, or IT tests (endpoint tests) like "are all hard disks containing sensitive data encrypted?" or "do all systems have their passwords changed every month?".
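As an added illustration of the two endpoint control tests named above (this is example code, not from the original post and not part of IBM OpenPages), the following script evaluates a constructed endpoint inventory against a disk-encryption control and a monthly password-rotation control and returns the exception list an auditor would expect as evidence. The control identifiers, hostnames and the 31-day threshold are assumptions.

```python
# Added example (not from the post or IBM OpenPages): two of the endpoint
# control tests mentioned above, run over a constructed inventory.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Endpoint:
    host: str
    holds_sensitive_data: bool
    disk_encrypted: bool
    last_password_change: date

@dataclass
class ControlResult:
    control_id: str          # hypothetical control identifier
    tested: int              # population size the test covered
    exceptions: list = field(default_factory=list)  # hosts failing the control

    @property
    def effective(self) -> bool:
        return not self.exceptions

def check_disk_encryption(inventory):
    """Control: every endpoint holding sensitive data is disk-encrypted."""
    scope = [e for e in inventory if e.holds_sensitive_data]
    res = ControlResult("CTL-ENC-01", len(scope))
    res.exceptions = [e.host for e in scope if not e.disk_encrypted]
    return res

def check_password_rotation(inventory, as_of, max_age_days=31):
    """Control: every endpoint's password was changed within the last month."""
    res = ControlResult("CTL-PWD-01", len(inventory))
    res.exceptions = [e.host for e in inventory
                      if (as_of - e.last_password_change).days > max_age_days]
    return res

# Constructed sample inventory; hostnames are placeholders, not real systems.
AS_OF = date(2013, 6, 30)
INVENTORY = [
    Endpoint("fin-ws-01", True, True, AS_OF - timedelta(days=10)),
    Endpoint("fin-ws-02", True, False, AS_OF - timedelta(days=5)),
    Endpoint("mkt-ws-07", False, False, AS_OF - timedelta(days=45)),
    Endpoint("hr-ws-03", True, True, AS_OF - timedelta(days=40)),
]

def run_control_tests(inventory=INVENTORY, as_of=AS_OF):
    """Run all automated tests; each result is one piece of audit evidence."""
    return [check_disk_encryption(inventory), check_password_rotation(inventory, as_of)]
```

Each `ControlResult` records the population tested and the hosts that failed, so the same output can feed an issue in step 5 (Issue and Action Management) without manual re-keying.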
Blog post from Erwin Boeren, Governance Risk & Compliance Leader IBM Europe
Twitter : @erwinboeren