Insurers meet for their annual European forum in Munich
- 13 June 2019
In May, representatives from 15 insurance firms gathered in Munich for the annual ORX European Insurance Forum. The event was very kindly hosted by Munich Re at their offices, and we were very fortunate to be joined by their CRO, Bernhard Kaufmann, who made the opening address.
Priorities and challenges
Bernhard Kaufmann confirmed to the group the ongoing, in fact increasing, importance in financial services of operational risk, and therefore the need for effective operational risk management. We then discussed the major risks and operational risk challenges currently facing the industry.
What are the top risks your firm faces in 2019
Consensus on major risks, with cyber top risk
Cyber dominated the discussion of major operational risks facing the industry. Insurers are increasing their efforts to improve controls, assess the risks more effectively and guide senior management understanding. The group agreed that a considerable part of the cyber challenge is this latter point – educating senior management and boards and presenting them with a coherent view of risk exposure and the state of controls. Many insurers were also continuing to build capability in the second line of defence to manage cyber risk. We urge anyone who is not yet participating to get involved with the ORX cyber initiative.
Other notable risks included the continued challenge of conduct, particularly considering the associated organisational cultural challenges, as well as the other regulatory favourite – outsourcing and third party management. Model and transformation risk were also more prominent in discussions this year.
More from ORX: Risk-managing change to be published later this month
This discussion was dominated by two priorities:
- Implementing an effective risk culture – how do you drive risk management ownership and the right behaviours, how do you measure risk culture?
- Resources – bringing in the right people to effectively support the business, linking with risk specialists and delivering the right messages to senior management.
In addition, insurers continue to grapple with effectively evolving their risk frameworks, delivering effective and aligned views of risks and control (linking across the three lines of defence and even delivering combined assurance models) and ensuring GRC tools support their needs.
What are your top three current challenges?
Developing a strategy for operational risk management
Simon Wills, Executive Director at ORX, led a session on developing a strategy for the future of operational risk management, concentrating on how to ensure the discipline stays fit for purpose to support our businesses. The consensus was that this needs to be a key focus and discussion and conclusions centred around three areas.
1. What we should leave behind
There was agreement that we need to reduce the focus on the risk management process, leave behind our world of acronyms and also change the ‘data heavy’ information overload in our risk reporting.
2. What we need to build anew
- Skills – increase the ability of our teams to interact with and challenge senior management, as well as increasing analytical capability within teams
- Value – determine and agree our value proposition, as well as determining roles and responsibilities
- Brand – articulate what we stand for and the objectives of operational risk management
- Measure – develop a more practical and business focused way of measuring operational risk
3. What do we keep
- First line – retain but improve our dialogue, making it more business focused
- Reporting – retain but improve, including analytics and more insights
- Risk tool set – making it more efficient and risk/trigger based
Next Step: ORX will continue this dialogue with members and aims to be in a position to drive forward an industry consensus on operational risk strategy by Q2 next year.
Lessons learnt from the Australian Royal Commission
A royal commission in Australia has looked in detail at business practices across the retail financial services industry. In this session, the findings and lessons learnt were shared with the group.
Discussion identified some similarities experienced in Europe, including the need for risk to have a loud enough voice and a ‘seat at the table’ more often and early enough (e.g. for new products and initiatives). There was also a discussion on the need to work more closely with compliance to do this and the related benefits of the umbrella approach – pulling the second line together to interact with and challenge the business more effectively and driving responsibilities into the first line – as well as the need for risk to be able to articulate challenge more clearly.
Defining the future of operational risk loss data
Swiss Re and Generali provided an introduction to the progress they’re making in this area, the current challenges and the need for progress within member organisations and with ORX data. Conclusions from the ensuing discussion included:
- Senior management – interest levels are historically low and there is a need to focus on reporting lessons learnt from big losses, updates on control improvements or providing insightful analysis. There is limited interest in general statistics on loss levels etc. There is also a need to create a link between loss levels and risk appetite.
- Regulatory interest – seems to be increasing in Europe, with a number of regulators recently asking for copies of loss databases. We are waiting to see what questions come back.
- Internal changes – organisations are continuing to focus on improving completeness and quality. They would also ideally like to link more to accounting to both identify losses and to ensure accuracy of data. Finally, they want to increase and improve the analysis of data and begin to use advance analytics approaches, particularly to review descriptions.
- ORX enhancements – there is a desire for ORX to increase levels of analytics on the data and report this back to members, as well as to continue driving improvements in descriptions (an action agreed by all members) and to consider whether we reduce thresholds for descriptions. There is also a need to consider evolving the exposure indicators further and considering how risk categories can be implemented in the data to support analysis.
Next Step: ORX to raise the points above relating to ORX data at the next Insurance Definitions Working Group.
The challenge that is RCSA
AXA shared with the group the work they have undertaken to enhance their risk and control assessment process, including the challenges they faced and the successes they have experienced. This was an excellent insight to a program of work that has been running across the AXA group. It also generated significant conversation about how insurers would like to develop and evolve their processes, with focus in a number of areas:
- Process – there has been too much and the RCSA has generally been too formulaic, not risk or trigger based and not efficient. Also, supporting GRC tools have been too customised and reporting and analysis has been difficult.
- Ownership – the RCSA works better when senior management are engaged and take ownership for the data, including having responsibility for risk and control identification, reporting the data and following up on actions.
- Reporting – we need to ensure reports focus on key issues and actions and there is a real interest to improve analytics on the data in order to provide insights to management, demonstrating value to the first line.
Next Step: If you're not yet signed-up, we urge you to participate in the current RCSA practice benchmark, which will explore these issues further.
Digital and risk management
We were lucky to be joined by Peter Hairs from Accenture who spoke to the group about the projects he has undertaken to deliver a digital overlay to operational risk data.
He described the approach to making this a reality and the difference stages you can run through to deliver value in this area. Peter’s work has included delivering reporting portals that create interfaces for risk management to have faster access to data, and to be able to drill into information from mobile devices (supporting real time challenge). Work has also included developing advanced analytics for data, such as text mining event descriptions in ORX News to look for common causal factors. Most of the projects have involved applying reporting technology to existing GRC tools, with a particular focus on enhancing the user’s experience and therefore increasing the operational risk value proposition (a step forward from the traditional approach to accessing and reporting on operational risk data).
The three lines of defence model
The final session at the forum explored current considerations and challenges in relation to the three lines of defence model. There is quite a strong desire to break free of the traditional shackles of this model and for risk to be a catalyst for improved collaboration between the business, other risk specialists and internal audit. Some examples included work undertaken to improve risk support and collaboration in traditional first line activity (risk often rolling up their sleeves), as well as improved collaboration with audit and compliance (some have developed combined assurance models and aligned reporting).
Overall, there is a general consensus that operational risk needs to lead the charge in driving increased collaboration and dialogue to embed risk management across the three lines of defence, breaking down barriers and supporting wider risk functions and management more.
ORX would like to thank all participants for their attendance at the forum, as well as their open, honest and constructive contribution to discussion. We would especially like to thank everyone who led sessions during the event. Members who attended the forum can download the presentations from the event here.