ORX hosts its third North American Insurance Forum
- 8 August 2019
By Steve Bishop, Head of Risk Information and Insurance
In late June, representatives from 15 insurers, as well as the NAIC, met in New York for the ORX North American Insurance Forum. Here are some of my key takeaways from the event.
Priorities and challenges
We kicked off the event by polling delegates on their current top risks. We followed this with an open discussion on the current risk priorities and challenges for operational risk in the region.
What are the top 3 operational risks your firm is facing in 2019?
Top risks stand out
Cyber was the clear winner in terms of the top risk facing firms in 2019. There is significant effort underway to evaluate the risk, build risk management expertise in the second line (2LOD), manage senior management’s understanding and consider how best to address the risk from an organisational perspective. There was particular discussion on the role of 2LOD risk experts versus the role of the CISO. Many are evaluating the role of the CISO, particularly considering concerns that a CISO’s role may be compromised reporting to a Head of Technology.
Wrapped into the cyber discussion was the ongoing concern about data, specifically the security and privacy aspects. There are also concerns regarding data storage (including the cloud), as well as the increased use of AI and the potential ethical questions that this raises. Other notable risks raised included outsourcing and the increasing use of third parties, leading to a subsequent growth in use of fourth parties. While operational resilience isn’t a significant item on the regulatory agenda yet, the increasing focus is evident.
It is worth stating that there were notable differences to the risks raised at the European Insurance Forum. Particularly, there is currently less focus on conduct and model risk for North American insurers. The challenge of change was also discussed and transformation risk is important, but they are not currently as high up the agenda as in Europe.
I encourage anyone not yet participating to get involved with the ORX cyber programme. We have recently published the programme definitions and the results of our own work on roles and responsibilities in cyber risk management. Read more on the CISR webpage.
Frameworks and people main challenges
The discussion about the main operational risk priorities particularly focused on risk frameworks. There were two aspects to the conversation:
- Developing and embedding – a number of forum participants are focused on developing, implementing and embedding complete operational risk frameworks across their businesses. This is particularly the case where the corporate operational risk function is relatively new. Activity here includes driving risk management into the first line of defence (1LOD) and making the business take responsibility for risk.
- Increasing efficiency – in relatively more mature organisations, there is a focus on improving efficiency and effectiveness of frameworks, making processes more risk based and making it easier for the business to operate these processes. There was also discussion regarding increasing alignment across control functions, adopting a consistent framework across the 2LOD (i.e. the umbrella approach) and having a consistent language and approach with audit functions. Those insurers implementing such an approach have seen significant benefits with the business, even if it has been painful getting there!
The ‘people discussion’ was another focus of the session. Several participants are still finding it difficult to recruit the right people with the right skills, in particular people with the skills to effectively support and challenge senior business stakeholders. Many also continue to grapple with the implementation of their GRC tools, trying to make them easier to use in the first line and trying to extract meaningful output.
Over the last year, we've done a significant amount of research on the umbrella approach to operational risk management. Read our report, Operational Risk: The Umbrella Function, and the follow up, The role and scope of operational risk, to find out more about the benefits of the umbrella approach.
What are your top 3 operational risk management priorities?
Active risk management and the three lines of defence
Guardian Life shared with the group their experiences of the three lines of defence and the work they have underway to implement enhancements in their organisation. The latter is focused on enhancing their risk culture, getting people to ‘do the right thing’ and moving away from the three lines of defence terminology, which they see as a distraction.
Key conclusions from the ensuing discussion included the view that there is a high level of confusion in the business over the three lines of defence. Risk needs to change the language and market the requirements more effectively. Alongside this, risk has a role to ensure they can demonstrate the operation of the model to regulators, without embroiling the business in the technical debate. Clarifying roles and responsibilities with clear messaging is key, and this needs to be driven home with training and monitoring – such as using culture assessments and surveys. Operational risk also needs to lead the charge to simplify the approach and coordinate this with other risk and control functions.
The future of operational risk loss data
Roland Kennett, Head of Membership & Service Development at ORX, introduced an open discussion on the use of operational risk loss data across participant firms. This centred on four key questions:
1. Have you implemented a loss data collection process?
Ninety-five per cent of participants confirmed that they have a process in place, with the remaining 5 per cent stating that it is work in progress. Part of the discussion focused on identifying events that sit on the operational/insurance risk boundary. Participants were keen to see our insurance/op risk boundary guidance, which we published to our membership in 2016.
2. How interested are senior management in loss data?
Just under half of participants said that management have an interest in the data, with more than a quarter describing management interest as 'high'. We discussed a need to focus on key messages from the data for the senior audience, rather than just statistics, and to look at causal analysis, lessons learnt and investigating/reporting on major losses or identified trends. In addition, delegates want to start using AI to drive improved insights from the data. They also agreed that presenting management with a view that links loss data to other framework information helps present a more coherent picture and enhances value.
3. What are your top 3 challenges with loss data?
Unsurprisingly, completeness and quality dominated this section. Work to improve this has included:
- Corporate teams increasing levels of oversight and challenge
- Enriching data in corporate teams
- Balancing cultural change (openness) with escalating issues not being reported
A number of participants are using attestations and asking business leaders to confirm completeness, while others are holding working groups to share lessons learnt and discuss particular events, helping to raise overall awareness. There is also a desire to use the general ledger more, but it was acknowledged that this is particularly difficult in insurance.
4. What should be the top 3 industry developments to enhance value from loss data collection?
This discussion focused on how we can continue to enhance and evolve the ORX data set. As seen in the accompanying word cloud, there is a desire to derive better information on the root cause, allowing better analysis of lessons learnt. Related to this was a desire for ORX to undertake further analysis of the loss data and, as an industry, there is a real interest in exploring how we can begin to use AI/machine learning approaches to examine and learn more from the loss data. The group also showed a strong interest in exploring further benchmarking options, particularly as the membership and dataset continue to grow.
Delivering value from operational risk management
Prudential Financial introduced this topic and their thoughts on delivering value in operational risk management. In light of this, the subsequent breakout discussion focused on how the operational risk discipline needs to evolve to add more business value. This highlighted three leading questions:
1. What should we keep?
Overall, the view was that we should retain the core operational risk framework tool set, but we should look to enhance and build on this (see question three). As part of this, we need to retain the collaborative, commercial approach many strive for when working with the business to enhance the way risks are managed and controlled.
2. What do we need to stop doing?
Everyone agreed that we need to stop operating in silos from other risk and oversight teams, including audit, particularly reducing the duplication of process and halting the use of differing and often overcomplicated risk-related terminology, acronyms and taxonomies.
3. What do we need to build?
There were three core areas where the group agreed enhancement is required:
- Analytics and reporting – needs to be more concise, provide better insights and be aligned across control functions. We also need to leverage and analyse existing risk-related business data (not just rely on the operational risk data). There was an overall consensus that we need to be better at measuring operational risk and an industry standard would help.
- Simplification and efficiency – this should be driven through everything we do, particularly the risk processes.
- People – upskilling teams to bring in risk professionals that can work with, and challenge, senior business leaders in a way that adds value, as well as recruiting individuals with skills to deliver better insights and analysis of data.
We are currently talking with our members about this topic, and hope to be in a position to drive forward an industry consensus on operational risk strategy by the second half of next year.
RCSA – What is good practice?
Based on their own experiences, AIG led an interactive discussion on the evolution of Risk and Control Self-assessment (RCSA) and the key building blocks that drive good practice. Attendees agreed that an effective organisational culture is essential if the RCSA process is to work, particularly having clear roles and responsibilities with the first line accepting responsibility for risk and control management, and therefore assessment. It was also noted that leadership stability, in both risk and the business, helps with this. However, when there are changes, you must meet with new leaders and gain their buy-in at the earliest opportunity.
It was agreed that ensuring the process is efficient and risk-based is important in delivering an effective RCSA. Some participants are making moves to only assess risks defined as material and/or move to risk assessment on a trigger basis – i.e. when an internal/external factor has changed requiring a re-assessment, rather than just on a periodic basis.
Reporting approaches were also discussed, with many agreeing that regular reporting of issues and actions to 1LOD meetings helps to embed the process. However, there is more of a challenge at corporate level to aggregate the information effectively and work out what view is best to report to senior committees. There appeared to be limited progress in this space, with the majority reporting a view of material risks. Another key factor discussed to help enhance the RCSA process was making GRC systems simpler for the first line to use and considering how they can extract the information in a meaningful way.
Many participants are involved in the current RCSA practice benchmark project, which looks in detail at a number of the topics discussed. If you've not taken part, you can still request to receive your own customised benchmark report. Contact us to find out more and request one.
On behalf of ORX, I'd like to thank all participants for their attendance at the forum, as well as their open, honest and constructive contribution to discussion. We would especially like to thank members that led sessions during the event.