Operational resilience relies on a series of linked processes and is complex to implement. Sonia Shah looks at the key challenges for the insurance sector and what to do now.
In 2019, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) released consultation papers highlighting the importance of operational resilience and the need to minimise the impact of service outages. They defined operational resilience as the ability to prevent, adapt and respond to, recover from and learn from operational disruptions.
Firms have begun to make progress in this space, and the regulators have since published their final rules, which come into force on 31 March 2022, with a transition period of three years for firms to be able to remain within their impact tolerances.
The operational resilience framework
On a fundamental level, operational resilience looks at how well firms and financial market infrastructures (FMIs) can respond to high-impact events.
While the regulators recognise that service disruptions are inevitable, they require firms to have frameworks in place to reduce the impact of those disruptions on customers and markets. This will not be easy: firms must complete a complex mapping exercise covering all of the underlying business processes that deliver their services.
For insurers, the operating environment is already complex with key considerations including:
ever-changing client requirements
use of new technologies, whether cloud-based or through the development of more algorithmic applications
The new requirements will apply to all UK Solvency II firms, the Society of Lloyd's (and its participants), and enhanced firms under the Senior Managers and Certification Regime (SM&CR). The FCA is also considering extending operational resilience requirements to core and limited scope firms.
Under operational resilience requirements, insurance firms must have plans in place to restore key products and services in the event of disruption within a timeline acceptable to their customers.
Key expectations are outlined below:
Identify important business services
Examples of important business services will differ between types of firm, but are likely to include:
the areas of pricing and rating
annuity payments processes
policy and documentation issuance
customer service operations
Firms need to identify the people, processes, technology, facilities and information that support each important business service, so that the firm can assess the resilience of that service.
This mapping exercise helps insurance firms identify vulnerabilities and weaknesses in delivering important business services within an impact tolerance, and helps them formulate remediation plans.
Setting impact tolerances
Insurance firms must set at least one impact tolerance for each important business service they have identified, expressed with clear metrics. The metrics describe the extent of disruption the firm can withstand and define the point beyond which disruption is no longer acceptable.
These metrics may include the length of time of an outage or the number of customers or transactions affected.
Regulators expect insurance firms to regularly test their ability to deliver important business services within the set impact tolerances in the event of a disruption. As part of this scenario testing, firms need to assess a range of severe but plausible situations to see where they may exceed their tolerances, and take action to reduce the effect of disruptions so that they stay within them.
After testing, or if an incident has occurred, regulators expect insurance firms to follow up on lessons learned to improve resilience.
Senior manager self-assessments
Insurance firms must prepare, and keep up to date, a written self-assessment of their compliance with the FCA's and PRA's operational resilience requirements.
The relevant Senior Manager Function holder under the SM&CR signs off the self-assessment, and the board approves it.
Communication and governance
In the event of an operational incident, firms need a clear communications strategy to make sure all stakeholders and customers are kept up to date with details of the outage.
Boards and senior management need to approve the important business services, the impact tolerances and the self-assessments.
This includes gaining assurance over the strategies, processes and systems that support operational resilience, and approving and testing the communication plans that come into effect in the event of an outage. Investment decisions also need to be assessed in line with the firm's operational resilience strategy.
Senior management must have the appropriate skills, knowledge and experience to carry out their duties, while boards must have the necessary background knowledge to offer an effective challenge.
Key considerations and next steps
With the rules in force from 31 March 2022 and a three-year transition period in which to be able to remain within impact tolerances, insurance firms have a lot of work to do to meet regulatory expectations within the given timeframe. When implementing the framework, some key areas to consider from an operational standpoint include:
An entity-level approach
Regulators expect insurance firms to take an entity-level approach to operational resilience, while understanding how group-level risks will affect the entity's ability to stay within its agreed impact tolerances.
Outsourcing and third-party risk
When mapping and assessing processes, firms must include those that are outsourced to a third party. This may include intermediaries that underwrite business on the firm's behalf, which would be considered an important business service, and third-party payment service providers.
It is important to differentiate between business continuity arrangements and operational resilience, while recognising that business continuity is an important component of operational resilience: continuity planning addresses how to recover individual systems and sites, whereas operational resilience starts from the service delivered to customers and asks whether it can be kept within tolerance whatever the cause of the disruption.
Bearing in mind the complex operating environment for insurers, including intra-group and third-party risks, firms need to make sure they have an appropriate framework and target operating model in place to embed operational resilience standards and to prevent harm to customers and markets in the event of an outage.
For support in improving your firm's operational resilience, contact Sonia Shah.