Policy clarifications issued by regulators in December 2019 made it clear that operational resilience needs to continue to be a key focus for insurers throughout 2020. Bradley Chadwick discusses practical implications of these regulatory requirements for the insurance industry.
Operational resilience is about how institutions address, recover and rebuild when things go wrong. It is about assuming a failure will occur and putting recovery plans and processes in place to reduce disruption to key services and consumers, regardless of the reason. Regulators expect a firm’s focus to be the continuity of service for customers.
While there is little that should be new to firms in the operational resilience papers published so far (they do not differ substantially from those requirements in Solvency II), regulators are now asking institutions to take a more holistic approach to operational resilience. Firms must focus on the end-to-end customer experience and not only the operational or capital impact on the firm.
Why focus on operational resilience?
According to a report by the Institute and Faculty of Actuaries, over 45% of failures at insurance companies can be attributed to operational risks. Examples of these failures in the financial services sector and the consequences for consumers have been well publicised: Equitable Life and Independent, as well as TSB, Visa and Barclays in the banking sector, to name a few.
Recent events at Travelex demonstrate how a failure in operational resilience can severely impact not only a firm itself, but also its customers and broader market stability. The currency provider suffered a cyber-attack on 31 December 2019. Travelex took 30 days to reinstate its own online services and saw its share price lose 57% of its value. More than two months later, RBS, Lloyds, Barclays and Sainsbury’s Bank were still unable to offer online currency services, and millions of customers were unable to acquire foreign currency through these providers.
Regulators have been explicit that, in assessing the whole customer journey, financial institutions now need to assess and prepare for failure at any critical third-party suppliers. For insurers, this includes any outsourcing intermediaries, such as third-party operational outsourcing arrangements, brokers, distributors and other service providers. Regulators will no longer accept the argument that it was a third party’s fault if a customer is prevented from accessing products or services.
What is required from insurance carriers?
Put simply, insurance carriers are required to map every process that supports the provision of a product or service to a client, including the entire customer journey. This will include in-house customer acquisition activities, underwriting, policy-holder administration and third-party administrators (TPAs), as well as regulatory functions, such as complaints, oversight and audits.
Potential failures must then be identified. Cyber security and IT disruption are key areas of interest for the regulators, but they are not the only potential areas of risk. Other threats could include third-party insolvency, climate events, terrorist attacks and transformational change programs.
Tolerances need to be allocated for each of these potential failures, based on the most suitable metric. This could be the duration of the failure (time), the number of customers impacted (customer), the value of transactions affected (financial), the number of people affected (people) or the number of systems involved (systems). The regulatory clarifications published in December state that firms need to allocate at least two of these tolerances for each potential failure point. One is not likely to be sufficient.
Regular scenario testing on major failure points must be undertaken to ensure that suitable mitigation and recovery strategies are put in place. Insurance companies must not only focus on their own internal systems and processes, but must also consider which critical services are supported by third-party suppliers and ensure that these suppliers are also prepared for any failures.
It can be challenging for firms to balance regulatory expectations with what management believe is acceptable. These are a few key areas that need to be considered in any operational resilience planning:
Management need to assess inter-dependencies between service providers and review how they affect critical services, with consideration of how they can cause disruptions for other organisations.
Performing due diligence on third-party suppliers is a key part of ensuring operational resilience. Who holds the relationships with the third-party supplier – the group or local entities? Management should ensure there are alternative providers who can step in quickly should a supplier fail. Does the firm have step-in rights within third-party contracts?
Consider how important your firm is to any third-party supplier. Should that supplier suffer downtime, what priority will be given to getting services restored to your firm, compared to others?
Similarly, consider inter-company dynamics. Does operational resilience planning happen at group level? Where does each entity within the group rank in terms of service recovery? Is management within each entity aware of the hierarchy?
Particular attention should be paid to IT services and concentration risk. There are often only a limited number of organisations delivering certain IT services, so an outage could have a significant impact on key services, with little potential for substituting an alternative provider.
Broader strategic implications
We believe this regulatory focus on operational resilience may lead to an increased focus on operations and cyber risk when doing diligence on transactions. It could also lead to a rationalisation of product distribution and intermediary networks.
Management may consider that if they are to be held more accountable for failures within the entire customer journey, it would make more strategic sense to acquire key intermediaries. Similarly, we could see an increase in horizontal integration as carriers seek to bring third-party service providers or other specialists (for example, claims handling and IT) in-house. Given the amount of regulatory oversight for each product and service line, management may also consider disposing of non-core operations or assets.
A value-adding process
Although complying with regulator requirements will take both time and money, investing in robust operational resilience plans may increase an insurer’s competitive advantage in the market. Identifying key risks enables a firm to consider improvements both internally and in its third-party supplier relationships. Being operationally resilient helps protect your reputation with regulators, shareholders and the public, and ensures a firm does not hit the headlines for the wrong reason.
It can also help maintain the confidence of debt and equity providers, and act as a powerful tool in preparing for any transaction. With this increased regulatory focus, a firm’s operational resilience is likely to form part of any due diligence process in M&A activity. By streamlining processes, extracting better performance from third parties and improving the consumer experience, insurance carriers will ultimately be driving value.