Case Study Operational risk


  • 8/8/2019 Case Study Operational risk


    Quantifying Operational Risk in General Insurance Companies


    Introduction

    Due to a number of recent business failures and unpredictable events, insurance companies are to improve their approaches to operational risk (Actuarial Approach). Operational risk can be described as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events.

    Categories of operational risk

    Cause: critical elements or internal deficiencies that help the event to take place. The detrimental event exploits the risk factor in terms of greater frequency and/or severity.

    Event (actual or potential): the single detrimental occurrence that can result directly in one or more damaging happenings for the bank (later effect) and at the same time provoke subsequent single correlated events.

    Effect: the single damaging happening coming from a detrimental occurrence (event). The effect marks every single consequence in a unique event time-space context; the effect amount is the incurred operational loss.


    Causes

    People

    Process

    Systems

    External events

    Events

    Internal Fraud

    External Fraud

    Employment Practices and Workplace Safety

    Clients, Products & Business Practices

    Damage to Physical Assets

    Business Disruption and System Failures

    Execution, Delivery and Process Management

    Effects

    Direct Actual Losses only

    Gross Losses

    Failed Recoveries

    Potential Actual Losses

    Indirect Losses (Reputation etc)

    Near Misses

    Gains


    Four levels of operational risk

    People risk - Risks due to human errors, lack of expertise and fraud.

    Processes risk - This risk emerges as a result of malfunction in the information system and can be external or internal; it includes inadequate procedures and controls for reporting, monitoring and decision making, and errors in the recording processes of transactions.

    Technical risk - The third level of operational risk relates to model errors, implementation and the absence of adequate tools for measuring. A technical risk can also be the risk of loss of electricity at a crucial time, the incorrect installation of certain software, or an outdated computer.

    Technology risk - This relates to deficiencies of the information system and system failure. It is more advanced and more complex. Some examples of specific loss scenarios of technology risks include system maintenance and external disruption such as failures of exchanges, software problems, outdated systems, etc.

    Further it has been pointed out that not having the right processes to manage Operational risk is itself operational risk.

    Ultimately, to mitigate and manage operational and strategic risk the following is needed:

    Design: The right controls, people and processes.

    Implementation: To make sure controls are implemented with trained and motivated people (to avoid human errors).

    Review: Processes to ensure a continual rethink and refresh of the whole system.

    The pull of business benefits is seen as the main driver towards effective operational risk management. Measurement of risk has become an essential tool of effective business management.


    General Background

    This article originates from a General Insurance Research Organization (GIRO) working group on operational risk; its application is much wider, covering life assurance, fund management, pension funds, other forms of security business and banking.

    Any organization using analytic approaches to risk identification, management and measurement, including stochastic risk analysis modeling techniques, is covered. In 2001 an operational risk working group was set up that reported at the 2002 GIRO conference in Paris. A good start had been made, but there was more to do, especially in the desire to be able to quantify operational risks and understand both their magnitude and correlation with other risks. Adding value to business management often requires measurement and quantification. Management decisions are better informed by a well-considered understanding of the scale of investments and returns. Quantification requires data. The initial reaction is often that operational risk is difficult to quantify and losses are hard to categorize.


    The Actuarial Contribution

    Typically, one of the actuary's tasks is to assist with the quantification of capital and risk, preparing analyses and reporting to the Board.

    Quantification Techniques

    The quantitative methods that are applicable to the problems of understanding and quantifying operational risk:

    Statistical/curve fitting - This covers the following: empirical studies, maximum loss approach, theoretical probability distribution functions (PDFs) and regression analysis.

    Frequency/severity analysis - This includes Extreme value theorem (EVT), which is an advanced version of frequency/severity analysis, and stochastic differential equations.

    Statistical (Bayesian) - This includes systems (dynamic) models, influence diagrams, Bayesian belief networks and Bayesian causal models, process maps and assessments.

    Expert - This includes fuzzy logic, direct assessment of likelihood/preference among bets, capital asset pricing models (CAPM) - market view less insurance/asset risk values, and RAMP.

    Practical - Gives the practical approaches of stress testing and scenario analysis, business/industry scenarios, dynamic financial analysis and market beta comparison for individual companies within market sectors.


    Paper Overview

    Description of a hypothetical case study of an insurance company, named Middle England Life & General plc.

    Background to the quantification of operational risk.

    Stress testing and scenario analysis are discussed.

    Frequency/severity modeling and causal/Bayesian approaches to risk.

    Case Study

    The main objective is to examine the applicability of various methods for quantifying operational risk, and quantification requires data. An attempt has been made to ensure that the case study is:

    Based in reality

    Practical

    Easy for readers to relate to their circumstances.

    The case study is based on a U.K. insurance company called Middle England Life & General plc (MELG).

    The case study only discusses the general insurance aspects of the business. The director of the group has been charged with producing a report that:

    Reviews wide risk management practices for MELG plc.

    Ensures that MELG plc takes steps to establish and maintain appropriate risk management practices.

    Informs the group risk committee about past and current wide risk management issues.


    Historical Beginnings of MELG plc

    Originated in the U.K. in the early 1900s, based in the Midlands. Launch of direct operation in 1993. Acquired a commercial insurance company in 1995. In 1997 MELG restructured into three separate business units: commercial, personal intermediary and personal direct. In 1998 MELG became the target of a hostile takeover bid. In 1999 the company became the U.K. subsidiary of a large multinational company, with its parent Megacentral Insurance Corporation Inc (MICI) based in New York, United States of America.

    Current Operations of MELG

    Currently operates through three major sites with ten local offices. 2600 general insurance staff. The organization is now

    considered as three main strategic businesses:

    Commercial Insurance

    Personal intermediary insurance

    Personal direct insurance


    MICI imposes Investment and Business Strategy

    MICI set an aspect of policy for MELG that was on group investment objectives. It appears that the MELG plc balance sheet was

    used to make strategic investments for the parent company. A group management decision to aim for 70% personal lines

    and 30% commercial lines business mix was taken.

    Management Changes

    The MELG management decision-making process changed during 1999, following its acquisition by MICI. Prior to that time it operated a more consensus-based, delegated decision-making style.

    Some Major Historical Actions and Incidents

    1. Launch of direct writing.

    The projected cost at that time was 30m to P & L, based on a new marketing budget of 10m per annum, extra staff costs

    and a 5m investment in systems, all offset by growth of business and eventual profit.

    A retrospective analysis undertaken suggested that the actual cost was in the region of 70m, partly due to expense

    overruns and lower than business growth


    2. Outsourcing of claims handling

    The commercial insurance business was self-contained and largely staffed by people from the acquired commercial company. The personal direct business was now given autonomy for all aspects of its business. It decided to outsource its claims handling to the personal intermediary business.

    3. External supplier fraud

    External fraud had led to a loss of 5m; the fraud involved a third-party supplier selected by the U.K. company to provide services to insurance clients. This was due to a lack of confidence in whistle-blowing procedures (indicative signs of risk).

    4. Reinsurance failure to respond

    Group management also overrode local management with respect to reinsurance policy. This led to a gross loss of 100m and only 10m was recovered. The group internal audit blamed both parties for their evident lack of communication. The overall result was an unexpected loss of 40m.

    5. Block account loss

    A key corporate relationship for MELG plc collapsed as a result of the group-initiated management changes at MELG plc. As a result, this 100m block account was lost, with an assumed profit value of 20m.


    6. Loan default investment loss

    The parent company had, in effect, set an aspect of investment policy that had a detrimental effect on MELG plc because it put group objectives before the prudent management of the U.K. insurance firm. Local management either lost autonomy or did not properly check the suitability of the investments being made; one such strategic investment loan defaulted, costing 75m.

    6. Stop loss reinsurance loss

    The result was an unexpected loss of 25m.

    7. Systems overspend loss

    System development often leads to overspends due to being behind schedule or when there is no effective co-ordination.

    Consequences - This could be seen as the situation where the reputational risk easily blows up into a full-scale crisis.


    Basic Risk Management Control Cycle


    OPERATIONAL RISK MANAGEMENT MATURITY MODEL


    Introduction

    There have been several attempts to describe the evolution of risk management. MELG has been relying on traditional measures to control operational risk:

    Internal control

    Internal audit

    Quality of its staff

    But these measures are insensitive to the quality of the organization's system of management. We must construct a model that measures objectively the quality level of the organization's management system (O.R.M.M.M.).


    Risk Management Maturity Model

    The procedure consists of evaluating an organization's management system with respect to five levels of maturity:


    Risk Management Maturity Model (cont)

    1st. Traditional:

    Organizations whose management simply follows Traditional House Style.

    Management is unaware of the need to manage O.R.

    2nd. Awareness:

    Awareness of the benefits of O.R. Management exists, but with no implementation of systematic controls.

    Concern is limited to the management of I.O., and to making procedure manuals and job descriptions available.

    3rd. Monitoring:

    Control systems, in the main processes.

    Indicators established, even though qualitative, of the evolution of O.R., including reporting elements.


    4th. Quantification:

    Quantitative indicators in the main processes, allowing quantitative objectives to be established.

    Risk management by means of application of the calculation routines of S.C.R. of QIS3.

    5th. Integration:

    Annual valuation of the O.R. of all the organization's processes.

    Active use of the O.R. information to improve the firm's organizational processes with the aim of gaining competitive advantage.

    STRATEGIC INDICATORS OF OPERATIONAL RISK

    These are references that allow anything from a qualitative to a precise quantitative valuation to be made.

    There exist three types of indicators:

    Those relative to exposing the risk (E):

    Such as volume of premiums or technical provisions (QIS3).

    Indicative of the volume of processes with the possibility of operational failure.

    They do not detect changes in the ratio of losses, and must be accompanied by such indicators.


    Those relative to losses (L):

    E.g., number of complaining clients.

    They measure events with incurred losses, and are thus not predictive, allowing only reactive action.

    They are typical of ex-post contexts, a necessary complement of every analysis.

    Those relative to causes (C):

    E.g., the rotation of staff.

    They measure factors related to causes of failures, and are thus predictive indicators, allowing pro-active

    action.

    They are the hardest to identify, it being necessary to establish the causal relationship between indicator and

    loss.

    Very valuable, being predictive.


    Additional examples of the different kinds of indicators:

    Those relative to exposing the risk (E):

    Number of claims processed

    Growth of sales

    Number of important claims

    Number of IT projects underway

    Size of outsourced contracts

    % of the business corresponding to each supplier

    Those relative to losses (L):

    Number of claim complaints

    Number of budget overruns


    Those relative to causes (C):

    Number of "severe" audit incidences unresolved in 2 years

    Employee turnover

    Number of employees, by category, needing training

    Hours of training per employee

    Overtime per employee

    Number of different P.C. configurations in use


    STRATEGIC INDICATORS OF O.R. (Cont)


    Capital requirements- Stress and Scenario Testing

    Stress testing and scenario analysis are part of best practice in the overall management of a non-life insurance company. Stress testing and scenario analyses, being based on an analysis of the impact of unlikely, but not impossible, events, enable a company to gain a better understanding of the risks that it faces under extreme conditions.

    Stress testing is the process of evaluating a number of statistically defined possibilities to determine the most damaging combination of events, and the loss that they would produce.

    Scenario analysis is the process of evaluating the impact of specified scenarios on the financial position of a company. The emphasis here is on specifying the scenarios and following through their implications.


    Case Study Application

    For each of these sources of operational risk, appropriate separate tests are carried out:

    Administration risk:

    In order to set up stress tests and scenario

    analyses for administration risk

    administrative deficiencies, taking account of both the actual losses recorded in the exception reports and the results of the Delphi analysis (see 2.7.8).

    Other relevant factors include the nature and extent of centralised and decentralised functions and the

    segregation of duties between staff.

    Compliance risk:

    Principal compliance risk arises from the risk of non-adherence to legislative and internal company requirements.

    An investigation into compliance over the last five years found no history of non-compliance with policy and control systems, nor had there been any reported areas of non-compliance with legislation or other requirements.


    Case Study Application (cont)

    Event risk:

    Event risk is the risk associated with the potential impact of significant events on the company's operations.

    The risks are those that are directly related to the products and services offered, and not to events impacting

    other business risk areas, e.g. non-life insurance business, credit exposure or market risk.

    No additional capital was required for this type of risk.

    Fraud risk:

    In assessing fraud risk, a major incident that involved fraudulent activity in relation to an external supplier, which resulted in a loss of R5m, was used.

    After allowing for the improvements in controls that resulted from this incident, the scenario analysis produced a range of estimates for the amount of capital required to cover future fraud.



    Case Study Application (cont)

    Governance risk:

    Governance risk is the risk that the Board and/or senior management will not perform their respective roles

    effectively.

    The existence and level of directors' and officers' insurance in place were investigated and compared to the known incidence of claims of this type.

    The current level of corporate governance was considered, and an assessment made of the likelihood that its

    shortcomings might result in the Board and/or senior management not adequately undertaking their roles.

    In addition, costs of altering or strengthening the current Board structure were analysed. Given the uncertainties involved, the risk director was unable to come up with a single point estimate of the capital required, and instead used a range of estimates.


    Case Study Application (cont)

    Strategic risk:

    Strategic risk arises from an inability to implement appropriate business plans and strategies, make decisions,

    allocate resources or adapt to changes in the business environment.

    MELG's risk director assessed the prudence and appropriateness of the future business strategy in the context

    of the competitive and economic environment.

    Forecasting and projections were assessed, considering the possibility of a fundamental market change due to

    higher numbers of competitors, changes in sales channels, new forms of insurance or changes in legislation.

    Technology risk:

    MELG's risk director considered the risk of error or failure associated with the technological aspects (IT

    systems) of MELG's operations, including both hardware and software risk.

    The risk director also considered the past reliability and future functionality of the information systems to be

    adequate.

    Plans for business continuity management and disaster recovery are reviewed regularly and tested quarterly.

    There is a back-up site with full recovery capabilities. When performing the scenario analysis, the risk director

    allowed for the costs associated with utilising the site and the associated business interruption insurance.


    Conclusion

    Overall Assessment

    The analysis took into account scenarios which might reasonably be linked, the difficulty with which capital might be

    replaced if the scenarios occurred, and the changes in strategy which might need to be adopted if the scenarios

    occurred.