Insurtech: Active approach to adopting a resilience mindset
Pressures from regulators are triggering reviews of traditional risk areas for insurers. Considering the multiple external uncertainties facing insurers, it is important that firms take proactive steps to assess the adequacy of their risk management and control frameworks. Firms need to be prepared for novel risks and changes in risk correlations.
On January 10th, the Bank of England’s Prudential Regulation Authority (PRA) wrote to chief executives of financial services companies setting out its “planned work for 2023”. One of its top priorities is to see them improve their risk management and governance frameworks to build financial resilience. Here, we explore some of the implications of this initiative.
Organisations are not ‘risk-ready’
Conventional approaches to risk assessment in the insurance sector, such as relying on historical data to model risk, are not always prepared for new or unexpected risks. These approaches assume that the future will be like the past. The confirmation bias effect means organisations are placing too strong an emphasis on the preventative control environment.
Instead, resilience managers are now encouraged to focus on impacts and recoverability, even for once-in-a-hundred-year events such as Covid-19 (extreme but plausible!). This shifts the mindset from ‘what if?’ to ‘assume failure’. Tell yourself that the theoretical calamitous event, whatever it is, has actually occurred, and map the fallout and your organisation’s response to it. This deconstructs the conversation to focus on the recovery plan, enabling us to ask: how would one adapt? Who would be responsible for what? How do we ensure the customer is at the hub of the decision-making process when disaster strikes?
From specific threat prediction to building resilience
According to the FCA guidance, this is a key focus for 2023. What happens when your Important Business Services (IBS) fail? This is the exam question. Currently, many companies lack the ability to effectively test their processes end-to-end, including third parties and suppliers; however, regulators expect a level of sophistication to be achieved in this area by 2025. Invest the necessary time and resources to test comprehensively and adopt the learnings quickly and seamlessly. This will build resilience and improve fault tolerance.
Enabling continuous risk monitoring through accurate and valid data
Operational resilience is focused on outcomes and the continual observation of the risk landscape. Begin by establishing clear risk management processes and procedures that are well-defined and consistently applied across the organisation. Define your range of data sources, including internal and external data, to develop a comprehensive understanding of the risks faced by the organisation and its policyholders.
Organisations, particularly large ones in the financial sector, struggle to implement comprehensive control assurance programmes due to the sheer volume and the vertical, siloed nature of the business. The key is to establish a centralised data repository to host gathered data. With valid and accurate data in place, use advanced analytics and machine learning techniques to analyse data in real time, identify emerging risks, and assess the potential impact of those risks on the organisation. Then, develop risk scenarios and stress tests to evaluate the potential impact of different risk scenarios on the organisation's financial position and its ability to continue to provide coverage to its policyholders.
Finally, use risk dashboards and other business intelligence tools to provide regular updates on the organisation's risk exposure and risk management activities to key stakeholders, including senior management, the board of directors, and regulators. By taking these steps, insurance companies can create a more dynamic and responsive risk management framework that is better able to adapt to changing risk environments.
Building a future state of resilience
Third-party management is another key theme for 2023. To create a future state of resilience where third parties are connected to the nerve centre of the business, it's vital to take a strategic and proactive approach to third-party risk management by following these guidelines:
- Identify critical third-party relationships and assess the risks associated with those relationships, including assessing the third party's ability to maintain continuity of operations and protect sensitive data.
- Enable secure data-sharing to support testing scenarios.
- Develop a framework for monitoring and managing third-party risk, including policies and procedures for due diligence, contract management, and ongoing monitoring.
- Establish regular communication and collaboration with third-party partners, including regular updates on risk management activities and any changes in the risk environment.
- Invest in technology and tools that can help automate and streamline third-party risk management, including monitoring tools and risk dashboards.
- Foster a culture of collaboration and information-sharing across the organisation and with third-party partners, including sharing insights and best practices related to risk management.
These will help build a future state of resilience where third-party partners are fully integrated into the risk management framework and better able to contribute to the overall resilience of the business. Such an approach will help protect companies and their policyholders from a wide range of risks, including those that may originate from third parties, helping them to meet the expectations set out in the PRA’s letter.
About the author: Gary Lynam is the Director of ERM Advisory for Protecht Group