8/8/2019 Case Study Operational risk
Quantifying Operational Risk in General Insurance Companies
Introduction
Due to a number of recent business failures and unpredictable events, insurance companies are to improve their
approaches to operational risk (Actuarial Approach). Operational risk can be described as the risk of direct or indirect loss
resulting from inadequate or failed internal processes, people and systems or external events.
Categories of operational risk
Cause: critical elements / internal deficiency that help the event to take place. The detrimental event exploits the risk
factor in terms of greater frequency and/or severity.
Event (actual or potential): is the single detrimental occurrence that can result directly in one or more damaging
happening for the bank (later effect) and at the same time provoke subsequent single correlated events.
Effect: is the single damaging happening coming from a detrimental occurrence (event). The effect marks every single
consequence in a unique event time-space context; the effect amount is the incurred operational loss.
Causes
People
Process
Systems
External events
Events
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Clients, Products & Business Practices
Damage to Physical Assets
Business Disruption and System Failures
Execution, Delivery and Process Management
Effects
Direct Actual Losses only
Gross Losses
Failed Recoveries
Potential Actual Losses
Indirect Losses (Reputation etc)
Near Misses
Gains
Four levels of operational risk
People risk-Risks due to human errors, lack of expertise and fraud.
Processes risk-This risk emerges as a result of malfunction in the information system and can be external or internal, includes
inadequate procedures and controls for reporting, monitoring and decision making, errors in the recording processes of
transactions.
Technical risk-The third level of operational risk relates to model errors, implementation and the absence of adequate tools
for measuring. A technical risk can also be the risk of loss of electricity at a crucial time or the incorrect installment of certain
software, or an outdated computer.
Technology risk-This relates to deficiencies of the information system and system failure. It is more advanced and more
complex. Some examples of specific loss scenarios of technology risks include system maintenance and external disruption
such as failures of exchanges, software problems, outdated systems, etc.
Further it has been pointed out that not having the right processes to manage Operational risk is itself operational risk.
Ultimately, to mitigate and manage operational and strategic risk, the following is needed:
Design: The right controls, people and processes
Implementation: To make sure controls are implemented with trained and motivated people (To avoid Human errors)
Review: Processes to ensure a continual rethink and refresh of the whole system.
The pull of business benefits is seen as the main driver towards effective operational risk management. Measurement of risk
has become an essential tool of effective business management.
General Background
This article originates from a General Insurance Research Organization (GIRO) working group on operational risk; its application is
much wider, covering life assurance, fund management, pension funds, other forms of security business and banking.
Any organization using analytic approaches to risk identification, management and measurement, including stochastic risk analysis
modeling techniques are covered. In 2001 an operational risk working group was set up that reported at the 2002 GIRO
conference in Paris. A good start had been made, but there was more to do, especially in the desire to be able to quantify
operational risks and understand both their magnitude and correlation with other risks. Adding value to business
management often requires measurement and quantification. Management decisions are better informed by a well
considered understanding of the scale of investments and returns. Quantification requires data. The initial reaction is often
that operational risk is difficult to quantify and losses are hard to categorize.
The Actuarial Contribution
Typically, one of the actuary's tasks is to assist with the quantification of capital and risk, preparing analyses and reporting to the
Board.
Quantification Techniques
The quantitative methods that are applicable to the problems of understanding and quantifying operational risk:
Statistical/curve fitting-This covers the following: Empirical studies, Maximum loss approach, Theoretical probability distribution
functions (PDFs) and Regression analysis
Frequency/Severity analysis-This includes Extreme value theorem (EVT), which is an advanced version of frequency/severity
analysis, and Stochastic differential equations.
Statistical (Bayesian)-This includes systems (dynamic) models, influence diagrams, Bayesian belief networks and Bayesian causal
models, process maps and assessments.
Expert-This includes fuzzy logic, direct assessment of likelihood/preference among bets, capital asset pricing models (CAPM)-
market view less insurance/asset risk values, and RAMP.
Practical- Gives the practical approaches of stress testing and scenario analysis, business/industry scenarios, dynamic financial
analysis and market beta comparison for individual companies within market sectors.
Paper Overview
Description of a hypothetical case study of an insurance company, named Middle England Life & General plc.
Background to the quantification of operational risk.
Stress testing and scenario analysis are discussed.
Frequency/severity modeling and causal/Bayesian approaches to risk.
Case Study
The main objective is to examine the applicability of various methods for quantifying operational risk, and quantification requires
data. An attempt has been made to ensure that the case study is:
Based in reality
Practical
Easy for readers to relate to their circumstances.
The case study is based on a U.K insurance company called Middle England Life & General plc (MELG).
The case study only discusses the general insurance aspects of the business. The director of the group has been charged with
producing a report that:
Reviews wide risk management practices for MELG plc
Ensures that MELG plc takes steps to establish and maintain appropriate risk management practices
Informs the group risk committee about past and current wide risk management issues
Historical Beginnings of MELG plc
Originated in the U.K in the early 1900s, based in the Midlands. Launch of direct operation in 1993. Acquired a commercial insurance
company in 1995. In 1997 MELG restructured into three separate business units-Commercial, personal intermediary and
personal direct. In 1998 MELG became the target of a hostile takeover bid. In 1999 the company became the U.K subsidiary
of a large multinational company with its parent Megacentral Insurance Corporation Inc (MICI) based in New York, United
States of America.
Current Operations of MELG
Currently operates through three major sites with ten local offices. 2600 general insurance staff. The organization is now
considered as three main strategic businesses:
Commercial Insurance
Personal intermediary insurance
Personal direct insurance
MICI imposes Investment and Business Strategy
MICI set an aspect of policy for MELG that was on group investment objectives. It appears that the MELG plc balance sheet was
used to make strategic investments for the parent company. A group management decision to aim for 70% personal lines
and 30% commercial lines business mix was taken.
Management Changes
The MELG management decision-making process changed during 1999, following its acquisition by MICI. Prior to that time it
operated a more consensus, delegated decision-making style.
Some Major Historical Actions and Incidents
1. Launch of direct writing.
The projected cost at that time was 30m to P & L, based on a new marketing budget of 10m per annum, extra staff costs
and a 5m investment in systems, all offset by growth of business and eventual profit.
A retrospective analysis undertaken suggested that the actual cost was in the region of 70m, partly due to expense
overruns and lower than business growth
2. Outsourcing of claims handling
The commercial insurance business was self-contained and largely staffed by people from the acquired commercial company.
The personal direct business was now given autonomy for all aspects of its business. It decided to outsource its claims handling to
the personal intermediary business.
3. External supplier fraud
External fraud had led to a loss of 5m. The fraud involved a third-party supplier selected by the U.K company to provide services
to insurance clients. This was due to a lack of confidence in whistle-blowing procedures (indicative signs of risk).
4. Reinsurance failure to respond
Group management also overrode local management with respect to reinsurance policy. This led to a gross loss of 100m and
only 10m was recovered. The group internal audit blamed both parties for their evident lack of communication. The overall
result was an unexpected loss of 40m.
5. Block account loss
A key corporate relationship for MELG plc collapsed as a result of the group-initiated management changes at MELG plc. As a
result, this 100m block account was lost, with an assumed profit value of 20m.
6. Loan default investment loss
The parent company had, in effect, set an aspect of investment policy that had a detrimental effect on MELG plc because it put
group objectives before the prudent management of the U.K insurance firm. Local management either lost autonomy or
did not properly check the suitability of the investments being made. One such strategic investment loan defaulted, costing
75m.
7. Stop loss reinsurance loss
The result was an unexpected loss of 25m.
8. Systems overspend loss
System development often leads to overspends due to being behind schedule or when there is no effective co-ordination.
Consequences-This could be seen as the situation where the reputational risk easily blows up into a full-scale crisis.
Basic Risk Management Control Cycle
OPERATIONAL RISK MANAGEMENT MATURITY MODEL
Introduction
There have been several attempts to describe the evolution of risk management. MELG has been
relying on traditional measures to control operational risk:
Internal control
Internal audit
Quality of its staff
But these measures are insensitive to the quality of the organization's system of management. We
must construct a model that measures objectively the quality level of the organization's
management system (O.R.M.M.M.).
Risk Management Maturity Model
The procedure consists of evaluating an organization's management system with respect to five levels of maturity:
Risk Management Maturity Model (cont)
1st. Traditional:
Organizations whose management simply follows Traditional House Style.
Management is unaware of the need to manage O.R.
2nd. Awareness:
Awareness of the benefits of O.R. Management exists, but with no implementation of systematic controls.
Concern is limited to the management of I.O., and to making procedure manuals and job descriptions available.
3rd. Monitoring:
Control systems, in the main processes.
Indicators established, even though qualitative, of the evolution of O.R., including reporting elements.
4th. Quantification:
Quantitative indicators in the main processes, allowing quantitative objectives to be established.
Risk management by means of application of the calculation routines of S.C.R. of QIS3.
5th. Integration:
Annual valuation of the O.R. of all the organization's processes.
Active use of the O.R. information to improve the firm's organizational processes with the aim of gaining competitive advantage.
STRATEGIC INDICATORS OF OPERATIONAL RISK
These are references that allow anything from a qualitative to a precise quantitative valuation to be made.
There exist three types of indicators:
Those relative to exposing the risk (E):
Such as volume of premiums or technical provisions (QIS3).
Indicative of the volume of processes with the possibility of operational failure.
They do not detect changes in the ratio of losses, and must be accompanied by such indicators.
Those relative to losses (L):
E.g., number of complaining clients.
They measure events with incurred losses, and are thus not predictive, allowing only reactive action.
They are typical of ex-post contexts, a necessary complement of every analysis.
Those relative to causes (C):
E.g., the rotation of staff.
They measure factors related to causes of failures, and are thus predictive indicators, allowing pro-active
action.
They are the hardest to identify, it being necessary to establish the causal relationship between indicator and
loss.
Very valuable, being predictive.
Additional examples of the different kinds of indicators:
Those relative to exposing the risk (E):
Number of claims processed
Growth of sales
Number of important claims
Number of IT projects underway
Size of outsourced contracts
% of the business corresponding to each supplier
Those relative to losses (L):
Number of claim complaints
Number of budget overruns
Those relative to causes (C):
Number of "severe" audit incidences unresolved in 2 years
Employee turnover
Number of employees, by category, needing training
Hours of training per employee
Overtime per employee
Number of different P.C. configurations in use
STRATEGIC INDICATORS OF O.R. (Cont)
Capital requirements- Stress and Scenario Testing
Stress testing and scenario analysis are part of best practice in the overall management of a non-life insurance company. Stress
testing and scenario analyses, being based on an analysis of the impact of unlikely, but not impossible, events, enable a
company to gain a better understanding of the risks that it faces under extreme conditions.
Stress testing is the process of evaluating a number of statistically defined possibilities to determine the most damaging
combination of events, and the loss that they would produce.
Scenario analysis is the process of evaluating the impact of specified scenarios on the financial position of a company. The
emphasis here is on specifying the scenarios and following through their implications.
Case Study Application
For each of these sources of operational risk, appropriate separate tests are carried out:
Administration risk:
In order to set up stress tests and scenario
analyses for administration risk
administrative deficiencies, taking account of both the actual losses recorded in the exception reports and the
results of the Delphi analysis (see {2.7.8).
Other relevant factors include the nature and extent of centralised and decentralised functions and the
segregation of duties between staff.
Compliance risk:
Principal compliance risk to arise from the risk of non-adherence to legislative and internal company
requirements.
An investigation into compliance over the last five years found no history of non-compliance with policy and
control systems, nor had there been any reported areas of non-compliance with legislation or other
requirements
Case Study Application (cont)
Event risk:
Event risk is the risk associated with the potential impact of significant events on the company's operations.
The risks are those that are directly related to the products and services offered, and not to events impacting
other business risk areas, e.g. non-life insurance business, credit exposure or market risk.
No additional capital was required for this type of risk.
Fraud risk:
In assessing fraud risk, a major incident that involved fraudulent activity in relation to an external supplier
which resulted in a loss of R5m was used.
After allowing for the improvements in controls that resulted from this incident, the scenario analysis produced
a range of estimates for the amount of capital required to cover future fraud.
Case Study Application (cont)
Governance risk:
Governance risk is the risk that the Board and/or senior management will not perform their respective roles
effectively.
The existence and level of directors' and officers' insurance in place were investigated and compared to the
known incidence of claims of this type.
The current level of corporate governance was considered, and an assessment made of the likelihood that its
shortcomings might result in the Board and/or senior management not adequately undertaking their roles.
In addition, costs of altering or strengthening the current Board structure were analysed. Given the
uncertainties involved, the risk director was unable to come up with a single point estimate of the capital
required, and instead used a range of estimates.
Case Study Application (cont)
Strategic risk:
Strategic risk arises from an inability to implement appropriate business plans and strategies, make decisions,
allocate resources or adapt to changes in the business environment.
MELG's risk director assessed the prudence and appropriateness of the future business strategy in the context
of the competitive and economic environment.
Forecasting and projections were assessed, considering the possibility of a fundamental market change due to
higher numbers of competitors, changes in sales channels, new forms of insurance or changes in legislation.
Technology risk:
MELG's risk director considered the risk of error or failure associated with the technological aspects (IT
systems) of MELG's operations, including both hardware and software risk.
The risk director also considered the past reliability and future functionality of the information systems to be
adequate.
Plans for business continuity management and disaster recovery are reviewed regularly and tested quarterly.
There is a back-up site with full recovery capabilities. When performing the scenario analysis, the risk director
allowed for the costs associated with utilising the site and the associated business interruption insurance.
Conclusion
Overall Assessment
The analysis took into account scenarios which might reasonably be linked, the difficulty with which capital might be
replaced if the scenarios occurred, and the changes in strategy which might need to be adopted if the scenarios
occurred.