
Quantifying Operational Risk in General Insurance Companies


Introduction
Following a number of recent business failures and unpredictable events, insurance companies need to improve their
approaches to operational risk (the actuarial approach). Operational risk can be described as “the risk of direct or indirect loss
resulting from inadequate or failed internal processes, people and systems or external events”.

Categories of operational risk

Cause: critical elements / internal deficiency that help the event to take place. The detrimental event “exploits the risk
factor” in terms of greater frequency and/or severity.

Event (actual or potential): the single detrimental occurrence that can result directly in one or more damaging
happenings for the bank (later “effect”) and at the same time provoke subsequent single correlated events.

Effect: is the single damaging happening coming from a detrimental occurrence (event). The effect marks every single
consequence in a unique event time-space context; the effect amount is the incurred operational loss.

Causes
• People
• Process
• Systems
• External events

Events
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products & Business Practices
• Damage to Physical Assets
• Business Disruption and System Failures
• Execution, Delivery and Process Management

Effects
• Direct Actual Losses only
• Gross Losses
• Failed Recoveries
• Potential Actual Losses
• Indirect Losses (Reputation etc)
• Near Misses
• Gains

Operational risk
Four levels of operational risk

• People risk: Risks due to human errors, lack of expertise and fraud.

• Processes risk: This risk emerges as a result of malfunction in the information system and can be external or internal. It includes
inadequate procedures and controls for reporting, monitoring and decision making, and errors in the recording processes of
transactions.

• Technical risk: The third level of operational risk relates to model errors, implementation and the absence of adequate tools
for measuring. A technical risk can also be the risk of loss of electricity at a crucial time, the incorrect installation of certain
software, or an outdated computer.

• Technology risk: This relates to deficiencies of the information system and system failure. It is more advanced and more
complex. Some examples of specific loss scenarios of technology risks include system maintenance and external disruption
such as failures of exchanges, software problems, outdated systems etc.

Further it has been pointed out that not having the right processes to manage Operational risk is itself operational risk.

Ultimately, to mitigate and manage operational and strategic risk, the following is needed:

• Design: The right controls, people and processes.

• Implementation: To make sure controls are implemented with trained and motivated people (to avoid human errors).

• Review: Processes to ensure a continual rethink and refresh of the whole system.

The pull of business benefits is seen as the main driver towards effective operational risk management. Measurement of risk
has become an essential tool of effective business management.

General Background

This article originates from a General Insurance Research Organization (GIRO) working group on operational risk, but its application is
much wider, covering life assurance, fund management, pension funds, other forms of security business and banking.

Any organization using analytic approaches to risk identification, management and measurement, including stochastic risk analysis
modeling techniques, is covered. In 2001 an operational risk working group was set up that reported at the 2002 GIRO
conference in Paris. A good start had been made, but there was more to do, especially in the desire to be able to quantify
operational risks and understand both their magnitude and correlation with other risks. Adding value to business
management often requires measurement and quantification. Management decisions are better informed by a well
considered understanding of the scale of investments and returns. Quantification requires data. The initial reaction is often
that operational risk is difficult to quantify and losses are hard to categorize.

The Actuarial Contribution

Typically, one of the actuary’s tasks is to assist with the quantification of capital and risk, preparing analyses and reporting to the
Board.

Quantification Techniques

The following quantitative methods are applicable to the problems of understanding and quantifying operational risk:

Statistical/curve fitting - This covers empirical studies, the maximum loss approach, theoretical probability distribution
functions (PDFs) and regression analysis.

Frequency/severity analysis - This includes Extreme value theorem (EVT), which is an advanced version of frequency/severity
analysis, and stochastic differential equations.

Statistical (Bayesian) - This includes systems (dynamic) models, influence diagrams, Bayesian belief networks and Bayesian causal
models, process maps and assessments.

Expert - This includes fuzzy logic, direct assessment of likelihood/preference among bets, capital asset pricing models (CAPM)-
market view less insurance/asset risk values, and RAMP.

Practical - This covers the practical approaches of stress testing and scenario analysis, business/industry scenarios, dynamic financial
analysis and market beta comparison for individual companies within market sectors.

Paper Overview

• Description of a hypothetical case study of an insurance company, named Middle England Life & General plc.

• Background to the quantification of operational risk.

• Stress testing and scenario analysis are discussed.

• Frequency/severity modeling and causal/Bayesian approaches to risk.

Case Study

The main objective is to examine the applicability of various methods for quantifying operational risk, and quantification requires
data. An attempt has been made to ensure that the case study is:

• Based in reality

• Practical

• Easy for readers to relate to their circumstances.

The case study is based on a U.K. insurance company called Middle England Life & General plc (MELG).

The case study only discusses the general insurance aspects of the business. The director of the group has been charged with
producing a report that:

• Reviews wide risk management practices for MELG plc.

• Ensures that MELG plc takes steps to establish and maintain appropriate risk management practices.

• Informs the group risk committee about past and current wide risk management issues.

Historical Beginnings of MELG plc

MELG originated in the U.K. in the early 1900s and is based in the Midlands. It launched a direct operation in 1993 and acquired a commercial insurance
company in 1995. In 1997 MELG restructured into three separate business units: commercial, personal intermediary and
personal direct. In 1998 MELG became the target of a hostile takeover bid. In 1999 the company became the U.K. subsidiary
of a large multinational company, with its parent Megacentral Insurance Corporation Inc (MICI) based in New York, United
States of America.

Current Operations of MELG

MELG currently operates through three major sites with ten local offices and has 2600 general insurance staff. The organization is now
considered as three main strategic businesses:

• Commercial insurance

• Personal intermediary insurance

• Personal direct insurance


MICI imposes Investment and Business Strategy

MICI set an aspect of policy for MELG that was on group investment objectives. It appears that the MELG plc balance sheet was
used to make strategic investments for the parent company. A group management decision to aim for 70% personal lines
and 30% commercial lines business mix was taken.

Management Changes

The MELG management decision-making process changed during 1999, following its acquisition by MICI. Prior to that time it
operated a more consensual, delegated decision-making style.

Some Major Historical Actions and Incidents

1. Launch of direct writing

• The projected cost at that time was £30m to P & L, based on a new marketing budget of £10m per annum, extra staff costs
and a £5m investment in systems, all offset by growth of business and eventual profit.

• A retrospective analysis undertaken suggested that the actual cost was in the region of £70m, partly due to expense
overruns and lower than business growth.

2. Outsourcing of claims handling

The commercial insurance business was self contained and largely staffed by people from the acquired commercial company.

The personal direct business was now given autonomy for all aspects of its business. It decided to outsource its claims handling to
the personal intermediary business.

3. External supplier fraud


External fraud had led to a loss of £5m. The fraud involved a third-party supplier selected by the U.K. company to provide services
to insurance clients. This was due to a lack of confidence in whistle-blowing procedures (indicative signs of risk).

4. Reinsurance failure to respond


Group management also overrode local management with respect to reinsurance policy. This led to a gross loss of £100m and
only £10m was recovered. The group internal audit blamed both parties for their evident lack of communication. The overall
result was an unexpected loss of £40m

5. Block account loss


A key corporate relationship for MELG plc collapsed as a result of the group-initiated management changes at MELG plc. As a
result, this £100m ‘block account’ was lost, with an assumed profit value of £20m.

6. Loan default investment loss

The parent company had, in effect, set an aspect of investment policy that had a detrimental effect on MELG plc because it put
group objectives before the prudent management of the U.K insurance firm. Local management either lost autonomy or
they did not properly check the suitability of the investments being made, such a strategic investment loan defaulted costing
£75m.

7. Stop loss reinsurance loss

The result was an unexpected loss of £25m.

8. Systems overspend loss

System development often leads to overspends due to being behind schedule or when there is no effective co-ordination.
Consequences: This could be seen as the situation where the reputational risk can easily blow up into a full-scale crisis.

Basic Risk Management Control Cycle

OPERATIONAL RISK MANAGEMENT MATURITY MODEL

Introduction

There have been several attempts to describe the evolution of risk management. MELG has been
relying on traditional measures to control operational risk:

• Internal control

• Internal audit

• Quality of its staff

But these measures are insensitive to the quality of the organization’s system of management. We
must construct a model that measures objectively the quality level of the organization’s
management system (O.R.M.M.M.).

Risk Management Maturity Model

The procedure consists of evaluating an organization’s management system with respect to five levels of maturity:

• 1st. Traditional:

– Organizations whose management simply follows “Traditional House Style”.

– Management is unaware of the need to manage O.R.

• 2nd. Awareness:

– Awareness of the benefits of O.R. Management exists, but with no implementation of systematic controls.

– Concern is limited to the management of I.O., and to making procedure manuals and job descriptions available.

• 3rd. Monitoring:

– Control systems, in the main processes.

– Indicators established, even though qualitative, of the evolution of O.R., including reporting elements.

• 4th. Quantification:

– Quantitative indicators in the main processes, allowing quantitative objectives to be established

– Risk management by means of application of the calculation routines of S.C.R. of QIS3.

• 5th. Integration:

– Annual valuation of the O.R. of all the organization’s processes

– Active use of the O.R. information to improve the firm’s organizational processes with the aim of gaining competitive
advantage.

STRATEGIC INDICATORS OF OPERATIONAL RISK

• These are reference measures that allow anything from a qualitative to a precise quantitative valuation to be made.

• There exist three types of indicators:

– Those relative to exposing the risk (E):

• Such as volume of premiums or technical provisions (QIS3).

• Indicative of the volume of processes with the possibility of operational failure.

• They do not detect changes in the ratio of losses, and must be accompanied by such indicators.

– Those relative to losses (L):

• E.g., number of complaining clients.

• They measure events with incurred losses, and are thus not predictive, allowing only reactive action.

• They are typical of ex-post contexts, a necessary complement of every analysis.

– Those relative to causes (C):

• E.g., the rotation of staff.

• They measure factors related to causes of failures, and are thus predictive indicators, allowing pro-active
action.

• They are the hardest to identify, it being necessary to establish the causal relationship between indicator and
loss.

• Very valuable, being predictive.


• Additional examples of the different kinds of indicators:

– Those relative to exposing the risk (E):

• Number of claims processed

• Growth of sales

• Number of important claims

• Number of IT projects underway

• Size of outsourced contracts

• % of the business corresponding to each supplier

– Those relative to losses (L):

• Number of claim complaints

• Number of budget overruns


– Those relative to causes (C):

• Number of "severe" audit incidences unresolved in 2 years

• Employee turnover

• Number of employees, by category, needing training

• Hours of training per employee

• Overtime per employee

• Number of different PC configurations in use


Capital requirements- Stress and Scenario Testing

Stress testing and scenario analysis are part of best practice in the overall management of a non-life insurance company. Stress
testing and scenario analyses, being based on an analysis of the impact of unlikely, but not impossible, events, enable a
company to gain a better understanding of the risks that it faces under extreme conditions.

Stress testing is the process of evaluating a number of statistically defined possibilities to determine the most damaging
combination of events, and the loss that they would produce.

Scenario analysis is the process of evaluating the impact of specified scenarios on the financial position of a company. The
emphasis here is on specifying the scenarios and following through their implications.

Case Study Application

• For each of these sources of operational risk, appropriate separate tests are carried out:

• Administration risk:

• In order to set up stress tests and scenario analyses for administration risk

• administrative deficiencies, taking account of both the actual losses recorded in the exception reports and the
results of the Delphi analysis (see ¶2.7.8).

• Other relevant factors include the nature and extent of centralised and decentralised functions and the
segregation of duties between staff.

• Compliance risk:

• The principal compliance risk arises from the risk of non-adherence to legislative and internal company
requirements.

• An investigation into compliance over the last five years found no history of non-compliance with policy and
control systems, nor had there been any reported areas of non-compliance with legislation or other
requirements

• Event risk:

• Event risk is the risk associated with the potential impact of significant events on the company's operations.

• The risks are those that are directly related to the products and services offered, and not to events impacting
other business risk areas, e.g. non-life insurance business, credit exposure or market risk.

• No additional capital was required for this type of risk.

• Fraud risk:
• In assessing fraud risk, a major incident that involved fraudulent activity in relation to an external supplier,
which resulted in a loss of R5m, was used.
• After allowing for the improvements in controls that resulted from this incident, the scenario analysis produced
a range of estimates for the amount of capital required to cover future fraud.

• Governance risk:
• Governance risk is the risk that the Board and/or senior management will not perform their respective roles
effectively.
• The existence and level of directors and officers insurance in place were investigated and compared to the
known incidence of claims of this type.
• The current level of corporate governance was considered, and an assessment made of the likelihood that its
shortcomings might result in the Board and/or senior management not adequately undertaking their roles.
• In addition, costs of altering or strengthening the current Board structure were analysed. Given the
uncertainties involved, the risk director was unable to come up with a single point estimate of the capital
required, and instead used a range of estimates.
• Strategic risk:

• Strategic risk arises from an inability to implement appropriate business plans and strategies, make decisions,
allocate resources or adapt to changes in the business environment.

• MELG's risk director assessed the prudence and appropriateness of the future business strategy in the context
of the competitive and economic environment.

• Forecasting and projections were assessed, considering the possibility of a fundamental market change due to
higher numbers of competitors, changes in sales channels, new forms of insurance or changes in legislation.

• Technology risk:

• MELG's risk director considered the risk of error or failure associated with the technological aspects (IT
systems) of MELG's operations, including both hardware and software risk.

• The risk director also considered the past reliability and future functionality of the information systems to be
adequate.

• Plans for business continuity management and disaster recovery are reviewed regularly and tested quarterly.
There is a back-up site with full recovery capabilities. When performing the scenario analysis, the risk director
allowed for the costs associated with utilising the site and the associated business interruption insurance.
Conclusion

• Overall Assessment

– The analysis took into account scenarios which might reasonably be linked, the difficulty with which capital might be
replaced if the scenarios occurred, and the changes in strategy which might need to be adopted if the scenarios
occurred.
