The Intelligent Quarterly from the publishers of The Insurance Insider

Spring 2018



Smooth running

A long time ago in a galaxy far, far away... there existed a bank on Wall Street called Bankers Trust.

After a near-death experience following massive trading losses by one of its "star performers", Bankers Trust invented a system of relative risk/reward measurement called RARoC - risk-adjusted return on capital.

The underlying concept was that if a trader made huge profits by taking huge (possibly existence-threatening) gambles with the balance sheet, then those profits should be "downgraded" to reflect the risk/reward imbalance. Conversely, the trader who made less enormous profits by not betting the bank should be rewarded for getting the trade-off right.

Thus Bankers Trust gave us the first rudiments of market risk calculations.

At around the same time, JP Morgan published Credit Risk Metrics on the then-nascent internet - and founded the entire science of credit risk in financial institutions.

Not to be outdone, Bankers Trust soon came back with the first operational risk measurement and management framework.

Bankers Trust is long gone, but at the time it was well ahead of the curve in defining operational risk. Everyone can define credit risk: it's the danger that you won't get paid. But how do you define operational risk? You can't model "everything that isn't credit risk or market risk".

Identifying operational risk
That early operational risk work has since found its way into the Basel II/III capital framework, which requires banks to hold capital against the risk. The risk itself is defined as "the risk of loss arising from inadequate or failed people, processes or systems, or from external events".

One could be forgiven for needing help to understand this definition, so to clarify, the risk arises when...

People make mistakes: sell 30,000 Coca-Cola shares instead of 30; commit fraud (e.g. transfer money from clients to their own account); or mislead customers (e.g. regarding the riskiness of an investment product).

Processes fail, for example: a fraudster's mortgage application is accepted when it should be declined; or a bank transfers money for a sanctioned individual or company and is fined for the failure.

Systems fail, such as: a successful hack enables thieves to steal client identity and credit card information, with the result that customers complain that large amounts have been spent on their cards; or a computer glitch occurs - e.g. debiting bank customers three times for their monthly mortgage payments.

And external events occur: for example, severe flooding in the north of England damages bank premises, staff are unable to reach their workplaces and must be lodged and work in London until the waters recede, and the bank incurs significant extra expenses; or perhaps terrorists attack the building where the bank's main trading activities are located, meaning the bank loses people and trading opportunities.

Measuring the risk
Financial services firms are regulated in the UK by the Prudential Regulation Authority. Banking regulation around operational risk is currently in flux, but the consideration and measurement of operational risk has long since moved beyond banks to insurance companies and asset managers.

Looking at insurance companies, the Solvency II capital rules require them to hold up to 30 percent of the calculated solvency capital requirement (SCR) against operational risk. Stock analysts have been critical of companies that cannot demonstrate high levels of capitalisation - 175-200 percent of the statutory requirement (SCR) is approximately the number they like to see - so managing that potential 30 percent operational risk charge becomes important.

Underpinning operational risk with capital also focuses the corporate mind on managing it, which in turn requires a robust framework and model, so as to help: identify key risks (establish a taxonomy); collect internal loss data, preferably including near misses; and develop scenario analysis to provide a comprehensive view and valuation of existing and emerging threats.

Ultimately, the goal is to understand how much enterprise value could be destroyed by operational risk.

Managing the number
After much internal strife, the capital model will produce a £ value of capital at risk from operational risk. In practice, most insurance companies have calculated that their operational risk SCR is between 8 and 12 percent of the total SCR.

Compared with the much larger capital blocks they are required to set against underwriting, market and counterparty risk, the operational risk number appears modest. But capital is expensive. So the thinking finance director suggests that the capital need not be his own - he could just as easily rent someone else's capital, i.e. buy an insurance policy.

The capital rules specifically state that, in calculating their operational risk SCR, insurance companies may take into account any appropriate insurance or reinsurance. So it's tempting to look at the company's property, crime, professional indemnity and general liability policies and simply subtract those policy limits from the capital requirement as calculated.

Unfortunately, it's not that easy. The regulator expects firms to demonstrate that there is a consistent, robust, transparent and repeatable process for mapping the insurances they buy to the operational risks they have identified.

Achieving that goal may require some external expertise to help with: mapping insurance policies to the operational risk taxonomy; establishing the mitigation effect of insurance (how much is the policy likely to pay out?); estimating the likely timeframe (how long will it take to get the money?); and modelling a pre- and post-mitigation figure for economic capital at risk from operational risk.

Stakeholder buy-in
Oddly enough, getting regulatory clearance may not be the biggest hurdle. The keepers of most companies' capital models are the actuaries.

Actuaries deal in hard numbers and binary responses to questions:

Is the scenario set out here covered under the insurance policy [Y/N]?

If [N], move on to the next scenario.

If [Y], what percent of the loss would be covered and how soon will the policy pay out?

Insurance practitioners know that insurance policy response is seldom that clear. The policy is likely to respond under certain circumstances but...

Thus, the insurance buying team cannot provide simple [Y/N] answers, and the actuaries are inclined to bin the whole possibility of insurance mitigation for the operational risk charge.

Even where insurance exists that might respond for operational risk scenarios, that response is so equivocal that the actuaries will likely ignore its existence. This means that capital is set aside for a specific risk that might be insured - thus creating a double provision for the same risk. When this is pointed out to them, their immediate reaction is that their job is to model the risk, not manage the capital charge.

Taking ownership
If our thinking CFO wishes to avoid double-provisioning for operational risk, he needs to take a strategic decision regarding the company insurances. Namely, should these be: as broad as possible, acknowledging that any claim is likely to be the subject of a lengthy court case before payout is negotiated; or narrow policies that respond for specific top risk scenarios and are worded in such a way that coverage is narrow but policy performance is certain?

Once this decision is implemented, the CFO then needs to take ownership of incorporating those policies into the capital calculation.

This might require some confrontation with the actuaries and will almost certainly require external expertise to: review the breadth of insurance coverage as compared to the risk scenarios; document coverage conclusions (why do we think it's covered?); and ensure results are consistent, logical and repeatable.

The outputs from this review can then generate a "post-mitigation" model for operational risk.

Properly executed, documented and presented to the regulator, the exercise may also help the insurer to achieve that all-important 175-200 percent of SCR.

This article was published as part of issue Spring 2017
