
PREFACE

Globalization as well as technical, political and social changes are resulting in insurance companies being increasingly exposed to greater and more complex risks. Thus, to successfully operate in the market, insurers are being compelled to take considered and controlled risks. Consequently, their need for active risk management is increasing.

Within the framework of active risk management, the subject of "operational risks" (OpRisk) is growing in relevance for insurance companies. In addition to new value-adding strategies, such as outsourcing/offshoring or the necessity of comprehensive risk management in terms of Enterprise Risk Management (ERM), there are first and foremost regulatory demands (e.g. Solvency II, Swiss Solvency Test and the Sarbanes-Oxley Act), which require this risk category to be managed. These legal regulations are at present in the initial stages of development and have partially still not been specified in detail with regard to concrete requirements. For numerous insurance companies, the resulting leeway with reference to the development of Operational Risk Management (ORM) thus leads to the need for intensive and detailed contemplation and discussion around the subject of OpRisk.

During the course of these developments, insurers will be faced with the following questions:

  • What driving factors led to the introduction of ORM?
  • What is the understanding of OpRisk?
  • What components of the ORM framework have been implemented and how are responsibilities assigned?
  • What developments can be expected and where is potential for improvement?

The present study will provide positive answers to these questions. Furthermore, the results serve to derive recommendations for action by management. The study serves as a contribution to the discussion and provides knowledge with regard to OpRisk in the German-speaking insurance sector.

We would like to thank all those who, by their participation, contributed to the success of this study.

KEY FINDINGS

This study was produced with the support of 54 companies in Germany (D), Austria (A) and Switzerland (CH) by the University of St. Gallen's Institute of Insurance Economics (I.VW-HSG), in collaboration with Deloitte. Starting from the driving factors leading to the introduction of ORM, it explains how the insurance industry assesses its current state of development and its requirements with regard to ORM (policies/strategies, definitions and categories, processes, reporting, governance and organization), as well as its integration into a company's overall Enterprise Risk Management (ERM) framework.

The study shows that, although the majority of insurance companies cannot conclusively determine OpRisk damage potential, they have clearly recognized the dangers. Hence, ORM in the German-speaking insurance sector is today mostly being set up.

Ten key findings of the study

  1. The main reasons for introducing ORM are regulatory guidelines, the need for a comprehensive view of risk (in connection with establishing company-wide ERM systems) and protection from OpRisk-related losses.
  2. Most of the insurers surveyed have an elaborated risk policy and philosophy. Only a third of these, however, have concretized this into strategies for OpRisk management.
  3. The majority of the insurance companies use the Basel II banking standard for the definition and classification of OpRisk.
  4. Operational risks are assessed differently in A, CH and D, but legal and political risks, IT risks, inadequately defined processes and the turnover of key personnel are, without exception, assessed as critical.
  5. Whereas "classic" elements in the risk-management process (communication, reporting) are considered to be well implemented by a majority of those questioned, systematic loss-data collection, an essential basis for overall ORM, is rarely carried out. Two thirds of those questioned do not consider themselves in a position to assess their annual OpRisk losses.
  6. Internal OpRisk reporting is carried out by all those questioned. For half of them it is part of the internal controlling system. The vast majority of those questioned have also established external reporting.
  7. The majority of companies have at least one ORM function. In two thirds of the cases, overall responsibility lies with management or the CEO.
  8. The observed inadequate institutionalization of ORM is also related to the fact that a wide range of organizational units, in different roles, are involved in the process.
  9. The companies in the survey identified the need for action as being moderate to high in all the ORM areas, whereas the building up of OpRisk data collection and the increase of risk quantification were mentioned most frequently.
  10. For insurance companies in Switzerland, in comparison with Germany, ORM is still in its infancy, with regulatory guidelines being the primary driving factor. The institutes concerned have recognized additional requirements for implementation.

STUDY CONCEPT

Objectives of the study

The study identifies the understanding and characteristics of, and trends in the management of operational risks in the Swiss, German and Austrian insurance industries. Based on a large-scale survey of executives and specialists in the branch, and against the background of increasing regulatory demands, aspects concerning the concrete implementation and integration into companies were first of all solicited. In particular, ORM definitions, organizational implementation/processes, reporting and governance were covered.

By summarizing and comparing the individual opinions in this survey, areas of consensus and dissent within the industry become visible. This offers the individual companies a grid for positioning their organization and a possibility for benchmarking. The study thus serves both as a checklist, in order to close gaps, as well as to point out ideas for differentiation in the market.

Methodology and random sample

The present study is the result of a joint investigation by Deloitte and the Institute of Insurance Economics of the University of St. Gallen (I.VW-HSG). The questionnaire was based on the results of relevant research work, and was completed by means of focused in-depth interviews. The survey was carried out in Switzerland, Germany and Austria from June to September 2006. In total, 54 companies participated. This corresponds to a response rate of 47%. 53% of the participants were from Germany, almost a third from Switzerland, and 16% from Austria. In Switzerland, half of the companies contacted participated in the survey.

More than half the participants came from companies that had a premium volume of EUR 500 million or more. 10% of the companies responding are active in pure life insurances and 20% in pure non-life insurances. Most of the companies are thus active in both lines of business. The study also took reinsurance and health insurance companies into consideration.

Compared with Germany and Austria, Switzerland has an above-average share of large insurance companies. This was also reflected in the study, where the average number of employees in the companies surveyed was 4,126 in Germany, 6,338 in Switzerland and 2,195 in Austria.

Setup and structure

The definition of a suitable overall framework forms the starting point for implementing structured and efficient risk management. The study analogously follows the structure of an operational risk management (ORM) framework1, and is therefore subdivided into 10 chapters.

Chapter 1 deals with the fundamental driving factors for ORM from today's point of view. Based on the observable motivation in the past, the current situation is examined and corresponding needs for action derived.

The survey results for the seven building blocks of the ORM framework follow in chapters 2 to 6. Systemized risk management requires the definition of a risk policy and strategy which is adapted to the needs of the specific company (chapter 2). This is operationally implemented in the company via the elements risk definition and categorization (chapter 3), risk-management process (chapter 4) and reporting (chapter 5). The risk strategy is supported by a clear risk organization and risk governance (chapter 6), which includes all areas of risk management.

Chapter 7 deals with today's situation and the further development of integrating ORM into a complete enterprise risk management (ERM) framework. In chapter 8, the results of the survey are highlighted with regard to the perceived future development potential in ORM. Chapter 9 summarizes the results from the Swiss perspective. The conclusions of the study are presented in chapter 10.

1. DRIVING FACTORS OF OPERATIONAL RISK MANAGEMENT

Dealing with risks arising from operational activities, for instance, as a result of imperfect processes or dishonest employees, is not a new topic for insurance companies. Company crises, however, have reinforced the opinion of supervisory authorities and financial service providers that OpRisk has to be thoroughly and centrally controlled, and should constitute an integral part of ERM.

In this context, external and internal factors led the insurance companies surveyed to develop and introduce ORM.

Increasing regulation

For the vast majority of companies, the main reason for introducing ORM is growing regulatory demands. In Europe, the focus is on the Solvency II regulations2. Besides financial securitization in the 1st pillar, OpRisk are part of the supervisory screening process and risk management of the 2nd pillar and of the transparency regulations of the 3rd pillar. These regulations only exist in the form of proposals and are not to be reckoned with before 2009, with the introduction of Solvency II. The new Swiss insurance-supervision law should also be taken as an example. This anticipates many of the developments of Solvency II and includes the first requirements of ORM3.

Comprehensive risk perspective and other factors

The desire for a comprehensive risk perspective, or rather the completion of ERM to include OpRisk, represents another very important driving factor for the introduction of ORM. Protection from losses as a result of OpRisk events is named in third place only, which for many companies must also be seen in connection with the lack of ability to quantify these losses. Thus, what is central to actuarial and financial market risks, namely the avoidance of costs, is not named as a trigger at all by 40% of the participants. Further, ORM is regarded as a process improvement tool for quality control and continuous process improvement. Likewise, the assessment of rating agencies, which increasingly assess companies from the point of view of adequate risk management, is cited as a reason. Reputation risks are not mentioned as ORM driving factors. If the individual countries are compared with the overall result, only slight differences can be detected. Only in Austria is the development of a comprehensive risk perspective cited more often than the regulation trend.

As a consequence of these various demands on ORM, there is an increasing need for action. In this context company development stages vary. Figure 4 illustrates the difference between insurance companies where ORM was introduced for regulation reasons and those where it was introduced as a strategic intention.

The strategic value of ORM, such as the improvement of a company's own processes or compliance with corporate governance, is assessed more highly by those companies who have already had an ORM strategy for a long time. In addition, these companies are able to better assess the damage potential of OpRisk. The emphasis on strategic reasons for the introduction also primarily correlates with the "age" of the initiative.

In contrast to groups with advanced ORM, there are numerous small- and medium-sized companies (almost 40%) where the ORM initiative is less than a year old, and these primarily see it as a regulatory obligation. This shows that the growth of regulations was the primary contributing factor for the introduction of nascent ORM initiatives. Since internal driving factors are of little relevance in these cases, no, or only few, tools for determining damage potential have been developed thus far, which is why effective risk assessment, or even securitization with own capital, is impossible.

Strategic processes, where they exist, were started by management or the CEO in almost half the cases. CFOs and CROs played a decisive role in a further third of the companies surveyed. Other initiators, such as external auditors, internal auditors, board members or supervisory board members were mentioned only rarely, as was the open category "Others", where sporadically the parent company or the controlling department were named as the prime movers.

When sorted by country, no major differences were identified with regard to this question. Only in Switzerland does the impetus for ORM come somewhat less frequently from management/CEO, but rather from the CRO or internal auditing. However, the size of the insurance company surveyed certainly plays a decisive role.

In the two smaller categories, <500 and 500 to 2000 employees, the activity was started by management or the CEO in most cases. For larger insurance companies, this only applies in a third of the cases, since there, the CFO (or the CRO) and occasionally the external auditor were the prime initiators.

Intermediate conclusion

  • The main reasons for introducing ORM are regulatory pressure, the need for a comprehensive risk overview and protection from OpRisk related losses.
  • Companies with advanced ORM initiatives notably emphasize strategic reasons for ORM, whereas those with more recent processes are more likely driven by regulation.
  • Management attributes a high degree of attention to strategic ORM initiatives and management or the CEO initiates them in most cases.

2. RISK POLICY AND STRATEGY

Risk policy for managing operational risks

An operational risk policy (OpRisk policy) is the foundation for institutionalized management of operational risk. It serves as a thinking and orientation framework, in order to better integrate existing approaches and tools when dealing with operational risks in companies. In terms of the management of operational risks, the risk policy must, amongst other things, fulfil the task of establishing the following guidelines:

  • The definition of a decision criterion (success measure), enabling risk and return to be weighed up.
  • The introduction of an upper limit for the magnitude of risk of a company.
  • The definition of the extent of own capital as potential for covering risk, derived from the aspired rating.
  • The establishment of operational risks deemed unavoidable from the insurance companies' point of view, as well as risks which should normally be transferred, taking the related costs into account.

84% of the companies questioned within the framework of this investigation have a risk policy that also covers OpRisk. However, of these, most do not have a specific OpRisk policy, but instead only cover this kind of risk within the framework of a process-oriented or general risk policy. A mere 10% of the insurance companies, in general those with more than 10,000 employees, have a specific OpRisk policy. Over a quarter of the smaller companies (<500 employees) have not yet implemented any policy. It becomes clear that, for many companies, more intensive consideration of this topic will still only become a necessity in the coming years.

Basic strategies for managing OpRisk

In the management of OpRisk, the following four action alternatives, referred to as elementary, are often defined, dependent on probability and the expected effect of a risk: accept, minimize, avoid and transfer.

In practice, these strategies are not to be considered only as action alternatives in the strategic sense, but, according to the decision level where they are used, they can also be operative measures or packages of measures within the framework of normal business risk management. With far-ranging measures, such as the outsourcing of IT or the sale of a complete business sector, that have significant influence on the risk potential of an insurance company, it would not be unreasonable to speak of actions of strategic importance and consequently also of a risk management strategy.

Within the framework of managing OpRisk, specific measures or packages of measures that focus on defined sections of an organization are regarded as distinct or special strategies. They are thus not an addition to the described elementary action alternatives, but concrete shapings of these. In practice, examples frequently seen are: disaster recovery, business continuity planning and outsourcing.

It is worth noting that of the 84% of companies surveyed that have an OpRisk policy, only about a third convert them into basic strategies for the management of OpRisk. However, only by doing this can measures or packages of measures be effectively defined in order to genuinely increase the strategic value of the company's ORM. Within this cluster, these are above all medium-sized and small insurance companies that have already been addressing ORM for more than three years. The lack of a definition for basic strategies can thus be justified by the fact that OpRisk management is still a relatively young discipline and is thus not yet integrated into existing management structures in a non-overlapping way. The appropriate package of measures should then be taken based on a clearly defined ORM structure.

When an OpRisk event occurs, as well as a respective financial loss, the lack of such a control mechanism can also entail a considerable share price movement, particularly in the case of listed insurance companies (cf. excursus).

Intermediate conclusion

  • Most insurance companies have a risk policy that also basically covers OpRisk.
  • Only about a third of companies turn their risk policy into one for the management of operational risks by means of basic strategies or package measures.

3. RISK IDENTIFICATION AND CLASSIFICATION

An effective and efficient OpRisk management process with corresponding risk identification and assessment has to be based on a common understanding of OpRisk and clear risk classification. Definition and classification enable complete risk coverage and the definition of measures.

Alignment on Basel II – for insurance companies too

In general, with regard to OpRisk definition and classification, insurance companies have aligned themselves to Basel II, even though the guidelines contained therein were originally developed for banks. The investigation confirmed this trend: 42% of the insurance companies cited Basel II as the basis used when contemplating OpRisk. With 26%, orientation towards a different basis was also popular. Only 19% of those questioned developed their OpRisk definition and classification from scratch, without using the support of an existing basis. In shape and form however, these differ widely from one another. One reason for aligning analogous approaches in insurance (such as Solvency II, Swiss Solvency Test) on Basel II is that bank rules and regulations have been available for some time already.

If an analysis is made according to company size (number of employees) and starting date of the ORM initiative, various tendencies in the selection of the basis for risk definition and classification become clear. Large insurance companies (>15,000 employees) in particular align themselves 80% to the Basel II standards. In contrast medium-sized companies (1,000 to 15,000 employees) have a strong tendency to use a different basis, either an existing one or self-developed. In the case of small- and medium-sized insurance companies, the initiation date of the ORM initiative even increases this tendency. However, smaller insurance companies (<1,000 employees), which only initiated the ORM initiative during the course of the previous year, tend to align themselves on Basel II.

Definition: Operational risk

Against the background of this initial situation, it is not surprising that more than a third of the insurance companies surveyed define OpRisk according to Basel II, namely:

"The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risks but not, however, strategic or reputation risks." (Basel Committee for Banking Supervision, 2004)

A further popular basis, particularly for German companies, is the German accounting standard "DRS 5-20: Risk reporting for insurance companies". It defines OpRisk as operational risks that result from human and technical failures or from external influencing factors. In addition, analogous to Basel II, legal risks which originate from contractual agreements or legal general conditions are also taken into consideration. The use of a miscellaneous OpRisk definition, in which all risks that cannot be classified in any other category are summarized, was only chosen by a few insurance companies. This fact should be seen as positive, since it has been shown in practice that a miscellaneous OpRisk definition frequently causes problems in delimitation and meaningful classification. Surprisingly, almost every fifth company surveyed indicated that it used no definition at all (18%). It must be concluded that, in these companies, ORM is only in the initial stages.

Classification of operational risks

Based on the chosen risk definition/definition interpretation, in a next step, risk classification is derived. By way of example, figure 12 shows risk classification along the cause-effect chain, based on the definitions in Basel II:

As shown in figure 12, Basel II divides OpRisk into categories entitled "Human", "Internal processes", "Systems" and "External events", and assigns them to the corresponding risk events (second classification level). On a third classification level, losses are assigned to risk events and hence also to their causes. Thus, an optimum basis for the definition of adequate measures is created, which can be directly oriented towards fighting the cause or towards preventing the risk event. Potential damage or loss can thus be greatly reduced.

The study shows that two thirds of those questioned classify according to causes. Only 39% of the insurance companies classified risks on the basis of risk events, whereas 43% of those questioned claimed to use the consequence of the risk event, i.e. the risk loss, as the classification criterion.

Altogether, less than half of those questioned (44%) give more than one registration criterion or have established more than one classification level. Only seven participants mentioned all three levels as relevant for their classification. This is independent of whether Basel II is used as the basis or not. Only 13% indicated that another classification criterion formed the basis of their classification.

This shows that, in the German-speaking region, there is still no consistent comprehensive classification of OpRisk. Wrong classification can, however, lead to false estimations with regard to damage potential and appropriate measures.

Main risk categories in practice – 1st level "Risk causes"

Based on the insurance company survey, figure 14 shows the breakdown in practice of the main risk categories currently used.

Three of the four suggested risk categories from Basel II, namely "Human", "Internal process" and "Systems" are, with 76 to 89%, used as the most important main categories by the majority of companies. "External events", the fourth category, is nevertheless still named as the main category in 63% of cases. With 76%, the main category "Technology risks" also attracts high attention. Basel II records these risks under "Internal processes" and "Systems". Unexpectedly, over 50% of the companies oriented in one way or another to Basel II consider either "Reputation risks" or "Strategic risks", frequently even both, as the main category under OpRisk, even though Basel II explicitly excludes them. However, these risk categories were named significantly less often by those companies not oriented towards Basel II.

Under "Other", individual risks were mentioned such as "Cultural and ethical risks", "Leadership and organizational risks" and "Sales risks". Interestingly, even companies without a specific OpRisk definition have a clear classification grid.

Classification of risks on the 2nd level "Risk events"

On the "Risk event" level, the companies questioned identified "legal and political risks", "IT system interruptions" and "inadequately defined processes" as OpRisk with the highest potential danger. While German companies see legal and political risks and IT matters as priorities, Swiss companies put the emphasis on inadequately defined processes and all kinds of employee misconduct. Detailed results show that while large companies particularly emphasize deliberate employee misconduct, small ones have to contend with employee turnover. Here, the necessity of systematic employee support and development is clear. In addition, it is apparent that small companies mention classification according to "Reputation risks" more than the average, whereas for large companies, the same is true for "Strategic risks". Furthermore, it appears that small companies in particular go into more detail with regard to their risk classification.

Based on the study, it can be seen that at the "Risk event" level both technical risks, in particular IT risks, and soft factors, such as employee conduct, are important. This explains the wide spectrum that has to be embraced within the framework of ORM.

In the following excursus, effective, historically measured OpRisk losses are compared with the loss or potential damage assessment of the insurance companies. Since there is no such historical data for the German-speaking insurance branch in Europe, a US study was used. In view of this, country and market-specific differences in the interpretation of this comparison should be taken into account.

Intermediate conclusion

  • Basel II standards are also used by a large percentage of insurance companies for orientation with regard to the definition and classification of OpRisk.
  • A multi-level, full classification according to the costs-by-cause principle (reason, event, loss) is still relatively rarely applied by insurance companies.
  • Operational risks are assessed differently in different countries, with legal and political risks, IT risks, inadequately defined processes and the turnover of key personnel generally assessed as critical.
  • The growing relevance of ORM in the insurance sector will, in future, lead to OpRisk definition and classification being increasingly adapted to the specific needs of insurance companies.

4. RISK MANAGEMENT PROCESS

In the risk management process, classic process management matters, such as uniformity of definitions and clear communications, play an essential role. By the same token, the areas of risk identification, classification and assessment play a particularly key role. Since entrepreneurial activity is constantly changing, these process steps must follow steadily and in harmony with other control processes. With the regulation of suitable methods and indicators for risk identification, risk assessment and risk prioritization, data collection generally represents the biggest challenge. Data also has to be provided in a form suitable for appropriate analysis.

The survey showed that there were differences in the degree of implementation of the various ORM initiatives. Certain processes have for the most part been introduced, whilst others have been postponed to a "later" date. Such postponement can either be a consequence of prioritization or an illustration that the importance of the process is still unclear. In general, it can be assumed that the ORM systems are only in the start-up phase.

Today, 70% of the companies have already implemented risk monitoring or reporting and 65% OpRisk identification. Tools for internal communication have also been installed in the majority of cases. Insurers seem to have recognized that, in the risk management process too, there is the challenge of cultural integration into the actual company. By contrast, external communication is not a primary focus for the moment. Risks are seldom measured or modelled systematically. Loss-data acquisition, an essential backbone for comprehensive ORM, is as yet rarely carried out systematically. Processes/systems for capital securitization are probably also still in the process of being set up in insurance companies for this reason.5

Germany and Austria are generally further advanced than Switzerland with regard to implementation. In the next two years, more than 40% of the companies want to introduce solutions in the areas named. In this context company size does not play a significant role.

Identification and assessment

For identifying operational risks, more than half the surveyed companies primarily used expert interviews and self assessments. Brainstorming methods and scenario analysis were likewise frequently used. Large companies with high premium volumes today already use a larger number of tools and methods for OpRisk identification. In general, country-specific differences exist in this connection. In Switzerland, expert interviews were used less frequently, and self assessments or questionnaires more frequently, than in Germany and Austria.

For OpRisk assessment, various qualitative and quantitative tools and methods were called upon by the surveyed companies. A significant majority of those questioned put their trust in a traditionally simple treatment of damage potential/probability. One third uses threshold values, while some 20% work with scenarios and the value-at-risk concept. On three of these four methods, the focus also lies on the company's preparatory work over the next two years. Advanced methods6 are used by less than 10% of those questioned, whereas 80% of the companies are planning to work without such tools, even in the future. This could particularly be justified by the fact that the acquisition and modelling of risk data in the OpRisk area is made even more difficult as a result, and that the tool portfolio for OpRisk will be limited due to the heterogeneity and company-specific peculiarities of risk types.

If the assessment methods/tools are pulled together with the timing of ORM initiation, it can be seen that today, medium-sized companies that introduced ORM three to four years ago, almost exclusively use advanced quantitative methods, i.e. a rich method set. The vast majority of companies, whose ORM program is more recent, use a distinctly simpler, smaller method set. This is more or less true for all large companies as well. The trade-off between data use and acquisition/calculation cost, and development over time is accentuated here.

If the planned use of methods and tools in the future is considered, it is shown that many companies in all size classes plan to organize their ORM a lot better quantitatively than they do today. This is valid for all the categories considered, with the medium-sized companies that are already the most advanced, having started their ORM initiative 3 to 4 years ago, also intending to progress furthest in the future. In this connection, it is not unreasonable to speak of a clear general trend towards higher quantification in ORM, independent of the initiation date of the ORM initiative. At the same time, the influence of increased regulation and the sector trend on integration into ERM is clearly shown.

Loss-data acquisition

On the one hand, the systematic acquisition of loss data is the ORM element with the lowest degree of implementation and on the other, useful data acquisition is a key prerequisite for determining damage potential in companies, i.e. risk identification, assessment and calculation.

If the results of the survey for the practical assessment of damage potential are considered, a clear picture emerges. At 64%, the majority of insurance companies questioned indicated that they were unable to assess the level of their annual OpRisk damages. 20% of the companies said that they could estimate the potential annual damage only approximately. Those companies that could make an estimate mostly mention amounts above five million Euros.

Excursus: Risk-data acquisition

Risk-data acquisition can generally be made top down or bottom up, with considerable differences in meaningfulness and collection effort [7]. Moreover, the unavailability of forward-looking data, survivor bias [8] and the complexity of assessing risks with a low probability of occurrence, but a high degree of potential damage, are fundamental problems. For operational risks, the heterogeneity of risks, which can be distributed over all processes and areas of the organization and most of which are financially quantifiable only with difficulty, also arises. In particular, the following issues emerge:

1. What is an event and how should it be recorded? Should all OpRisk events be recorded or only from a certain threshold?

  • What threshold (i.e. lower limit) is appropriate depends on the size and complexity of the company, but also on its respective risk policy. But how should near-events without damage consequences or events with a non-intended positive outcome be handled? In both cases, the (potential) damage amount can be covered, which increases the number of events, but also worsens the validity of the data.
  • A further point is the question of how events should be recorded in a database. If the Basel II framework is used, entry according to the risk actuator depending on the definition and classification is appropriate. This assignment of individual risks was chosen by 65% of those surveyed. Classification would, however, be relatively rough. In order to understand the specific character of a risk event, from which concrete measures may also be derived, this must also be entered after the risk event has passed and after the risk repercussions [9].

2. Where and by whom should events be recorded?

Ideally, a reporting system for recording events exists, such as an internal control system, where the person responsible for risks can enter the corresponding data. In practice, this requires corresponding systems and employee knowledge. Without training and continuous support by system administrators or a central ORM, such a system cannot function properly. A further hurdle can be the absence of any incentive structures for reporting events.

External databases or data exchange within a group represent one possibility for supplementing a company's own data. In the insurance sector, professional offers already exist. None of the surveyed companies uses external data. Meaningful data exchange is thought to be difficult because of varying collection criteria and differences in company size, complexity and process structures. In addition, only a few insurance companies have appropriate databases. It is probable that this topic will increasingly become a focal point for establishing standards and progressively developing proposals for data sharing.

Intermediate conclusion

  • The majority of the surveyed companies consider classic sub-processes in the risk-management process (communication, reporting) as being implemented.
  • Loss-data acquisition, an essential basis for comprehensive ORM, rarely takes place systematically, which also explains the still low extent of modelling and capital securitization.
  • Operational risks are today mainly identified and assessed by means of qualitative and simple quantitative methods. A clear trend towards sophisticated methods is apparent in medium-sized companies whose ORM initiatives have been running for longer, and, for the future, in all the companies surveyed.

Footnotes

1. A framework encloses all aspects that have to be considered in a risk system (e.g. strategy, process, quantification model, etc.). In addition, the interaction of the various elements can be represented as a model in order to obtain a complete overview of the risk system.

2. Within the framework of "Solvency II", a complete revision of the current regulations of insurance companies is planned. The objective is to protect insurance-policy holders fairly in all the EU member states and to put in place competitive conditions within the sector (source: European Commission).

3. Since 1/1/2006, Swiss insurance companies have been obliged to record and assess OpRisk, and to report the results periodically to the supervisory authorities. Furthermore, it is planned from the supervision side to introduce regulations for financial securitization as soon as OpRisk can be quantified. In particular, with the coming into force of Art. 98 of the Swiss Supervision Ordinance (AVO), in the future, insurance companies will not only be compelled to record and assess operational risks on their own responsibility, but the regulator will additionally demand the acquisition and analysis of loss data as a basis for quantification.

4. Source: Basel Committee for Banking Supervision, "International Convergence of Capital Measurement and Capital Standards (Basel II)" (2004).

5. The capital securitization of OpRisk is the ORM element with the second lowest degree of implementation (figure 17). On the other hand, the most recent studies point out that 13% of the average capital securitization requirement in the insurance industry concerns OpRisk. Thus, the 2007 Deloitte study "A stabilizing effect – the ICAS (Individual Capital Adequacy Standards) in action" mentions the following repartition of the average capital securitization requirement of insurance companies in Great Britain: insurance risk 41%, market risk 37%, OpRisk 13%, credit risk 8%, other 1%.

6. For instance, scoring models, extreme value theory, sensitivity analysis, fault tree analysis, earnings-at-risk or capital-market-oriented approaches.

7. Here, holistic acquisition, cause transparency and correlation between risks (advantage of bottom up) face collection effort and reaction speed.

8. This means that statistically over time, only those units that have "survived" until today will be taken into consideration. The characteristic features of unsuccessful units are thus not considered in the analysis.

9. Compare also with definitions and consideration levels of OpRisk in chapter 3.
