
5. REPORTING

In order to define an individualized, optimally designed reporting system for each company, the main question is what general objective should be achieved by the overall company ORM. This originates from the risk policy (cf. chapter 2), in which the corporate ORM guidelines are formulated. Only based on the defined objective is it possible to address further important questions concerning the organization of a reporting system, and these are then tackled in a targeted way to achieve the individual objective.

Who is responsible for the reporting and what reporting lines should be considered? What form, content and scope should the reporting system have? At what moment should which addressee be informed? How were measures developed from the reporting results?

Within the framework of the study, focus was especially put on the form of reporting, internal as well as external, the reporting frequency and information recipients.

Form of reporting (internal)

Internal reporting can consist of a daily status report of all OpRisk to management, be limited to reporting only events exceeding a certain threshold or reduced to simple loss-data acquisition with half-yearly reporting.

Differences in the form and specificity of the reporting are also shown in the study. Here, the following trends can be recognized:

  • Almost all those surveyed have internal OpRisk reporting, with only 2% of insurance companies declaring that they did not carry out any internal reporting.
  • In half of the insurance companies, internal reporting is part of the internal controlling system, and OpRisk categories are recorded and controlled separately (cf. chapter 3).
  • 11% of the insurance companies, mainly the larger insurers with high premium volumes, declared they had a separate OpRisk report.

Independent of the chosen form of reporting, attention should basically be paid to ensure that all levels of the insurance company management are suitably supported by the reporting system, both contextually and procedurally, and that they are provided with adequate information.

Form of reporting (external)

Within the legal framework requirements, supervisory authorities have been working for some years on the Solvency II project (EU) and the Swiss Solvency Test (Switzerland). Analogous to the three pillars in Basel II for banks, these guidelines describe three principles that solvency supervision will follow in future:

1st principle: Minimum demands on capital set-up

2nd principle: Auditing process according to supervisory regulations

3rd principle: Transparency

For external reporting, the 3rd principle in particular will be crucial in the future. It essentially concerns using existing market forces as a corrective, which is primarily reflected in extensive obligations to publish and strong dovetailing with the IFRS (International Financial Reporting Standards). At present however, Solvency II and the Swiss Solvency Test (SST) merely form a set of rules intended as a recommendation for insurance companies. But what is today's situation with regard to external OpRisk reporting in the German-speaking insurance sector?

Analogous to internal reporting, the defined general objective of ORM is also crucial for the form of external reporting. Thus, the scope of reporting ranges from mentioning the topic of OpRisk as a part of risk management to descriptions of the ORM organization and the most important company-specific OpRisk in a special ORM report. The study makes it clear that, in contrast to internal reporting, external reporting is less widespread. For almost two thirds of the insurance companies that carry out external reporting, OpRisk reporting is part of the general risk-management report. In addition, the presentation of OpRisk as part of the company report (37%) or of the audit report (15%) is widespread.

Based on a detailed evaluation, country-specific differences can be recognized. In Switzerland, OpRisk is only a minor topic of discussion both in the risk management report (33%) and in the company report (27%), whereas audit and compliance reports are more important. In particular, the larger companies (measured both by employee numbers as well as by premium volumes), mainly communicate by means of audit reports. In Germany, there is an opposite trend, with 85% identifying ORM as part of the risk-management report and almost half as part of the company report. Other forms of reporting are not very widespread in Germany. Similar tendencies are apparent in Austria, where in addition, 13% of insurance companies identify OpRisk as part of the financial report.

Reporting frequency and information recipients

Based on the differing and general ORM objectives of insurance companies, both the reporting frequency and the recipients of information also vary. The survey additionally shows a dependency on both dimensions, which implies the existence of level-adapted reporting. Thus, annual reporting, which in 44% of the cases is addressed directly to management, constitutes the norm. This trend is particularly evident in Switzerland. In 6% of the insurance companies, the report is sent to other internal target groups, with the parent company or supervisory/auditing offices in particular being mentioned most frequently. Only 2% of those questioned declared that they reported on a yearly basis to the risk manager. In Germany, reports are submitted more frequently, mainly on a quarterly basis. In the case of quarterly reporting, management, with 22%, still represents the most important target group. At this frequency, the internal report is also increasingly addressed to the risk manager, with 19%. Both in Switzerland and in Germany, reports are primarily addressed to management. In Austria, no clear trend has been identified.

Intermediate conclusion

  • Internal OpRisk reporting is carried out by all those questioned, for half of whom it is part of the internal controlling system.
  • The principal recipient of internal reports is management, which is predominantly informed annually, followed by the risk manager, with a predominantly quarterly reporting frequency.
  • External reporting is carried out by 85% of those surveyed and is part of the risk-management or company report in the majority of cases.

6. RISK GOVERNANCE AND RISK ORGANIZATION

Following explanations of the risk-management process and reporting with reference to the risk-management processes, this chapter deals with structural and organizational matters.

In the organization of risk governance, the following central questions arise: what does the ORM structure look like in German-speaking insurance companies? How many people work in ORM today and what is planned for the future? How is the current repartition of responsibility in the organization arranged? What other departments in the company are involved with ORM and form an interface to integral ERM? The answers to these questions give a first insight as to what importance is given to ORM in the company, and in particular by management. The tangible effects of this are shown in the structure of risk governance and risk organization, i.e. in the number of ORM jobs created and the assignment of responsibility, as well as in the other organization units involved in the ORM initiative.

Structure of the risk organization

The study shows that a clear majority have at least one function in operational risk management. Thus, at the present time, 61% of the companies have a line manager who deals with ORM. For a further 10%, the introduction of such a function is planned.

In the strictest sense, risk management is part of the ORM staff function. Almost a third of the companies surveyed had already institutionalized such a function, but more than half of the companies have no plans for this. The situation with the chief operational risk officer looks similar. Only a fifth of the companies have a corresponding position and in nearly 70% of them, especially the smaller insurance companies, none is planned either. As a rule, the risk committee is responsible for risk policy at the management level, takes care that the management pays the necessary attention to ORM and thus represents the connecting link between the staff function and management. A specific OpRisk committee exists in only 11% of cases but is, however, being planned by 17% of the insurance companies surveyed. Furthermore, the study identified country-specific trends. In Switzerland, many ORM staff functions are already in existence. The larger multinational insurance companies, above all in Germany and Austria, have, however, frequently defined line personnel as responsible for OpRisk.

Creation and development of governance structure

The study shows a clear connection between the existence of an ORM function and the number of employees in the insurance company.

The majority of insurance companies have introduced an ORM function; the smaller companies tend to have only one, while the medium and larger companies frequently have several. It is further apparent that, more frequently than the medium- and large-sized insurance companies, the smaller ones had only introduced such a function within the past year, or as yet, not at all.

In future, the majority of those insurance companies that as yet have no ORM are planning to establish their own ORM functions. Only two insurance companies without an ORM initiative do not plan to create a corresponding position.

In companies that have had an ORM strategy for one to two years, no expansion plans with regard to the functions were identified. In contrast to this, insurance companies that have been following an ORM strategy for three to four years show the highest growth with regard to new functions. This development will lead to a deeper rift between the two groups of companies. Those insurance companies with very recent ORM initiatives (less than one year) are interested in extensively building up their ORM functions, but will have to make huge efforts in order to close the existing gaps. It is an interesting fact that medium-sized companies which have to date not yet implemented ORM, tend towards the introduction of either no positions at all or many of them in ORM. For their part, the smaller companies plan to create one to two positions in the future.

Repartition of responsibility in risk organization

The institutionalized participation of management – management attention – is a decisive prerequisite for successfully tackling OpRisk. On the corporate management level, it is apparent from the study that, in practice, in 44% of the insurance companies surveyed, overall responsibility for ORM lies with management. In 20% of those questioned, the CEO was named. The CFO as the person with overall responsibility, with 6%, represents the exception case. A similar picture emerges with regard to the responsibility for developing risk policy and risk strategy. In view of its many facets, together with overall responsibility for ORM, great significance is also attached to the definition of roles, tasks and responsibilities of all the other ORM functions. As the study shows, the responsibility and task definitions for the functions subordinated to management are, however, hardly ever institutionalized. In the future, there will be a need for further action by insurance companies, and this will depend on the one hand on the company size and, on the other, on the degree of implementation of the ORM initiatives, and there will thus be corresponding variances between them.

Departments involved and interfaces to ERM

Risk management touches on various areas of responsibility. Links between already existing systems and the ORM initiative may also be seriously affected. This is reflected predominantly by the participation of the internal control system and internal auditing in ORM. In companies with high premium volumes (more than EUR 2 billion), other organizational units very often participate in ORM. In particular, the Chief Information Officer is regularly involved in ORM, which gives an indication as to what importance is basically given to technology risks.

Intermediate conclusion

  • The majority of companies surveyed have at least one ORM function (e.g. line person responsible for OpRisk).
  • In two thirds of cases, overall responsibility is taken by management as a whole or by the CEO. However, other responsibilities such as loss-data acquisition are, in most cases, not yet institutionalized.
  • The still inadequate institutionalization has to do with the fact that numerous other organizational units participate in ORM. This demands an organizational structure and the consideration of interfaces with the ORM function.

7. INTEGRATION OF ORM INTO ENTERPRISE RISK MANAGEMENT (ERM)

The objective of enterprise risk management (ERM) is the integral examination of a company's risk situation, which results in an optimized operational and interdisciplinary control of all risks in the company. For this reason, the management of operational risks also becomes a focus of consideration for ERM. Thus, both the company-inherent and the Solvency II/Swiss Solvency Test points of view are taken into consideration.

Although the survey shows that the desire for comprehensive ERM is one of the main driving factors for the development of ORM, procedural or resource gaps frequently exist in the concrete implementation of risk-management strategies. Procedural gaps are created due to missing or insufficient integration into ERM, while resource problems can be attributed to deficient or missing specialist qualifications. This problem is aggravated by the fact that current regulatory developments (Solvency II, SST) initially focus on financial security and that management sets a lower priority for the supervision of frequently unquantifiable OpRisk. Thus, 15% of the companies explicitly stated that ORM is not integrated into ERM. Two thirds have implemented integrated risk reporting and almost 60% work with integrated risk identification or risk prioritization. A country-specific comparison shows that integrated risk reporting is less widely distributed in Austria. While Austrian insurance companies plan no integrated risk modelling or risk measurement, in both Switzerland and Germany, a fifth of the companies surveyed make use of this high level of integration.

If integration is planned, this is mostly at a company-wide level (37%). However, in 30% of the companies, all types of risk are aggregated together and in 22%, they are aggregated within the individual company units. It should be noted here that every fifth company gave no details concerning to what extent risk aggregation takes place. Insurance companies with low premium volumes seldom aggregate risks all together. This leads to the conclusion that the insurance companies surveyed place the emphasis for controlling operational risks at different decision levels.

Intermediate conclusion

  • ERM is one of the main driving factors for the development of ORM.
  • In general, considerable effort is still necessary in order to accomplish the integration of ORM into ERM.
  • There are large differences in risk aggregation with regard to the decision level. The company-wide level was the most frequently mentioned.

8. WAY FORWARD

The study shows that the insurance sector is today also orienting towards ORM as the target system, whether for reasons of regulatory pressure or strategic planning. What do the companies surveyed now see as the necessary steps for further development? Independently of the declared status of individual ORM initiative elements (cf. chapter 4), companies see a moderate to strong need for action in all areas.

On the one hand, stated concerns about insufficient implementation have been confirmed in the case of acquisition of OpRisk data and the use of quantitative methods. On the other hand, it is clear that, even in the case of ORM elements considered as extensively introduced, such as, for example risk identification and monitoring, a need for improvement is perceived. Furthermore, as a process, ORM receives quite high attention from management, and OpRisk organizations have been and will be expanded (cf. chapter 6). The awareness of OpRisk in the overall organization, however, is clearly described as "needs to be improved". Something similar applies in the perception that risk policies have room for improvement, even if OpRisk is, in principle, seen as covered by general risk policies. It can therefore be concluded that companies consider this coverage to be insufficient.

Intermediate conclusion

  • In all the areas considered, the need for action is perceived as moderate to high. The necessity for consistent ORM is increasingly coming to the fore.
  • There is considerable need for action in the area of OpRisk data acquisition and risk quantification.
  • Consideration is being given to improving the quality of already implemented ORM elements (e.g. risk monitoring).

9. FOCUS ON SWITZERLAND

ORM is relatively new in Switzerland. While 19% of insurance companies in Germany and 13% in Austria have been active in ORM for more than 4 years, this is the case for only one of the companies surveyed in Switzerland. In most cases, the ORM initiatives were also initiated because of regulatory guidelines rather than for strategic considerations. For most insurance companies, the consequence of this is that ORM is frequently less developed than it is in German or Austrian companies. For those companies that are strongly oriented towards, and are faithful to, rules and regulations, it is important not to lose sight of the strategic components of ORM.

For this reason, in comparison to Germany and Austria, ORM in Swiss insurance companies has a number of particularities, which are briefly presented below.

Governance and organisation

In Switzerland, a relatively high number of insurance companies already have a specific OpRisk policy. This results from the major influence of regulatory guidelines. However, there is still potential for improvement in the area of organization. Thus, OpRisk is only rarely included as part of the internal control system. In order to benefit from synergies, it would make sense to link ORM with the internal controlling system, with which it already overlaps in certain areas.

Risk definition/classification

In Switzerland, insurance companies mostly follow the risk definitions and classification according to Basel II, and the majority use Basel II as a general basis. "Inadequately defined processes" were cited as the most important operational risk in Switzerland, whereas IT security gaps and system interruptions were rated much lower than in Germany or Austria.

Risk management process

Swiss insurance companies are frequently less successful in assessing damage potential. They generally calculate with higher losses than their foreign competitors. In Switzerland the coverage of OpRisk is often carried out on a high level. A few companies also record and administer them separately.

Reporting

In comparison with the other countries, external reporting in Switzerland is more often carried out within the framework of the auditing report and less frequently in the risk-management or company report. In addition, OpRisk in Switzerland is sometimes listed in the compliance report or in a special ORM report.

Implementation

Swiss insurance companies basically lag behind in the implementation of almost all elements of OpRisk. Thus, for instance, risk monitoring and reporting, as well as external risk communication, have been implemented by only about half as many companies in Switzerland.

Outlook

Swiss insurance companies want to shape the development of qualitative and quantitative methods. In the future, they would prefer to go in the direction of advanced quantitative assessment methods. It is clear that the existing potential for improvement has been recognized. If the Swiss companies succeed in implementing their future plans as desired, they must at least keep pace with existing quantitative standards and in many cases even be able to set them.

Intermediate conclusion

  • ORM is a relatively young process in Switzerland, the primary driving factor for its initiation being regulatory guidelines.
  • Consequently, a few particularities have developed in the Swiss insurance sector, such as the above-average orientation towards Basel II, in particular when designing the ORM initiative.
  • In the implementation of ORM, Swiss insurance companies lag slightly behind those in Germany and Austria, but they have already recognized that potential for improvement exists in the future.

10. CONCLUSIONS AND OUTLOOK

ORM is increasingly becoming the focus of attention in the insurance sector. Because of regulatory developments (Solvency II, SST), all companies will be basically obliged to establish an appropriate risk-management system. From the present study, it is evident that those companies that began implementation because of internal strategic considerations have more widely developed tools and methods at their disposal, and are already benefiting from the advantages that can be achieved by effective ORM, such as improved process quality, better risk prevention and enhanced emergency planning.

However, for the whole sector, while there is definitely sensitivity with regard to OpRisk, ORM is still in the development phase, and companies are confronted with various issues because of the idiosyncrasies of this risk category.

Driving factors

The main reasons for introducing ORM are regulatory pressure, the need for a comprehensive risk overview and protection from OpRisk related losses. It is evident that companies with older ORM initiatives increasingly emphasize strategic reasons for the introduction of ORM, while companies with younger processes are driven by regulations. The importance of strategic ORM initiatives is recognized by the insurance companies, but this may be attributed to a high degree of attention by management: most of the processes were started by management/the CEO.

OpRisk policy and strategy

Most of the insurance companies surveyed have a risk policy that also covers OpRisk, whereas a mere 10% of them, mainly the large companies, have also implemented a specific OpRisk policy. Over a quarter of the smaller companies have still not implemented any policy, so for these, there is a more pressing need for action. However, only a third of the companies that do have a policy have also turned this into basic strategies for managing OpRisk.

Risk identification and classification

Basel II is also used by a large percentage of insurance companies for orientation with regard to the definition and classification of OpRisk. Multi-stage, complete classification according to the costs-by-cause principle (cause, event, loss) is still rarely applied by insurance companies. Operational risks are assessed differently in different countries, with legal and political risks, IT risks, inadequately defined processes and the turnover of key personnel generally being assessed as critical. The growing relevance of ORM in the insurance sector will in the future also lead to OpRisk definition and classification being increasingly adapted to the specific needs of insurance companies.

Risk management process

The majority of the companies surveyed consider classic sub-processes in the risk-management process (communication, reporting) as being implemented. Loss-data acquisition, an essential basis for complete ORM, rarely takes place systematically, which also explains why the extent of modelling and capital securitization is still limited. Today, risks are predominantly identified and assessed by means of qualitative and simple quantitative methods (e.g. self-assessment). A clear trend to sophisticated methods, which increases with the maturity of the ORM initiative, is apparent in medium-sized companies today, as well as in all the companies surveyed in the future.

Reporting

Internal OpRisk reporting is carried out by all the companies surveyed. For half of them it is part of the internal controlling system. The principal addressees of internal reports are management, which for the most part is informed annually, followed by the risk manager, where the reporting frequency is predominantly quarterly. External reporting is carried out by 85% of the companies surveyed, and is, in the majority of cases, part of the risk-management or company report.

Risk governance and risk organization

The majority of companies surveyed have at least one ORM function (e.g. line person responsible for OpRisk). In two thirds of cases, overall responsibility is taken by management as a whole or by the CEO. Other responsibilities, such as, for instance, loss-data acquisition are, however, in most cases not yet institutionalized. The still inadequate institutionalization has to do with the fact that numerous other organizational units participate in ORM. This calls for a clear organizational structure and consideration of its interfaces with the ORM function.

ORM and ERM

ERM is one of the main driving factors for the development of ORM. There are considerable gaps in the implementation of integration. There are large differences in risk aggregation with regard to the decision level. The company-wide level was the most frequently mentioned.

Way forward

In all the areas considered, the need for action is generally perceived as moderate to high. The necessity of a consistent ORM is also increasingly understood. There is considerable need for action in the area of OpRisk data acquisition and risk quantification. Further, consideration is being given to improving the quality of already implemented ORM elements (e.g. risk monitoring).

Focus on Switzerland

ORM is a relatively young process in Switzerland, the primary driving factor for its initiation being regulatory guidelines. Consequently, a few particularities have developed in the Swiss insurance sector, such as the above average orientation towards Basel II, in particular when designing the ORM initiative. In implementation, the Swiss insurance companies lag behind, although they have recognized existing potential for improvement in the future.

Excursus: Special focus and trend groups

Small companies: facing considerable challenges

Small companies are not in the lead in any ORM area. This lagging behind stems from the fact that these companies only began elaborating ORM recently and have few specialists and little financial resources for risk management. The smaller insurance companies almost exclusively started working on an ORM strategy for regulatory reasons. None of these companies is in a position to assess the annual OpRisk damage potential concerned. This is not really astonishing, since practically no quantitative assessment methods and only few qualitative approaches have been established in these companies. These gaps have been recognized by most small companies and, in the methods area, should be closed by further expanding ORM. In part, they are also planning a huge expansion of ORM jobs and functions. While today, there is not more than one employee per company, in future, on average, three people are planned in the ORM area.

Big companies: only slow progress

In the largest companies (more than 15,000 employees), there is a very inconsistent picture in the various application areas. The large companies have strongly oriented the organization of their ORM framework towards Basel II. That there is no tendency in the large companies to strive for improvements is serious, although various gaps have been clearly identified. Here too, for the moment, qualitative methods, particularly for identification, are primarily used. The use of quantitative methods is not planned. Likewise, there is a tendency to renounce building up ORM jobs and functions (today 100 to 200 full-time jobs).

Medium-sized companies: leaders of the pack

Medium-sized companies have the most advanced approaches in practically all areas. In addition, in contrast to the big companies, they show interest in the further development, or rather the continual improvement and extension, of their ORM initiatives. As opposed to the small insurance companies, the decision to develop ORM is not driven exclusively by regulation tendencies. Strategic considerations play a decisive role. This proactive approach may also be the reason for the identifiable progress. Consequently, it is the medium-sized companies which succeed best in assessing their annual damage potential. Similarly, they tend to plan to build up ORM functions and jobs in the coming years. With the methodical implementation of this plan, the most comprehensive approaches should be found in the medium-sized companies.
