Six wrong ideas on operational risk transfer via insurance

27/10/2023

Wrong idea n°1 : Insurance mapping

“Let’s map our insurance policies to our operational risk map in order to see which part of it they cover”.

The problem is the direction : the usual “From Insurance to Risk” (I->R) exercise, often proposed by insurance sellers, leaves aside the insurable risk that remains uninsured. Doing the “From Risk to Insurance” (R->I) work first guarantees that insurance is embedded in the ORM project.

Wrong idea n°2 : Taxonomy

“Insurance is impossible to map to an Operational Risk taxonomy. For instance, “External Fraud” is too wide to be qualified (“Yes or No”) as to insurability.”

We just need a minimum of detail here : experience proves that, even if such an event cannot be qualified, the “cause->event->consequences” trees can be, all the more so if the tree is detailed by process or business line.
Obviously, the level of granularity of the exercise must be carefully defined. For instance, a post-disaster event consequence like “site fencing / guarding costs” will be sublimited in the property insurance policy… Always balance the pros and cons of getting into this level of detail in scenario assessment.

Wrong idea n°3 : Risk and Control Self Assessment (RCSA)

“When it comes to RCSA (“low” / “medium” / “high” risk), insurance mitigation mapping never comes out right, thus such a mapping exercise is never conclusive.”

The answer is certainly not a “Low” / “medium” / “high” insurance coverage, but an actual scoring of the current insurance (just as controls can be scored), via the Insadeq scoring model.

Wrong idea n°4 : Transfer

“Insurance is about transferring the risk.”

No, insurance is about Risk Management, and should represent one of the use tests for any Operational Risk Management (ORM) process.
A smart ORM-based insurance decision means doing the R->I work (i.e. the assessment of the famous “insurable” risk profile of the F.I.) before trying the “way back” I->R. Below are some examples of “insurance based” questions challenging the ORM process :

Loss data collection : “Why has no loss been captured in the system by this entity, whereas this same entity declared several claims on our liability insurance policy ? This means that early warnings, near misses, etc. are not captured by the entity, which is therefore not compliant with the group loss capture rules.”

Scenarios : “Why does the insurance market consider risk scenarios, or specific causes or consequences, that we have not highlighted in our workshops ?”

Reputation : “On this cover, why do insurers offer our competitors better insurance terms than ours ? Where are the flaws in our ORM or in our communication to the insurers that lead to this situation ? And what if our Regulation Authority is made aware of this ?”

Frequency : “Why does the insurance market keep adjusting its deductibles to a level that does not match the results of our loss collection exercise ? Could our process be flawed, and our measured internal loss level over- or underestimated ?”

Cost of capital : “Is there any specific risk where a discrepancy appears between the additional insurance premium to cover it and the marginal cost of capital for such risk ? Such a discrepancy should alert us to the reliability of our Cost of Capital calculation in this risk area.”

Premium allocation : “Can the Group OR manager use the insurance premium allocation between entities (group program and captive insurance program) as a piloting tool ? Is such an allocation framework, based on each entity’s insurable risk profile, understood by them ? Is it an actual incentive, leading them to actively monitor and mitigate their own IOR profile, either via insurance transfer or other mitigation like enforcing new controls ?”

Insurance Underwriting Process : “How could the insurer’s due diligence process help us enhance our own ORM process ? From our experience, lots of key questions on risk exposures, whether in the fire prevention or cyber risks areas, have been first raised to Financial Institutions by their insurer as part of the underwriting process. Never forget that an insurer bets its capital on the efficiency of its clients’ controls. Insurance is definitely a committed partner in the Risk Management of its clients”.

Assistance : Assistance, not risk transfer, is the key part of some insurance policies in the cyber risks, property and kidnapping/ransom areas.

Wrong idea n°5 : Small World

“Insurance addresses only a small part of the OR world.”

As a first answer, does 25 to 30 %, the generally agreed share of insurable risk, represent a small part of the risk landscape ?

A second answer is : the Directors and Officers’ Liability insurance covers these Directors when they are personally sued for gross negligence, and a large OR event, even one not belonging to the insurance world, like a Compliance / Regulatory fine, could trigger such claims.

A third answer addresses the argument “Property insurance is straightforward : when it is burnt it is paid out by the insurer”. The answer is “certainly, and property insurance is not the issue for F.I.s, and it generally represents less than 10% of the insurance premium budget.”

Wrong idea n°6 : The Insurance Manager Function

“Insurance purchase and management requires specific expertise, which justifies a specific headquarters function.”

Though such dedicated and isolated “Insurance Management” functions exist in most Financial Institutions, whether located in the Legal Department or General Secretary, there are some drawbacks in maintaining such a black box in the organization :

– No Informed Decision : the ultimate decision on the Insurance Transfer is generally taken by the General Management of the FI, but this decision is based on the recommendation of the Insurance manager, and often with no tools provided to the management for any informed decision to transfer or retain the risk.

– Outsourced Risk Management : A third party to the bank (most often the insurance broker) can, sometimes without adequate information to the rest of the FI, become invasive in the management of the insurance program, notably if insufficient resources are allocated to the Insurance Manager.

– Specific controls : controls on the legal validity of the insurance policy wording and signature, and on the handling of claims, must be put in place.

– No Synergies with Operational Risk : such an organization prevents the insurance manager from interacting with the OR division.

In fact, there is no “Insurance Purchasing / Insurance Management Function”; there are only specific skills required for it, all of which can, and should, be taken on by the appropriate professionals in the firm :

– The Operational Risk Division : can usefully update the insurable risk maps, scenarios and loss database, with the broker’s input on the status of the insurance market, and on such basis :

– Build up an argumentation framework on the optimal level of transfer
– Update and justify the premium allocation scheme among entities, based on their most recent OR profile.

– The Procurement Division : can efficiently run insurer or broker tenders,

– The Compliance Officer can dispatch the required proofs of insurance when such insurance is mandatory,

– The Legal Division is in charge of the formalism of insurance policies and of the signature process

– Control and IT Security Divisions answer the underwriting questions of insurers in order to bring comfort to the insurance market.