With the world in a state of coronavirus-related flux, the need for solid and effective operational resilience has never been more pertinent – but how can this be achieved?

In December last year, the FCA – in conjunction with the Bank of England and the Prudential Regulation Authority (PRA) – launched a joint consultation on operational resilience.

In a corresponding speech at The Investing and Saving Alliance’s (TISA) Operational Resilience Forum, the FCA’s executive director of supervision – investment, wholesale and specialists, Megan Butler, said the consultation was designed to achieve “a shift in mindset”.

She continued: “The proposals in the consultation papers make it clear that we expect you to understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market.”

These proposals include expectations of firms to identify important services, considering how disruption to these services can have impacts beyond the organisation’s commercial interests; setting a tolerance for disruption for each key business service; and requiring businesses to map and test their services in order to find vulnerabilities in their operational resilience and drive change where needed.

For the insurance sector specifically, however, Justin Elks, managing director and UK enterprise risk management (ERM) and insurance lead at consultancy Crowe, believes that operational resilience is centred on trust.

He explained: “It’s about building trust: trust that an organisation can adapt to changing circumstances - withstanding, absorbing and recovering from stresses and disruption [while] delivering on promises to customers and achieving critical business objectives.

“Trust is foundational to insurance, which is fundamentally about a customer trusting the industry to take, pool and manage risk.”

Benefits of resilience

The connection between good operational resilience and customer trust is vital if insurers wish to stand out from their rivals, added Elks.

“If services are less likely to be disrupted, the downside risk of customer harm is reduced,” he said. “Some companies outside of insurance [are] using operational resilience as a competitive differentiator; I expect to see more of this in insurance going forward, as insurance is a ‘trust’ business.

“I believe customers will increasingly only use companies they trust to deliver services, so operational resilience will be a crucial competitive differentiator.”

Another advantage of finessing operational resilience, according to Elks, is that firms can glean valuable insights into business models and processes, evaluating what contributes to or detracts from achieving set goals.

Furthermore, operational resilience helps to bring risk management to the fore. “Operational resilience can make risk management more real – enhancing the value, practicality and ownership of operational risk management by shifting the focus from assessing to managing risk and driving operational risk awareness to the front line of the business,” Elks said.

Strategy

But, how can insurers and brokers achieve this holy grail of effective operational resilience?

Alongside following the FCA’s advice regarding operational resilience, these strategies should take a collective business view rather than separating into siloes, “joining the dots” through internal collaboration and shared responsibilities.

Elks said: “To enable an effective programme of activity, organisations need first to get their arms around these disparate areas, understand their current position and their aspirations, then ruthlessly focus and prioritise what’s important for their business.

“Conducting an independent-minded gap analysis across existing processes, capabilities and resources will enable the business to focus and prioritise their effort in the right areas and not waste money where it won’t add value by mobilising a large, costly programme.

“Insurers should look to join the dots between existing capabilities and approaches by building on established operational components that contribute to resilience.”

Elks added that firms should be aware of how third and fourth parties can impact upon their operational resilience, and that engaging board members and non-executives is also important.

“Non-executive directors are typically very interested in operational resilience, as it helps them focus on the important operational issues where their experience and expertise should be focused,” he said.

Operational risk

However, could operational resilience itself actually be a risk factor for insurers and brokers? These firms collect and store a lot of personal data from customers, and with technology developing in leaps and bounds every few months, surely keeping pace with operational risks is a challenge?

“Operational resilience is an outcome of good operational risk management,” Elks confirmed.

“In thinking about managing operational risks and operational resilience, insurers and brokers need to recognise that the operational risk environment [has] shifted in the past decade.

“Factors such as the increasing use of technology and increasing use of third parties means the business world is increasingly interconnected; insurers rely on technology in almost all processes from front-end customer interaction to management, analytical, administrative and settlement functions, and rely on third parties to both supply technology and provide enhanced capabilities.

“This is why regulators are focusing on operational resilience now – they want firms’ operational readiness to be on a par with their financial and strategic readiness.

“In some insurers under Solvency II, these non-financial risk areas have been under-invested and have often felt like the ‘poor relation’. I believe the focus on operational resilience will change and enhance operational risk management to enable it to more effectively provide insight, impact decision-making and support the delivery of strategic objectives. This will help firms to enhance returns as well as manage regulatory compliance risk.”

Elks further warned not to underestimate how people can influence these risks too. He explained: “We’re increasingly focusing on helping clients address the role people play as the first line of cyber security defence, their values and behaviours, and the implications on risk exposures.

“We are seeing an increasing focus on influencing culture and educating people on security behaviour to effectively mitigate the risk.”

Coronavirus impact

Undoubtedly, one of the greatest tests of operational resilience this year is the Covid-19 pandemic; Elks described this as a “live test” of current operational resilience models.

He continued: “Prior to coronavirus, pandemic scenarios were incredibly difficult to engage businesses in thinking about, as the sort of requirements and behaviour we are now expecting from people wasn’t something business people were thinking was plausible.”

David Miller, insurance regulatory partner at KPMG, agreed. He added: “Operational resilience, until now, was seen by many firms as a theoretical planning exercise in response to the requirements set out by the PRA, FCA and Bank of England.

“In a matter of weeks, Covid-19 has demonstrated the intrinsic link between operational resilience in theory and crisis management in real-time, as firms battle to maintain operational continuity under some of the tightest restrictions our society has ever seen.”

For Miller, the key for organisations looking to survive the economic impacts of the coronavirus outbreak is to identify key business services and the infrastructures that these rely on, as well as understand the firm’s tolerance for any service outages.

He further recommended using past experiences of crisis to analyse any potential blind spots, and said that contingency planning should not revolve solely around processes, but also around senior leaders and their deputies.

Elks concurred: “People and culture are key in an effective response, so it’s important to balance meeting customer needs with a duty of care to your people.

“My advice to insurers is don’t waste the crisis – use the current challenges to learn lessons and improve your approaches to operational resilience.”

He added that business resumption plans should also be reviewed – these typically centre around localised events, like location outages; however, many firms will have to manage employees returning from remote working en masse.

A proactive mindset

Despite all the forward planning that firms can implement in order to become operationally resilient, Elks added that it also comes down to having “a proactive mindset”.

He continued: “Being operationally resilient can deliver significant competitive advantages, but benefits will only be realised if firms adopt a proactive mindset that assumes events will happen, and think in advance about how to deal with them when they do, building in flexibility to adapt and deal with the unexpected.

“Companies can be operationally resilient by dealing with problems quickly, by timely and effective direct communication, understanding the impact of disruption and making sure customers don’t lose out.”

Insurers have been agile in responding to Covid-19 operational challenges

According to Steve Whitfield, senior consultant at Altus, large-scale insurers have been incredibly agile in their business continuity response to the Covid-19 pandemic.

He said: “Most people’s business continuity plans wouldn’t [have] been adequate to cope with the entirety of this situation, purely because the likelihood of this sort of event is typically pretty low. I would guess that [insurers’] business continuity plans would get them 50% [to] 75% of the way, but typically most people’s business continuity plans are not about having to get all of your front line staff working from home due to self-distancing.

“But what I have seen is the ability of most insurers to move really quickly to combat those issues. Their ability to move and put their staff first and protect their staff has been quite impressive.”

Altus colleague Patrick Hayward, consultant, added that the coronavirus outbreak will also impact the business continuity plans of the future, as firms seek to mitigate the detrimental impacts that have emerged from this year’s pandemic.

Hayward added: “One of the things it probably will mean is it will change the nature of how people look at business continuity management in the future; having an actual understanding of [what] the true nature of some of these risk events taking place will mean.

“There will be quite a lot of activity in the immediate aftermath of this to get themselves closer to 100% and being ready. That’s not just large insurance companies; that flows down to their policyholders as well, [such as] commercial insureds and smaller businesses, and will possibly become a focus for insurers – understanding what their customers’ preparations look like for these kinds of events.”

PASS NOTES

Considering operational resilience

Justin Elks, managing director and UK enterprise risk management (ERM) and insurance lead at Crowe, outlines the five key elements that businesses need to address when it comes to operational resilience:

1. Operational resilience strategy: Firms need to identify their important business services that, if disrupted, could cause harm to consumers or threaten their viability. They also need to set impact tolerances for each important business service, which clearly quantify the maximum level of disruption they would tolerate. These elements need to meet regulatory requirements, but also, critically, need to be closely linked and supportive of a firm’s business strategy and mission.

2. Mapping and optimisation of the business model: Operational resilience is, at heart, about how an organisation can deal with stresses and disruption. By mapping how firms deliver their important services and linking these to their operational resilience strategy, firms can make choices as to how they are set up to prevent, respond to, recover and learn from stresses and disruption.

3. Tools and techniques: Firms will need to develop a toolkit that helps them to anticipate and plan, test, detect, respond and remedy, learn and adapt to stresses and disruption. The elements of this toolkit aren’t necessarily new – for example, all firms will have business continuity plans – but this will need to be refined to reflect the priorities of their operational resilience strategy, to make sure the focus is on the most important areas.

4. Governance: Firms will need to make sure operational resilience is effectively considered in a business’s decision-making, communication and oversight structures, including self-assessing operational resilience.

5. Capabilities: Firms will need to make sure they have the right people, processes and systems to achieve and maintain operational resilience.