operational resilience in insurance: uk’s ... › hubfs › website-files › ...agile,...
TRANSCRIPT
WHITE PAPER
OPERATIONAL RESILIENCE IN INSURANCE: UK’S CHANGING REGULATORY LANDSCAPE
Prakhar AgrawalPractice Director, GRC
Written by
May 27, 2020
Mohit ManchandaHead of Insurance, UK & EU
Prashant ChaturvediVP & Leader, Finance Transformation
EXLSERVICE.COM 2
A significant operational disruption to an insurance firm may send shockwaves to policyholders and other market participants. Resilience is defined as ability of a firm, and the financial system as a whole, to absorb and adapt to such shocks. Neither the pace of innovation nor the possibility of serious adverse events will subside, and many firms may not have sufficiently planned to manage the resulting disruptions. As such, there is a need for regulatory supervision to ensure firms embed adequate resilience in their products and processes.
This was the driving factor when Bank of England, Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA) came together with a set of guidelines for UK’s insurance and broader financial services sector. These guidelines, while presently consultative, will become the regulatory norm by the end of 2020 or early 2021. While both PRA and FCA have their specific set of objectives, combined regulatory objectives can be summarised as (i) avoidance of any harm to consumers (e.g. insurance policyholders), (ii) sustainability of firms, and (iii) avoidance of any harm to wider financial services industry.
Regulatory Objectives
Financial Conduct Authority
1. Consumer Protection: The ongoing availability of business services reduces consumer harm. Focusing on critical business services will improve how firms ensure the ongoing availability and supply of business
services to consumers, both retail and wholesale
2. Market integrity: The ongoing availability of business services reduces harm to market integrity. Operational disruptions pose risks to the soundness, stability, and resilience of the UK financial system and the orderly operation of financial markets. These proposals will help build the resilience of the market to continue to function as effectively as possible and quickly return to full operations following a disruption
3. Effective Competition: Resilient firms can promote effective competition. Consumers may be more likely to choose firms that are more resilient to operational disruptions. This may drive firms to improve their operational resilience as one way to compete for and retain customers
Prudential Regulatory Authority
1. Financial Stability: To ensure financial stability of the firms and avoid material economic harm
2. Safety and Soundness of Firms: To avoid material adverse impacts on firms’ profitability or viability as a result of operational disruption. This would be done by ensuring insurers remain within impact tolerances for their critical business services
3. Policyholder Protection: To ensure businesses avoid any harm to anyone who may become a policyholder by failing to deliver critical business services
The scale and pace of technological innovation in the last decade have brought about endless opportunities for insurance firms. From one-touch claims to straight-thru-processing, insurers have upped their game. With a growing reliance on technology, soaring customer expectations, increasing dependencies on supply chain and sheer pace of change, however, both the points of failure and likelihood of disruptions seem to have increased. This and other factors such as growing sophistication of cyber threats are leading to a regulatory shakeup for insurance firms.
EXLSERVICE.COM 3
What These Regulations Mean for Insurance Firms
Supervisory authorities propose that insurance firms undertake the following steps towards enhancing their operational resilience:
• Identify critical business services Insurance firms will need to review their value chains and identify ‘important’ business services that, when disrupted, may genuinely lead to significant harm to customers. This requires that firms first identify each distinct business service in the value chain, ensuring to break down the individual services within connected processes. These services will then be assessed for the degree of harm that, if disrupted, they may induce on customers. Harm factors to consider include time criticality, substitutability, and vulnerable customer base, among others. This assessment (also termed as important business services assessment or IBSA) will help determine services that are important.
• Set impact tolerances For business services that are defined as important, firms will need to define minimum operational standards, or maximum degree of disruption that may be tolerated before consumers face intolerable levels of harm. These thresholds will include time-based metric such as the maximum tolerable duration of a disruption, and other metrics such as number of customers affected.
• Map resources Firms will then require an in-depth mapping of resources including people, processes, technology systems, facilities, and information that support the successful delivery of important business services. This will include both organisational resources and those supplied by third parties within the supply chain.
As an example, the following may be included when mapping the policy renewals service:
— People, such as call handlers, live chat assistants and digital sales support team
— Technology, such as software application database servers, remote connectivity software
— Facilities, including premises where the relevant staff work plus components such as telephones, internet connections, and other equipment
— Supplier, such as the one that firm contracts to issue renewal correspondence by post
A careful assessment of underlying risks and threats to each of these resources would give a good perspective on the overall threats to the business service they support.
• Perform scenario testing Firms will then need to test their ability to remain within the defined impact tolerances through a range of severe but plausible disruption scenarios. These scenarios should assume one or more of the
2020 2021 2022 2023 2024
Consultation ends Final Policy Initial Implementation Complete Transition
H2H1H2H1H2H1H2H1H2H1
Exhibit 1 : Proposed regulatory timeline
EXLSERVICE.COM 4
well as their supply chain.
As an example, cloud data migration may be one of the remediation strategies for policy renewals service.
• Monitor Operational resilience is an outcome. Firms will need to build in a mechanism to continuously monitor their resilience needs. For example, firms will need to monitor the changing threat landscape for emerging newer threats. They will have to monitor for any new services for their customers, or changing criticalities of existing services. This will in turn require firms to revisit their impact tolerances, scenarios and perform the entire cycle of activities on an ongoing basis.
resources defined above are not available or are otherwise disrupted, and determine the impact this would cause on the continued delivery of important business services.
As an example, in case of policy renewals, complete power loss at one of the operations site may be a valid scenario to test, and so will water leak in server room that houses database server.
• Enhance resilience capabilities Scenario testing will identify gaps which firms will need to invest in to remediate. Firms will need to develop adequate contingencies and mechanisms that enable them to meet the defined operational standards and bounce back during and after a disruption. This will require a holistic review and remediation effort across the firm at a group level, as
To align the operational resilience requirements, insurance firms will have to...
Identity critical business services
(e.g.renewal of motor insurance policy)
Set impact tolerances
(e.g. 24 hrs a�er policy renewal date )
Map resources
(e.g. call handlers, remote connectivity
so�ware etc. ) Perform scenarios testing
(e.g. fail-over test )
Enhance resilience
capabilities(e.g. cloud migration)
Monitor(e.g. changing
business or threat landscape)
EXLSERVICE.COM 5
• Detailed resource mapping for important business services
• Impact tolerances and scenario testing
MITIGATE This stage involves implementing strategies, processes, and systems to remediate gaps. The firm will enhance their resilience capabilities and toolkit, such as by reinforcing their business continuity and crisis response efforts and putting greater assurance on maintaining their supply chain.
Key activities are:
• Analyse and prioritise resilience gaps
• Gap remediation
• Enhance resilience toolkit
• Enhance BCP/DR and crisis response capabilities
• Implement communication channels
MONITOR Operational resilience is not a destination; new threats
emerge and firms must continuously review and refresh
their resilience efforts. Here, the firm will review their
critical business services, associated resources and impact
tolerances, and monitor and report on the metrics and
KPIs they originally set.
Key activities are:
• Monitor and report on metrics and KPIs
• Monitor for emerging threats
• Review and refresh business services mapping
• Revisit impact tolerances
• Periodic assessments & audits incl. third parties
Where to start
Insurance firms may adopt what we call a 4-M methodology: Mandate, Measure, Mitigate and Monitor to envision their end-to-end operational resilience journey. This will help them effectively structure a resilience programme to align with the regulatory requirements
MANDATE This is where ownerships and accountabilities will be assigned, which will then lend oversight as the firm goes about its resilience journey. The firm will develop an operational resilience strategy and framework, which will enable them to embed resilience practices across the value chain. Other policies and standards will be defined, and metrics/KPIs will be set to guide the implementation.
Key activities are:
• Operational resilience ownership and accountability
• Operational resilience framework
• Establish communication needs
• Define metrics, KPIs and reporting needs
MEASURE This is about fact finding. The firm will measure its current state and identify areas that may require further work. This will form the basis for a formal implementation programme. Other types of assessments will help determine business services that are critical, supporting resources and areas in which impact tolerances may not be currently met. This stage will help discover resilience gaps.
Key activities are:
• Initial maturity / readiness assessment • Important business services assessment (IBSA)
EXLSERVICE.COM 6
Recipe for Success We strongly believe there are seven tenets of a successful resilience programme. The ongoing COVID crisis provides for a perfect example of how invaluable these can be in times of disruption:
SEVEN TENETS OF A SUCCESSFUL RESILIENCE
PROGRAMME
Clear ownership(accountability)
Common understanding
of building blocks(business service,harm
factors etc.)
Meaningful metrics and
KPIs(impact tolerances and early warning
signals)
E�ective communication
strategy(Messaging is key, both internal and
external)
Feedback mechanism
(Lessons learned from past disruptions and
near misses)
Holistic e�ort
(Move away from silos to critical business
services focus)
Collaboration(All functions, three
lines of defense)
Conclusion
Resilience is critical for firms to survive in today’s
threat landscape and thrive in a competitive business
environment. In the race to offer better products faster
and cheaper than the competitors, firms have exposed
themselves to myriad non-financial risks, such as those
resulting from a complex IT environment, poor cyber
security posture, lack of control over supply chain, and
legacy infrastructure, among others. Such risks can no
longer be deemed as a cost of running business. They
have the potential to disrupt critical business services,
causing significant harm to customers, the firm, or wider
industry. Disruptions will happen. Firms need to be
resilient so they can withstand and recover from these
disruptions.
Supervisory authorities are jointly reinforcing UK’s
operational resilience regulatory framework, and are
encouraging similar collaboration among insurance firms
and industry bodies towards building a resilient industry.
Operational resilience should not be deemed as just a
compliance tick as it offers far greater business benefits. As
the FCA puts it, “consumers may be more likely to choose
firms that are more resilient to operational disruptions”.
In light of the ongoing pandemic, while the regulatory enforcement timelines may be extended, insurance firms are actually accelerating their resilience efforts. EXL is uniquely positioned to help clients by bringing together its deep insurance domain expertise, experience of delivering large regulatory change programmes, and extensive compliance toolkit.
EXLSERVICE.COM
United States • United Kingdom • Australia • Bulgaria • Colombia • Czech Republic • India • Philippines • Romania • South Africa
EXL (NASDAQ: EXLS) is a leading operations management and analytics company that helps our clients build and grow sustainable businesses. By orchestrating our domain expertise, data, analytics and digital technology, we look deeper to design and manage agile, customer-centric operating models to improve global operations, drive profitability, enhance customer satisfaction, increase data-driven insights, and manage risk and compliance. Headquartered in New York, EXL has more than 32,600 professionals in locations throughout the United States, the UK, Europe, India, the Philippines, Colombia, Australia and South Africa. EXL serves multiple industries including insurance, healthcare, banking and financial services, utilities, travel, transportation and logistics, media and retail, among others.
For more information, visit www.exlservice.com
To find out more , contact us
EXLservice.comUNITED STATES (GLOBAL HEADQUARTER)320 Park Avenue, 29th FloorNew York, New York 10022T +1 212.277.7100 F +1 212.771.7111
UNITED KINGDOM AND EUROPESt Clare House, 30-33 Minories London, EC3N 1DD T +44 7904.256.431
AUSTRALIA AND NEW ZEALAND1198 Toorak Road, Camberwell Victoria 3124,Melbourne, AustraliaT +61 448.305.819
Facebook LinkedInTwitter
© EXL Service, Inc. All rights reserved.