Operational resilience in insurance: Top tips for doing it well (Part one)
In this two-part blog series, we look at the upcoming implementation of operational resilience regulation and what this means for the insurance industry. We also explain how organisations can ensure that they are compliant prior to the March 2022 and March 2025 deadlines, which areas of an organisation may be impacted, and how to turn a regulatory challenge into an opportunity.
Part one looks at the regulation in focus and the importance of a robust operating model in meeting its requirements.
What is operational resilience and why is it important?
The Bank of England defines operational resilience as “the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them.”
The reliance on automated processes, the integration of legacy and new systems, and the growing role of third-party providers mean firms must consider how they would continue to provide key services to customers in the event of a service disruption.
There is uncertainty around how and when economies will return to pre-COVID levels, as well as how people will work in the future, leading to a greater regulatory focus on the topic.
What are regulators doing - and when?
In 2019, the PRA and FCA published a discussion paper: ‘Building the UK financial sector’s operational resilience.’ This set out a series of proposals to improve operational resilience across UK firms and to “protect the wider financial sector and UK economy from the impact of operational disruption.” Following a consultation period, an updated paper was published in March 2021, laying out the requirement for firms to:
Identify important business services, considering how disruption would impact PRA objectives;
Set an ‘Impact Tolerance’ for disruption to each important business service;
Ensure they can continue to deliver their important business services and remain within tolerances during severe but plausible scenarios.
The paper also specifies a deadline for completing this: 31st March 2022. This comes with a requirement to prove that firms have tested and are within their tolerance limits. They also need to have made all necessary investments to operate and remediate any vulnerabilities by the end of March 2025. From March 2022, firms must also complete an annual self-assessment to document their compliance.
Similarly, the European Commission laid out a proposal for new regulations on the digital operational resilience of the financial sector in a communication published in September 2020. This aims to improve existing rules, supplier governance, risk management, and supplier incident reporting whilst also implementing new requirements on digital testing, information sharing, and an oversight framework for critical third-party service providers to monitor digital risks. Under these changes, third-party service providers would be required to provide a complete description of services, an indication of locations and the storage of data, and provisions on security and the protection of personal data.
Unlike other regulations, which focus on specific sectors of the financial services industry, the jurisdiction of the operational resilience regulation is uniquely broad. In the United Kingdom, the regulation applies to firms that fall under both FCA and PRA jurisdiction, meaning retail banks, investment banks, insurance firms, and financial market infrastructure providers are all potentially impacted.
What do insurance firms need to do to prepare for March 2022?
As a first step towards meeting their operational resilience requirements, insurance firms should consider carrying out an operating model maturity assessment. This will help identify the key business services and any vulnerabilities and define a target operating model, which builds in the core principles of operational resilience and business continuity.
A robust operating model, with the principles of operational resilience built in, will allow every aspect of the business to manage any potential disruption. From the operational staff who carry out the impacted tasks all the way through to the senior leadership team (who are accountable to the regulator), each person involved will have a defined set of responsibilities and escalations. This will ultimately help to ensure that the disruption remains within the set tolerance.
The first step to achieving this is to apply a comprehensive “As-Is” assessment of your operating model. In our recent series of blogs focussed on organisational transformation, we recommend an eight-layer assessment to form a comprehensive view of your current state operating model.
In recent years, the insurance industry has embraced increasingly digitised customer journeys, with the level of self-service available shifting customer expectations. The complex nature of the insurance industry, with its network of brokers and agencies, sets it apart from other financial markets and presents a challenge when aiming for compliance with operational resilience regulation. If companies do not have an integrated operating model that is based on business outcomes and customer value, they risk siloed and misaligned processes. This can result in difficulty prioritising process improvements and disjointed KPIs, meaning operational tolerances cannot be measured and reported. By building operational resilience into an operating model at the earliest possible stage, firms are more likely to avoid these pitfalls.
To succeed in meeting this challenge, firms should view operational resilience as an opportunity to build a solid business case. The legislation offers firms an opportunity to carry out a holistic review of their services and processes where they rely on third-party suppliers and where they are vulnerable to process failures.
By achieving an operationally resilient operating model, underpinned by scalable and robust technology platforms, firms are better protected from future unforeseen market conditions and will be able to react faster than competitors who have not fully embraced this change.