Operational resilience can be defined as the ability of a firm to bounce back from an unexpected event. Given what’s happened in 2020 so far, operational resilience is therefore at the top of the agenda for re/insurers – as well as everyone else in the financial market.
Ironically, operational resilience has been on the agenda for some time now, said Michael Faber (pictured), Senior Consultant, Crisis Management and Operational Resilience for GreenKite Associates, pointing out that the original consultation papers from the regulators PRA, FCA and Bank of England first came out in 2018. He stressed that this isn't some form of knee-jerk reaction on the back of COVID-19.
“Less than 20 years ago Operational Risk came to the fore, with the previous key focus based more around credit risk, market risk and insurance risk,” he explains. “A lot of the things that we see coming from the regulators aren't necessarily new, but it's new in terms of some of the definitions and approaches that come from the regulators for which our organisations need to be able to demonstrate compliance. So operational resilience is an important and very new topic for us to focus on.”
Faber said that the consultation papers were due to close in April this year, but because of COVID-19 the regulators moved the date to the 1st of October – so the consultation is now closed and they will be looking at the responses. Once published there will be a period for organisations and firms to fully comply with the new regulations, although a number of finance and insurance firms have already done considerable work in this area.
“I think one of the key elements of focus from the regulators is what I would call an ‘outside-in’ approach. We may often look from the inside out, looking at issues like how do we protect our revenue, our reputation, etc. The regulators in turn are saying we need to demonstrate a view from the client and customer perspective, such as if something is causing customer harm or client harm. For example, if you take a retail bank, then ‘harm’ might be the failure to complete a funds transfer on a mortgage completion date. You're expecting the funds to come in as part of the sale and purchase, and if the funds don't come in that will cause customer harm.”
According to Faber the first thing is to identify what key services exist within the organisation and then look at the “impact tolerance” to then create an impact tolerance statement. This should be agreed at the board level/top management of an organisation and should look at what tolerance should be set against a disruption in a key service to a client, such as the maximum length of time acceptable for disruption to a key service.
Faber confirmed the benefit of adopting or maintaining the standard bronze, silver, gold approach for managing crisis events should they occur. This was first developed by the Metropolitan Police in the UK after the Broadwater Farm riots in 1985 and uses three levels of control. Gold is the strategic view at a high level, silver is the tactical view and bronze is the operational view.
For example, for an international company with offices all over the world, the gold level looks at the strategic side from a group perspective, separate silver teams might cover areas like EMEA, the Americas and APAC and then bronze would be local to an event, such as a power failure or gas leak or terrorism incident.
“What I found often missing was a link between the executives and the non-executives within a crisis-management structure – and that's where I’ve introduced a platinum level above gold that’s identifying the link between the gold executive team and the non-exec's, allowing the necessary oversight of critical decisions for the organisation.”
Faber also stressed that in this year of COVID-19 not just insurers but the financial market as a whole needs to make sure that it actually learns the right lessons from events. He cited an example of what not to do in the case of Nick Leeson and the fall of Barings Bank in the 1990s. Although the scandal was a major one at the time, the lessons that were learned were swiftly forgotten, with other similar rogue-trader events occurring thereafter.
“Looking at the human race, generally we've maybe not always been the best at learning lessons,” he adds. “However, what we need to do at the end of COVID-19 – and indeed any other event – is hopefully say, ‘look, these are the things we did well which we need to promote and do more of, and these are the things that we could have done better and these are the areas that we potentially have identified where we need to make sure that we don’t make the same mistakes again.
“If implemented successfully, we can then sleep better at night knowing that we have actually learned those lessons, ensuring that they are put into practice and remain current for the future.”