The role of insurance in operational risk mitigation

Based on Daniel Butler's presentation at RMA's Third Annual Operational Risk Forum, this article presents Aon's five-step approach to risk mitigation and shows what a financial institution needs to know before attempting to integrate insurance into its capital framework.

It does sound fearsome: "...loss resulting from inadequate or failed internal processes, people, and systems or from external events." The Basel Committee's Revised Working Paper of September 2002 makes operational risk sound like loss and failure. No one wants to be labeled "inadequate" or a "failure." Of course, that also means everyone wants to have a handle on mitigating operational risks. And that's where the challenges begin.

Banks have developed a range of risk management techniques for credit and market risk. It is on these risks that banks have traditionally focused their risk management resources. Although not new, operational risk management in banking is an evolving and challenging discipline. Operational risks can come from practically anywhere within the organization. The nature of these risks makes them hard to measure as well; so while we may insure against a certain risk, we really don't know if we're underinsured or overinsured. It's hard even to tell exactly what certain insurances cover. Anyone attempting to deal with operational risk management will agree that the data just isn't there...yet. Add to that its evolving nature and the fat-tail tendencies toward highly unlikely but highly disastrous events, and operational risk begins to look as formidable as the Basel Committee has painted it.

Aon takes a five-step approach to effective operational risk mitigation for institutions:

1. Identification and risk mapping, which begins with setting forth the framework for implementation and formalizing an overall operational risk strategy. Definitions help everyone get on the same page; for example, just how does the organization as a whole define a loss? Data capturing mechanisms must then be set up, and losses must be mapped into risk categories communicated to the entire organization.

2. Quantification, which is where technology steps in as we select and apply modelling techniques. Aoa enhances its ability to provide banks with external benchmarking, modeling, and forecasting by using its own operational risk database. A risk profile is set up by first identifying the organization.

3. A risk profile is set up by first identifying the organization's risk appetite overall and then the risk appetites of individual businesses. This is benchmarked against the risk appetites of peer firms as well as the organization's own actuarial trends, and analyzed further by including geographical factors. The organization's strategic vision must overlay the identified risk appetite, aggregation issues are taken into account, as well as the benefits of market and credit risk diversification.

4. Risk solutions are divided into those can be handled internally--through captive analysis, risk financing analysis, of risk retention--and those that are mitigated externally through insurance or capital markets. When considering insurance, Aon maps available insurances against identified risks, next reaches an accord with the organization concerning appropriate retention levels and limits, and then designs an insurance program that provides alternative game plans in conjunction with the organization's business goals.

5. Monitoring and updating is important in ensuring that the organization's operational risk management strategy is implemented and maintained. Aon also provides updates on operational risk developments.

Integrating Risk Finance into Capital Framework

Historically, banks buy insurance on a case-by-case basis, rather than holistically. Insurances may include those against employee fidelity, external computer crime, professional indemnity, directors' and officers' liability, property, and general liability. Figure 1 shows how insurance can hedge against operational risk exposure.

Traditionally, a firm's capital base has been considered as comprising some mixture of debt and equity, with the implication that all risks faced by the firm will be funded primarily by shareholders funds and, in the last resort, by creditors. A more realistic approach is to recognize the role that insurance and other forms of risk finance can play in providing alternative sources of capital that can absorb losses.

Much of senior management's time is devoted to putting in place a capital framework that will fund the activities of the bank at the lowest possible overall cost of capital commensurate with a given degree of protection for the bank and its stakeholders. As with any part of a bank's business, operational risk exposures must be financed. In the absence of an active operational risk hedging regime, operational risk is funded, by default, through exposing shareholder capital to potential losses.

There are two main sources of capital that are available to finance operational risk exposures:

1. Shareholder capital, which must be retained in instruments that are sufficiently liquid so that it may be accessed, without delay, in any crisis situation. Unfortunately, such instruments typically provide very low returns.

2. Transfer techniques, such as insurance, whereby the bank pays a premium up front in return for funds to cover losses when they occur. These techniques have the additional advantage of potentially providing both balance sheet protection and income smoothing.

The issue of capital is particularly sensitive for commercial banks, as the level of business they can undertake depends directly on the amount of regulatory capital available on the balance sheet to cover that business. Therefore, any capital framework must take into account not only the absolute cost of the relative forms of capital available but also the opportunity cost in the form of reduced returns to shareholders of the business forgone if a capital-inefficient regime is introduced.

In essence, the issue of funding operational risk exposures comes down to accessing the correct amount and mix of shareholder and other capital at the lowest cost. The main argument for including insurance and other risk financing techniques in the bank's capital framework is that these techniques offer an additional pool of risk capital that may be accessed by the bank beyond that available from shareholders. Due to the diversification and pooling benefits available to the sources of this capital, the cost per unit of insurance/hedging capital will likely be less than that of shareholder capital. This cost advantage is reinforced by taking into account the opportunity cost, in terms of lost revenue, of using shareholder capital to fund operational risk.

Should these expectations of a relatively inexpensive capital source be justified, then, from the bank's point of view, the only practical limits to the amount of such capital used are regulatory restrictions, which demand that a minimum amount of shareholder capital is retained specifically to cover operational risk. In the regulators' defense, however, they have stated that they do not expect banks to hold capital for truly catastrophic events, such as major transnational natural disasters that can cause the total collapse of the financial system. In the end, central banks and, by extension, governments do remain the financial system's guarantors of last resort. Within the regulatory limitation, the bank's management must decide how best to apply this available "portfolio" of capital to actual risk exposures.

Every bank faces three broad categories of losses from operational risk: expected, unexpected, and severe/catastrophic unexpected. Keeping in mind the objective of retaining as much shareholder capital as possible for the bank's core business, it makes sense to apportion risk capital according to the requirements of each potential loss category (see Figure 2).

Expected costs are those common, relatively small losses whose frequency and amount can be predicted with a strong degree of accuracy. These losses are viewed as being simply "part of doing business," and their cost is factored into the pricing structure of the bank's products. As such, their impact is primarily on the income statement and not immediately on capital.

The next two categories are the unexpected and severe/catastrophic losses, which are relatively rare but of sufficient severity to seriously affect the bank or, in extreme cases, cause it to cease trading altogether. It is at this level where the diversification and pooling benefits available to insurers become apparent and the capital framework of the bank can be optimized by using risk-finance capital to replace shareholder capital.

It is very inefficient to hold shareholder capital to cover these or losses. It is a far better use of shareholders' funds to finance these risks through the risk transfer mechanisms of insurance coupled with other hedging techniques, such as capital markets instruments, and retain the shareholders' capital to fund the core business of the bank, which is to generate a return for shareholders. To integrate insurances, however, a financial institution must understand the value of each product--and there's the challenge. Rarely do banks have a full grasp of what they're buying or even why they're buying it. Institutions must understand the benefits to know whether the risks being transferred are being covered adequately by the contracts.

A risk finance road map can help institutions come to a better understanding of their needs versus levels of insurance. If the institution knows that a standard contract provides only 30% of the desired hedge, it can act accordingly.

How Robust Is Insurance?

When entering into an insurance contract, a financial institution must have confidence that the insurance will pay when you want it to pay. What the industry has historically lacked is sufficient evidence to demonstrate the efficacy of insurance contracts. Aon is in the process of constructing a database that will provide banks with the tools not only to benchmark their internal data with accurate external data but also to measure the effectiveness of insurance contracts, thereby addressing concerns regarding scope of cover and speed of payment. This database will be launched in the second quarter of 2003. Initial findings from the database demonstrate that in 75% of the cases studied, clients received funds within 100 days of settlement (see Figure 3). When looking at such issues as speed of payment, a vital indicator is the time between when the claim is settled and when the funds are received. Once banks can calculate the true value and effectiveness of their insurance contracts, they can incorporate the b enefit into a capital framework.

The Future

More advanced contracts, such as rogue trading or broad-form liability, actually transfer a greater degree of operational risk to insurance. Again, the portfolio management principle applies. Assume that an insurance company has 10 risks in a room; it analyzes the potential for one of those 10 risks turning into reality and prices accordingly. If risks are being diversified over an industry, an insurance firm can price more competitively.

Leading-edge insurance contracts are moving toward the industry providing loss definitions that are more akin to those developed by banks, thus providing greater risk protection.

Eventually, using capital tools as an enhancement to insurance tools will provide greater limits and greater liquidity for particular events.

Contact Butler at [email protected]

[FIGURE 2 OMITTED]

[FIGURE 3 OMITTED]

Butler is a director at Aon Limited, London, UK

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group