Viewpoint: Sandra E. Giuffre, Insuring Operational Risk: How Good Is the Coverage?

****JavaScript based drop down DHTML menu generated by NavStudio. (OpenCube Inc. - http://www.opencube.com)****

Home About MMC MMC Overview: Our Businesses Board of Directors and Executive Officers International Advisory Board Corporate Governance Code of Business Conduct and Ethics Company History MMC Memorial Site: Remembering Our Colleagues Investors Quarterly Earnings Annual Report and Proxy Statement Current Archive Request for Annual Reports Annual Meeting and Official Business SEC Filings Shareholder Information Dividend Information Stock Price Information News Current MMC News MMC News Archive 2008 2007 2006 2005 MMC Knowledge Center Knowledge Center Home Climate Change Data Theft Doing Business in China Economic Insight and Analysis Global Pandemics Global Risks Report Healthcare Benefits Human Capital Managing Strategic Risks Mergers and Acquisitions Natural Disasters New Technologies Outsourcing Pension Liabilities Strategy Terrorism Viewpoint - The MMC Journal Careers Search Positions at MMC Search Positions at MMC and Our Operating Companies Learn More About Careers at Our Operating Companies Marsh Careers Guy Carpenter Careers Mercer Oliver Wyman NERA Economic Consulting Lippincott Risk Consulting and Technology Kroll How Do I Apply? General Questions Marsh Guy Carpenter Mercer Oliver Wyman NERA Economic Consulting Lippincott Risk Consulting and Technology Kroll Contact Us

MMC Knowledge Center

Knowledge Center Home

Viewpoint - The MMC Journal

Viewpoint Archive

Order Viewpoint

Viewpoint

Insuring Operational Risk: How Good Is the Coverage?

Printer version

PDF

By Sandra E. Giuffre

Is insurance a good way to manage operational risk? Financial institutions are under particular pressure to find precise answers to this question, because under the Basel II regulatory regime, the purchase of insurance can reduce the amount of capital a bank must hold against operational risk by as much as 20 percent. As implementation of the regime approaches, financial institutions will need to devise methods for valuing insurance that will be rigorous enough to pass muster with bank regulators.

Underlying this industry-specific challenge is a more significant and more general one: All corporations need to devise rational ways to structure their insurance programs.

Calculating Risk and Its Mitigation

To apply a credit of up to 20 percent of its capital held for operational risk, a bank must meet a number of regulatory requirements, one of which is making explicit the relationship between a bank’s operational risks and insurance. How, in fact, do banks determine the likelihood (or frequency) and impact (or severity) of losses from operational risks? And how do they use this analysis to determine how much operational risk capital they should set aside?

One way banks approach this is by using scenarios and selfassessment processes, typically on the level of the individual business unit – for example, their retail banking unit, corporate finance, or trust department. Banks then classify these risks/scenarios into the Basel II loss event categories – for example, internal fraud, external fraud, and damage to physical assets. This allows financial institutions to generate frequency and severity parameter information to be used in determining an appropriate amount of capital to set aside to satisfy their operational risk exposures.

According to the Basel II framework, a bank’s “risk mitigation calculations must reflect the bank’s insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the bank’s overall determination of its operational risk capital.” Thus, if a bank wishes to reduce the amount of capital it must hold by purchasing insurance, it must develop a process for understanding the relationship between insurance and operational risk determined by the bank. Methodologies for this process fall within two basic categories:

A bank can model the value of its insurance independently and then put this value into the context of the operational risks it faces. This is called an insurance-based analysis.
A bank can measure the operational risks it faces and then value the insurance in the context of these risks. This is called an operational risk-based analysis.

The two categories differ in complexity, cost, and the level of consistency and transparency associated with the bank’s particular operational risk environment.

Insurance-based Analysis

Probability distributions for losses falling under a bank’s insurance policies can be used to draw conclusions about the effect these policies have on the institution’s operational risk capital. The process of matching insurance product loss events (or insurance claims) to operational risk loss-event categories provides insights into the operational risk and insurance environment. The diagram below depicts this relationship within the narrow scope of insurable operational risk.

This process shows that virtually all loss events associated with the various insurance policies fit within the Basel II operational risk loss categories. Basically, what insurance transfers is operational risk. Accordingly, almost 100 percent of insured loss events map to operational risk loss event categories.

Operational Risk-based Analysis

The alternative approach tests the relevance of insurance coverage against a bank’s assessment of the broader scope of insured and uninsured operational risks.

As reflected by the large circle, operational risk loss events exist for which there are currently no insurance solutions – for example, a “nonphysical peril” business interruption, first-party processing errors, and some technology risks. The diagram above also shows that a single operational risk loss event can trigger more than one insurance policy.

As mentioned earlier, insurance-based analyses show that almost 100 percent of insured loss events map to operational risk loss event categories. But operational risk-based analyses show that the converse is not true when trying to map operational risk loss events to insurance policies. These two processes do not provide the same information, as the scope of each is different. Although the approaches do not produce the same analysis, they can be complementary, and potentially reinforce each other, as they typically draw data from different sources.

Which Methodology Will Prevail?

The insurance-based analysis has a narrower scope, and it can be performed using inputs derived from insurance information. But it is still unclear how regulators will interpret Basel’s requirement that a methodology used to derive the capital credit for insurance be “consistent” with the frequency and severity of loss used in the bank’s overall determination of its operational risk capital. It is possible that regulators will decide that the insurance-based approach by itself may not be sufficient.

Even if the insurance-based calculations can be used to obtain capital credit from a regulator, their narrower scope makes them ill-adapted for developing risk transfer solutions for types of operational risks that are currently uninsured. The operational risk leader of a large financial institution used the following analogy to explain the shortcomings of the insurance-based approach: “Understanding that insurance covers me for three hours during two different days of the week is interesting and somewhat helpful, but the approach doesn’t tell me which hours within the day or which days.” How can a company buy a gap risk-transfer solution, for example, when it cannot tell whether it would actually fill a gap or possibly duplicate existing insurance coverage? Operational risk leaders who cannot tell if insurance is definitely going to be there will often assume that it is not.

By contrast, the process used in an operational risk-based analysis moves from operational risks (typically events and/or scenarios) to insurance. If the analysis is performed with rigor, the results will be consistent with the bank’s operational risk capital calculations, and, therefore, more likely to obtain regulatory credit under Basel II. More important, this kind of analysis can form the basis for understanding the economic value of the insurance against the background of operational events that cause the bank its greatest concerns. It can also help a bank allocate its insurance capital and premiums to particular operations and geographies as a part of its overall capital allocation process.

Operational risk-based analyses require a wider range of data. The number of variables will depend on the desired level of precision, but even the most streamlined operational riskbased analysis will require more detail, greater knowledge of insurance, and deeper knowledge of the bank than the insurance- based approach. In the end, given the relative costs and complexities of these approaches, many financial institutions will probably opt for some combination of the two.

Does Insurance “Cover” Operational Risk?

The differences between the two types of analyses described above are symptomatic of a significant divide between the sellers and buyers of insurance. Insurance companies tend to believe that insurance “covers” operational risk. But insurance buyers know that the coverage is far from complete.

The split reflects a simple fact: The experience of the insurance industry is limited almost exclusively to insured events. Insurers hear about loss events that their clients expect will be covered; they tend to not hear about loss events their clients do not expect to be covered. But in fact, covered events are a subset of the total loss events associated with operational risk.

Standard errors and omissions (E&O) policies, for example, often require a judicial or formalized proceeding before a claim can be made. Furthermore, E&O policies primarily cover third-party liability, not first-party losses. E&O policies may not cover “cost of corrections,” which is a third-party loss where liability has not been established. Some banks with trading operations spend tens of millions of dollars to correct erroneous trades; other banks have significant losses associated with processing errors. Yet most of these losses never trigger the E&O policy and are never reported to insurers.

Business interruption coverage is another case in point. The power blackout of 2003 forced many financial institutions to close offices temporarily because they could not run computers or clear trades at the affected sites. Yet few banks, if any, were able to present claims for the losses they suffered because business interruption coverage typically must be triggered by an insured loss and because of the distance limitation wording contained in most property policies. Here, too, insurers were unlikely to capture information about losses that clearly fell outside the scope of the policies in force.

Toward More Useful Forms of Insurance

This is not to suggest that insurance has little value in the context of operational risk. What it does mean is finding smarter ways to use insurance – whether by evolving traditional forms of coverage or by developing new risk transfer and risk financing solutions. Marsh has been conferring with banks, rating agencies, and regulators at national, regional, and global levels about a variety of techniques for transferring and financing operational risk with the goal of qualifying for capital relief under Basel II.

We are working with clients to analyze the regulatory and economic value of their insurance for operational risk, enhance their decision making about such insurance, and lay the groundwork for obtaining maximum regulatory credit for insurance when Basel II is implemented in 2007. Under the pressure of this regulatory regime, financial institutions will likely be the first insurance buyers to take advantage of innovative approaches to transferring and financing operational risk. And if past trends are any precedent, corporations in other sectors will not be far behind.

***

Sandra Giuffre is a Marsh managing director and the FINPRO global operational risk practice leader. She is based in Norwalk, Conn., and can be reached at .