turkey solvency ii and operational risk 200911 v2
TRANSCRIPT
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
1/33
2010 IBM Corporation
Planning Considerations
Operational Risk and Solvency II
David W. Kerr
Partner and Insurance Practice Leader, Growth Markets
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
2/33
2010 IBM Corporation2
Risk has never been a biggerchallenge than in todays businessenvironment
new regulations, globalization, increased risk and business velocity,and an explosion of information
all demand more effective compliance and risk management practices and better alignment
of risk and performance management objectives for better business outcomes
Todays Business environment is increasing focus on Operationaland IT Risk
Source: IBM Global CFO Study 2010, Insurance POV
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
3/33
2010 IBM Corporation3
Agenda
An introduction to Operational Risk
An introduction to Solvency II
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
4/33
2010 IBM Corporation
Planning Considerations for Operational
Risk
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
5/33
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
6/33
2010 IBM Corporation6
UK Insurers have analyzed Operational Risk Events
Operational Risk
InternalFraud
ExternalFraud
EmploymentPractices and
Workspace Safety
Damage to PhysicalAssets
Business Disruptionand System
Failures
Execution, Deliveryand ProcessManagement
Clients, Productsand Business
Practices
Distribution of Loss Amounts (% of Total)1
Insurance 0.5
Banking 6.1
1.8
8.0
0.8
6.0
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
7/33 2010 IBM Corporation7
Distribution of Operational Risk by Insurance Function shows that all areasof the enterprise can contribute to risk events
OperationalRisk Event
% of
TotalLoss1
Execution, Delivery andProcess Management 65.5 27.7 13.2 7.0 6.3 4.0 7.3
Accounting, Finance &Investment
PolicyholderService
Sales &Marketing
Underwriting Claims Other
Clients, Products andBusiness Practices
Business Disruptionand System Failures
External Fraud
Internal Fraud
Employment Practicesand Workspace Safety
24.0
7.4
1.8
0.5
0.8
19.4 2.8 1.8
OtherITSales & Marketing
6.0 1.4
IT Other
0.7 0.7 0.4
Claims Sales & MarketingPolicyholder Service
0.2 0.1 0.2
Claims Policyholder Service Other
0.2 0.40.2
OtherHumanResources
Facilities
Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC)
1Based on data in the ORIC database which contains operational risk events with losses totaling more than 10,000 as reported by 18 UK carriers across the life and non-life segments. Asof 1Q 2009, the ORIC database contained over 2,000 incidents representing a gross loss amount of approximately 900m ($1.3B at 3/09 rates)
Operational Losses by Insurance Function (% of Total Operational Risk Event)1
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
8/33 2010 IBM Corporation8
Frequency and Severity of Insurance Operational Risk
Damage to Physical Assets
Internal Fraud
Employment Practice and Workplace Safety
External Fraud
Business Disruption and System Failures
Clients, Products and Business Practices
Execution, Delivery and Process Management
0 300 600 900 1,200
12
14
16
18
20
Frequency (number of events)
AggregateLosses(inNaturalLogarithm)
Severity and Frequency of Operational Risk Events
Level 1 Category
Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC)
Advisory activities, which fallsunder clients, products andbusiness practices, have a highrate of occurrence (9% of lossevents) and the highest loss perevent (13% of reported losses)
Accounting errors, which areincluded in execution, deliveryand process management, donot happen often (2% of events)but have a significant impact(12% of losses)
Customer service failures occurthe most often, accounting for16% of loss events
Reported loss experience from
ORIC database by level 2 category
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
9/33 2010 IBM Corporation9
Operational Risk events have a very large direct and indirect financialimpact on the Insurance Industry
Indirect Costs Associatedwith Operational Failures
Higher surrender rates/lowercustomer retention
Loss of new business
Fines
Lower customer satisfactionrates
Loss of reputation in the market
Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC)
3Q07 4Q07 1Q08 2Q08 3Q08 4Q08 1Q09 2Q09 3Q09
10
20
30
40
50
60
70
0
Submission Quarter
ReportedLoss
(millions)
Insurance Operational Losses by Quarter: 3Q07 3Q09As reported by 18 ORIC members
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
10/33 2010 IBM Corporation1010
But there are many challenges to address Operational Risk
Automating the process of identifying, measuring, monitoring, analyzing andmanaging operational risk
Insurance companies globally are under scrutiny to practice sound GovernanceRisk and Compliance (GRC)
Most insurance companies lack a consistent business capability to meet internalneeds and external demands
Inefficient, time consuming and manual processes make risk managementstrategically un-actionable
Many systems do not accommodate the companys specific needs
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
11/33 2010 IBM Corporation11
Identify
Quantify
Decide
Identify risk objectives and suitable business impact metrics
Catalog past, present, future failure events and root causes Map business processes and locate pain points
Assess frequency and severity of root causes & failure events
Map interdependencies between failure events and root causes
Forecast business impacts of expected and unexpected risks
Identify appropriate mitigation strategies for major risks
Assess costs of mitigation strategies
Perform scenario analysis to assess mitigation benefits
Anal
yticalTools
There areStructured Methodologies for Operational RiskManagement
Structured methodologies, supported by advanced analytics, are required to addressthe challenges insurers face when seeking to manage their operational risk exposures
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
12/33
2010 IBM Corporation12
One can apply both Top Down and Bottom Up approaches to analyzeOperational Risks
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
13/33
2010 IBM Corporation
Planning Considerations for Solvency II
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
14/33
2010 IBM Corporation14
An Introduction to Solvency II
Solvency 2 (S2) legislation wasinitiated by the European
Commission to fundamentallychange the current Europeaninsurance solvency framework
S2 evolved from the Basel II threepillar approach to Bankingregulation - it will produce a moreconsistent solvency standard
ensuring that capital requirementsare more reflective of the risksbeing accepted.
The date for the legislation tocome into effect is 01/2013 butinterim progress milestones arefast approaching.
Each insurer should decide nowwhat Solvency 2 means for them.
There is not one solution for all -Insurers need to understand the drivers that will influence both the scale of
investment and the value to be derived from their Solvency 2 Programme.
Valid for all insurance companies in EU after
forming the directive into national law
Solvency IIProtection of policyholders
against failure of insurance companies
CapitalAdequacy
Pillar I
Quantitative
Supervisionand
Governance
Pillar II
Qualitative
Disclosure
Pillar III
Market
Discipline
Underwriting Risk
Market Risk
Credit Risk
Asset/Liability
Management Risk
Operational Risk
Liquidity Risk
Valid for all insurance companies in EU after
forming the directive into national law
Solvency IIProtection of policyholders
against failure of insurance companies
CapitalAdequacy
Pillar I
Quantitative
CapitalAdequacy
Pillar I
Quantitative
Supervisionand
Governance
Pillar II
Qualitative
Supervisionand
Governance
Pillar II
Qualitative
Disclosure
Pillar III
Market
Discipline
Disclosure
Pillar III
Market
Discipline
Underwriting Risk
Market Risk
Credit Risk
Asset/Liability
Management Risk
Operational Risk
Liquidity Risk
Valid for all insurance companies in EU after
forming the directive into national law
Solvency IIProtection of policyholders
against failure of insurance companies
CapitalAdequacy
Pillar I
Quantitative
Supervisionand
Governance
Pillar II
Qualitative
Disclosure
Pillar III
Market
Discipline
Underwriting Risk
Market Risk
Credit Risk
Asset/Liability
Management Risk
Operational Risk
Liquidity Risk
Valid for all insurance companies in EU after
forming the directive into national law
Solvency IIProtection of policyholders
against failure of insurance companies
CapitalAdequacy
Pillar I
Quantitative
CapitalAdequacy
Pillar I
Quantitative
Supervisionand
Governance
Pillar II
Qualitative
Supervisionand
Governance
Pillar II
Qualitative
Disclosure
Pillar III
Market
Discipline
Disclosure
Pillar III
Market
Discipline
Underwriting Risk
Market Risk
Credit Risk
Asset/Liability
Management Risk
Operational Risk
Liquidity Risk
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
15/33
2010 IBM Corporation15
Implementation of Asset Liability Management or Dynamic Financial Analysis for alldivisions
Quantification of all significant risks and fair / realistic valuation of assets and liabilities
Adequate solvency capital for all lines and divisions
Adequate reserves
Quantitative requirements
Collecting, handling and controlling all significant risks
Prompt and comprehensive information on the risk situation for the management
Regular checks of the valuation and controlling of risks through internal audits
Precise hierarchies, communication channels and ownership for implementing and livinginternal controls
Defining and supervising limits and regulation (investment decisions and risk unterwriting)
Extensive separation between management and controlling
Implementing an early-warning system (key performance indicator based forecasts)
Regular profitatility and stress tests (scenario analysis, sensitivity tests)
Adequate asset allocation strategy (within given risk margin)
Qualitative requirements
Comprehensive and timely reporting (internal and external)
Disclosure (based on IFRS principles)
Market discipline and transparency
Solvency II Requirements
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
16/33
2010 IBM Corporation16
Solvency 2 Objectives Overview
Pillar I Risk Quantification and
Capital Adequacy Demands that firms explicitly quantify: The level of risk they face and the amount of capital needed to
support that risk. To perform these calculations, firms
can elect to: Apply a standard model
prescribed by the regulator, Operate a full internal model
across all business lines, or Operate a partial internal model,
with some areas remainingunder the standard model
The regulator will need to approveeach internal model after beingsatisfied that following tests have been
passed: Statistical quality Calibration Profit & loss attribution Validation Documentation Use
Pillars II & III: Internal Control and
Reporting Address the supervisory, reportingand disclosure requirements
Define the risk managementprocesses and practices that a firmneeds to have in place fordemonstration to the regulator.
To achieve compliance, the firm willhave to prove that it has :
Strong internal reportingmechanisms and a thoroughinternal audit function.
End to end, timely data sharingbetween the various functionaldepartments - from underwriting,claims, actuarial, operations, IT,
investment management, finance,risk and compliance, right up to boardlevel.
Reality : Many Western EuropeanInsurers are still only working towardsPillar 1 Compliance
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
17/33
2010 IBM Corporation17
Risk categories
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
18/33
2010 IBM Corporation18
Although Solvency II is less than 2 years away, many insurers still have themajority of work still to do
PWC S2 Report - 'Insurers face tough and
expensive push for S2 deadline'. More than 40% ofinsurers are still only in the preparatory stages or haveyet to launch their Solvency II projects.
According to a recent PwC survey of 115 insurers in 22countries across Europe and outside the EEA, 11%have not yet launched their Solvency II project. Ofthose that have started the implementation process, the
majority of respondents are only a quarter of the waythrough.
0 20 40 60 80
Projectplan
Gapanalysis
No
Partially
Yes
Status NL insurers Mid 2010 (N= 118)
Accenture, Most European Insurers Say
Compliance with Solvency II Will Cost MoreThan Originally Expected
Nearly one-third (29 percent) of the insurerssurveyed said they expect to spend more than25million to comply with the directive, including 7percent that anticipate spending more than100million. In a similar 2007 survey, only 4 percent of
insurers said they expected to spend more than26million and none said they expected to spend morethan100 million.
Lloyd's Solvency II costs estimated at about$480M: Levene
Compliance for Solvency II may cost insurers in the
Lloyds of London market as much as 300 million($480.2 million), according to the markets chairman.
The situation
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
19/33
2010 IBM Corporation19
Experience from western Europe shows challenges and suggested focusareas
Technology implementation issues are now becoming real. The designs that havebeen developed are being handed over to the IT development teams and delivery plans arebeing developed. These plans are now showing that either timescales are going to have tomove or scope is going to have to be reduced.
Data remains a key area of concern, be it accessibility or granularity of data and in manycases its quality. Therefore many organizations are now looking at how they can simplifytheir data requirements in order to achieve a realistic solution.
much effort has been placed, especially in the Quantitative Impact Study 5 (QIS5) on thedevelopment of sophisticated internal models that allow customization of SCR and MCRcalculations according to the companys needs. However, it is less valuable to fine-tuneinternal models without making sure they are fed with high quality data
BUT
insurers are beginning to appreciate the real implications it will have for theirbusinesses.
Solvency II is acting as a catalyst for businesses to restructure (it) is likely to lead toM&A activity in the form of acquisitions or disposals of portfolios, teams or companies asbusinesses look to achieve the scale and diversity they see as optimal under the newregime
Sources : Solvency II Survey 2011 (UK) Deloitte LLP, Meeting the Data Quality Challenges of Solvency II Moody Analytics
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
20/33
2010 IBM Corporation20
Solvency II is challenging but the potential business benefitsare big.
Ambition level Objectives Main benefits
Compliance with external
model
Compliance reached with minimal required
effort
Compliance with internal
model with auditableprocesses
Integrated data and reporting
platform feed calculations
Lower capital costs, improved credit rating,
optimization of reinsurance
Comparability with peers
Higher efficiency in risk & finance reporting,
rationalization of information systems
Value creation based on
Economic Capital return
Reporting based on fair
value combining external
demands with internal needs
Improved pricing
More value creating products
Performance mgmt, culture and rewards
based on true value
Complianceonly
Sustainablesolution
Managing onValue
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
21/33
2010 IBM Corporation21
Solvency II requires insurers to collect detailed asset, liability and risk data to beable to come up with the market consistent balance sheet
Performancemanagement
Reporting &information usage
External & internalmodels
Datastorage
Source systems &local databases
Typical numbers for top 10 insurers
10 to >50source systems
in multiple
(business) unitsExternal data
1000-1500attributes to be
modeled for
different risksand LOBs
Multiple modelsfor different
LOBs, different
calculationsteps
44 reports,1400 line items
for CP58
Internalreports
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
22/33
2010 IBM Corporation22
Based on our western Europe experience, we see data related gaps inmost Insurers environments
Parts of current IT application landscape under control of different parties who owns all the spreadsheets?
No specific policy on data management
No clearly formulated data quality checks
No central data dictionary across multiple legacy systems
Inadequate recoding of data history
Internal controls for business processes may be in place but not formalized ordocumented or tracked
Lack of controls on use of externally provided data note exposure from distribution channels. Are you even certain of clientnames?
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
23/33
2010 IBM Corporation23
The lack of good quality data will also have financial consequences
Granularity toolow to makemore detailedanalyses
-Much time spenton movementanalysis,-E.g..reconciliationbetween GL andRisk outcomes
Performance
management
Reporting &
information usage
External & internal
models
Data
storage
Source systems &
local databases
-Delays in modelupdating, testing &validation- Difficulty keepingaudit trail in riskoutcomes- Increased manualintervention
-Increase incapital due tocapital addon or use ofstandardformula-No basis forperformancemanagement
Changes in dataof sourcesystems can becostly to digest
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
24/33
2010 IBM Corporation24
Data integration makes up the majority of the implementation costsin a Solvency II project
0 10 20 30 40 50 60 70 80 90 100
Leverage Sol II findings
Build DWH
Retrieve and normalise
data
Detail requirements
Build internal model
Assessment current
situation
Rough estimate of cost break-up of a Solvency II project
% of total costsSource: IBM analysis
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
25/33
2010 IBM Corporation25
Data Sources/Operational Systems Extraction &Staging
InsuranceInformationWarehouse
Calculation EnginesData MartsDecision Support/
Reporting
Meta Data & Reference Data
Software Infrastructure
Development Environment and System Management
Enterprise DataIntegration
&historitation
Stress Test
Fair Value
Controlling
Scenarios
Other
RegulatoryReporting
Financialreporting
ActuarialReporting
ManagementReporting
Risk Analytics
Dashboards
Products
Partner/Clients
Contracts
Sales
Claims
FinancialAccounting
CapitalInvestment
Other
Challenge 1:Source systems
Many differentsource systems, ofvarying quality,technology, ageand accessibility
The data delivery challenges
Challenge4:
One versionof the truth
TransformationCalculation
(e.g. Risk Engine)Market Risk
Operational RiskActuarial Risk
Other Risk
Challenge 3:
Data Quality
Define rules,process and monitor
Challenge 5:
Requirementsmanagement
Challenge 6: Meta data
One language:
operational, technical, business
DataAcquisition
DataQuality
DetermineChanges
Challenge 2:
Data governance
Organise the
ownership, use,definition andstructure of thedata
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
26/33
2010 IBM Corporation26
Challenge 1: Many different source systems, of varying quality,technology, age and accessibility
IBM View Recommendations
Prioritize connection of source systemsbased on your relevant criteria (future proof,materiality, maturity)
Industrialize the data extraction process
Profile the data of the source systems beforethe business starts to map source to target
Use a repeatable Data migration approach
Use a strong tool for data profiling
Discover Validate Remediate
Discovery
Data profiling is simply taking a picture of the dataof the source systems
Should be done before the source to targetmapping
Skipping data profiling leads to:Unexpected source data
Old source data, business rules unknownMultiple versions of the dataIncomplete, out-of-date, untrusted dataRework and higher cost
Executing data profiling results in complete view:Relationships between data elementsData integrityDuplicate Values
Exceptional ValuesEmpty Fields
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
27/33
2010 IBM Corporation27
Challenge 2: Organize the ownership, use, definition and structure of thedata
IBM View Recommendations
Step 1: Get the (right) people in place togovern
Step 2: Do initial assessment, calculate valueof data and probabilities of risk
Step 3: Develop a data-governance strategy
Build a Data Governance Framework and assessyour current maturity
Consider available industry data models
Exploit Tooling
DataQuality
Management
InformationLife-Cycle
Management
InformationSecurity
and Privacy
Core Disciplines
Data Risk Management &Compliance
Outcomes
Value Creation
DataArchitecture
Classification &Metadata
Audit InformationLogging & Reporting
Supporting Disciplines
Organizational Structures & Awareness
Enablers
Policy Stewardship
IBM Data Governance Framework
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
28/33
2010 IBM Corporation28
Challenge 3: Define rules, process and monitor
IBM View Recommendation
Data Quality Management is a continuousprocess
Functional data quality rules should bedefined by the business
After definition of rules monitoring of DQshould be put in place
Data Quality Management approach as part of DataGovernance Framework
Use tools to enable processes
Data Quality
User can access
data
Accessability
Access Rights
Transactions
SystemAvailability
User can
understand data
User can use data for
decisions
User can exploit data
in processes
Interpretability
Semantics
Syntax
Plausibility
Reliability
Accuracy
Completeness
Consistency
Usefulness
Timeliness
Relevance
Up-to-Dateness
Non-Volatility
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
29/33
2010 IBM Corporation29
Challenge 4: One version of the truth
IBM View Recommendation
Use standard reference data model for theinsurance industry
Requirements are clear: Repository of historical data for validation /
calibration of internal models and reporting Capturing of results from calculation engines Central data store for all analytic purposes
Storage of detailed raw data from multiplesources
Build a robust data warehouse architecturesupported by an enterprise data dictionary
One physical Enterprise Data Warehouse is notnecessarily the (only) solution
FOUNDATION MODELSEnterprise Insurance
Concepts Definition forCommunication and
Standardization
DATA MODELSInsurance data content foran enterprise-wide view of
information and data
rationalization
SERVICE MODELSEnterprise Insurance Services
Definition for componentbased development and
Service Oriented ArchitectureProduct Models for
accelerating insuranceproduct design
PROCESS MODELSEnterprise Insurance
Processes Definition forbusiness process
modelling, simulation,and executionSample :
IBMsInsurance
InformationWarehouse
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
30/33
2010 IBM Corporation30
Challenge 5: Requirements management
IBM View Recommendation
Solvency II requirements are extensive &changing
Define high level data requirements right fromthe start based on needed reporting
Iteratively sharpen/add data reqs in releases,realise 1st working source-report chain forsmall scope, then extend LOB/LOR scope
Use accelerators from vendors to get started.Define long term tool and asset strategy once base
model is in place
Generation data-
marts
Reqsanalyis
Determination of facts,measures
anddimension
s
Determinedata
definitions
Designlogicaldata
model
Sourceanalysis
andextractio
n
DWHbuild
Data related activities for acquiring Solvency II compliancy
Use Accelerators Use tooling and own models
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
31/33
2010 IBM Corporation31
Challenge 6: Meta data, one language, operational, technical, business
IBM View Recommendation
Full audit ability from report-source requiresdata lineage and metadata management
Standardization of business terms and theirdefinitions is a critical first step
Build an architecture that considers the end to endaudibility requirements (even with narrow scope)
Select tooling that supports the broader traceabilityrequirements
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
32/33
2010 IBM Corporation32
Investment in a Solvency 2 solution can provide significantbusiness opportunities for insurers
Improving capital allocation by giving a common basis for comparing projects /business strategies
Providing management with deeper insight into risks to identify areas ofcompetitive advantage
Delivering improved MI to facilitate decision making
Creating value through improved product design and pricing
Enabling better alignment of employee remuneration with risk-basedperformance
Minimizing cost of raising capital, reinsurance and other risk transfer productsby making the firms risks more transparent and measurable
Driving investment in scalable / extendable models to minimize cost of futurechange (such as IFRS Phase 2)
Efficiency improvements, e.g. removing duplications across different reportingprocesses; increased automation
Realising these benefits need not require an instant, wholesale businesstransformation.
-
8/4/2019 Turkey Solvency II and Operational Risk 200911 v2
33/33
Urgent Decisions and Guiding Principles
1.Define and articulate the vision and ambition for the Solvency 2 programme, gaining
committed buy-in from across the business and IT
2.Agree the calculation model approach to be used i.e. Standard vs. Partial Internal vs.
Full Internal and select between achieving basic compliance, or to invest smartly and
gain business benefit.3.Understand the S2 Risk and MI needs of different roles and user groups so the
solution can be designed to support these requirements and deliver MI to an appropriate
level of granularity for each constituent member or group
4.Decide the degree to which the risk calculation process is to be industrial strength?
Capture the organizations ambitions towards end-to-end data integration
5.Agree their appetite for technology as an enabler to support and embed the desired
change.
IBMs experience from similar projects indicates that insurers must act nowto: