Ralph Baxter highlights the importance of managing external data and how it is integral in maintaining operational best practice
It goes without saying that successful risk management has always been crucial to the long-term health of the insurance industry. But the increasing focus on corporate governance brings a new dimension to the issue. Regulators are not only interested in the risk metrics produced; they also want to know how reliably these numbers have been generated. This concern is one dimension of operational risk, but one might also call it 'the risk of managing risk'.
It is the role of actuaries to monitor and price market risks. It is therefore imperative that when approaching the topic of operational risk, one does not fall into the trap of suggesting that actuaries are ignorant about risk. They are clearly not.
Actuaries deal with change on a daily basis in the form of sophisticated, mutable data held in humble spreadsheets and similar databases. They are also working in an industry that is currently undergoing intense upheaval as regulators, analysts, shareholders and other stakeholders demand greater transparency, more effective 'own risk and self-assessment' data controls, and stronger risk-based capital management.
The fact that these demands are putting greater pressure on actuaries heightens the need to better manage the operational risks that insurance firms and their staff are exposed to. It is unsurprising, perhaps, that 'operational' risk is major part of Solvency II's second Pillar.
The volume of data and the data chains that actuaries work with are significant. It is not unthinkable that firms use several thousand data files to feed into the main actuarial process, which contain information about a variety of processes, including running claims, the reserving process and reinsurance. Departments are increasingly aware of the need to own internal data risk, and as a result of this, a large amount of human resources are dedicated to checking and reconciling data.
Head actuaries manage these processes accurately and effectively within their network; however, the focus on operational best-practice has shone the spotlight on challenges such as data security and audit, external access to data, and the quality of data that is fed into an insurer from business partners such as brokers. It is often these 'un-owned' risks imported into the actuarial system that pose the greatest hazards.
For instance, actuaries might make the assumption that the data they receive is correct. This confidence means that while the operational risk can be clearly managed by internal risk management processes, the system could already have been fundamentally undermined from the start. This essentially negates the benefits of the risk management process.
The question that few ask is: who owns the risk while the data is outside individual systems? The responsibility for answering this question must rest on the shoulders of those who are most at risk the actuaries themselves.
While firms are increasingly aware of the need to establish a clear risk management 'tree' for their operational risks, it appears that there is a very real reluctance to acknowledge the risks outside their perceived sphere of responsibility.
In order to minimise their level of exposure to these, there are a few key steps that actuaries should take:
- Identify the integrity of the data at its source;
- Establish clear controls to manage its transition into the internal system; and
- Clearly allocate ownership of the risk management process at all stages.
It is imperative that insurers take action now to understand the weaknesses of their data systems. Challenges relating to 'Big Data' continue to grow, not just for insurance firms but all businesses. The issue has become even more pronounced as regulators demand more information and directives such as Solvency II (to name just one) proliferate and intensify. Pillar 2 of Solvency II sets out requirements for the governance and risk management of insurers, among other things; Pillar 3 focuses on disclosure and transparency requirements.
Recent research carried out by ClusterSeven on actuaries and financial professionals working at insurers found discrepancies in their operational risk management processes as well as their understanding of the challenges of Solvency II.
Asked about the FSA's 2011 review of the Internal Model Approval process, for instance, and its requirement for a control system for key spreadsheets, 32% of respondents said they were not aware at all of any Solvency II related regulatory statement on the control of spreadsheets.
The survey found that around half (49%) of respondents use spreadsheets more than any other software application for modelling, data management and reporting activities. It also indicated that people had real concerns about the inability of other people to understand their company's spreadsheets and the lack of standardisation of data management.
Over half (53%) of respondents said that a qualified actuary could work out what was happening with their work in their absence but they would have to rely on skills and experience as the internal corporate documentation is not sufficient. Only 30% said that there is full and sufficient documentation in place. It is also a strong endorsement for better in-house training as well as the use of software that can help trace and prevent data errors fomented by a lack of management continuity.
The first step for actuaries is to understand where their data is coming from and what measures have been put in place to maintain its integrity when connecting it to their internal business applications. The second, critical aspect is to implement control and oversight processes that make sure that calculations are based on this data. This responsibility must be clearly allocated through unified risk management processes only then can organisations begin to mitigate the threats they face.
Firms that fail to take ownership of the data at an early stage of the process and instigate a transparent control environment are leaving themselves unnecessarily exposed to very real financial and reputational risks. In the past these risks were only implicit within the day-to-day work of the business. Now they are truly an explicit requirement. The risk of managing risk is here to stay.
Ralph Baxter is CEO of ClusterSeven