David W.

Kerr Partner and Insurance Practice Leader, Growth Markets

Planning Considerations Operational Risk and Solvency II

2010 IBM Corporation

Todays Business environment is increasing focus on Operational and IT Risk

Risk has never been a bigger challenge than in todays business environment

new regulations, globalization, increased risk and business velocity, and an explosion of information all demand more effective compliance and risk management practices and better alignment of risk and performance management objectives for better business outcomes

Source: IBM Global CFO Study 2010, Insurance POV 2

2010 IBM Corporation

Agenda

An introduction to Operational Risk

An introduction to Solvency II

2010 IBM Corporation

Planning Considerations for Operational Risk

2010 IBM Corporation

With all the attention on reporting and Solvency II, the issues relating to Operational Risk may actually have an even greater impact to Insurers
... the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Internal Processes External Events

People

Systems

Credit Risk

Market Risk

Operational Risk

Operational risk can kill financial institutions. Credit and market risk are now well understood and are therefore more likely merely to wound. It is the relative lack of understanding of operational risk that is threatening.
-- Adrian Belton, director of operational risk, Barclays Group worldwide, London
5 2010 IBM Corporation

UK Insurers have analyzed Operational Risk Events

Operational Risk

Internal Fraud

External Fraud

Employment Practices and Workspace Safety

Clients, Products and Business Practices

Execution, Delivery and Process Management

Business Disruption and System Failures

Damage to Physical Assets

Distribution of Loss Amounts (% of Total)1 Insurance Banking 0.5 6.1 1.8 8.0 0.8 6.0 24.0 52.4 65.5 24.9 7.4 1.2 <1.0 1.4

Description of Event
Acts involving internal parties intending to defraud, misappropriate property, or circumvent the law, regulations or company policy Acts by a third party with the intent or result of defrauding the institution, misappropriating property, or circumventing the law Acts inconsistent with employment, health and safety laws or agreements, personalinjury claims and diversity/discrimination issues Failure to meet professional obligations to specific clients (including fiduciary and suitability requirements), or such failure caused by nature and design of a product or service Failed transaction processing or process management, relations with trade counterparties, and relations with vendors Failures of hardware or software, telecommunications outages, utility outages, and real estate facilities problems Loss or damage to physical assets from natural disasters or other events such as terrorism, vandalism, fires, floods, storms, civil wars and strife

Insurance Examples
An employee colluding with or impersonating a customer to make a fraudulent claim Use of irregular accounting procedures for financial gain Failure to disclose investment losses
1Based

Policyholder supplying Wrongful termination incorrect data to obtain Workplace harassment cover or reduce cost Discrimination based Supplier deliberately on religion, sex, age, overcharging for their ethnicity, etc. services or submitting false claims Fraudulent surrenders to generate commissions

on reported losses provided by 18 UK carriers in the ORIC database

Regulatory breach by a financial advisor Failure to ensure claimant had sufficient information during the claims process Non-qualified individuals selling or giving advice Breach of data privacy rules

Policyholder service failures (i.e., failure to implement address or beneficiary changes) Claims payments to the wrong policyholder or incorrect amount Policy pricing errors Unintentionally exceeding underwriting limits Missing policy documents

IT system or telecom Loss of building housing downtime data and/or call center Viruses and security Theft of equipment breaches Unauthorized access to internet site or data center

Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC) 6 2010 IBM Corporation

Distribution of Operational Risk by Insurance Function shows that all areas of the enterprise can contribute to risk events
Operational Risk Event Execution, Delivery and Process Management % of Total Loss1 65.5 Operational Losses by Insurance Function (% of Total Operational Risk Event) 1

27.7
Accounting, Finance & Investment

13.2
Policyholder Service

7.0

6.3

4.0

7.3
Other

Sales & Underwriting Claims Marketing

Clients, Products and Business Practices

24.0

19.4
Sales & Marketing

2.8
IT

1.8
Other

Business Disruption and System Failures

7.4

6.0
IT

1.4
Other

External Fraud

1.8

0.7
Policyholder Service

0.7
Claims

0.4
Sales & Marketing

Internal Fraud

0.5

0.2
Claims

0.1
Policyholder Service

0.2
Other

Employment Practices and Workspace Safety

0.8

0.2
Facilities

0.2
Human Resources

0.4
Other

1Based

on data in the ORIC database which contains operational risk events with losses totaling more than 10,000 as reported by 18 UK carriers across the life and non-life segments. As of 1Q 2009, the ORIC database contained over 2,000 incidents representing a gross loss amount of approximately 900m ($1.3B at 3/09 rates) Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC) 7 2010 IBM Corporation

Frequency and Severity of Insurance Operational Risk

Severity and Frequency of Operational Risk Events Level 1 Category
20 Execution, Delivery and Process Management

Reported loss experience from ORIC database by level 2 category

Clients, Products and Business Practices

Aggregate Losses (in Natural Logarithm) 18

Business Disruption and System Failures

Advisory activities, which falls under clients, products and business practices, have a high rate of occurrence (9% of loss events) and the highest loss per event (13% of reported losses) Accounting errors, which are included in execution, delivery and process management, do not happen often (2% of events) but have a significant impact (12% of losses) Customer service failures occur the most often, accounting for 16% of loss events

16

External Fraud
Employment Practice and Workplace Safety Internal Fraud

14

Damage to Physical Assets 12

300

600

900

1,200

Frequency (number of events)

Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC) 8 2010 IBM Corporation

Operational Risk events have a very large direct and indirect financial impact on the Insurance Industry
Insurance Operational Losses by Quarter: 3Q07 3Q09
As reported by 18 ORIC members

70

Indirect Costs Associated with Operational Failures Higher surrender rates/lower customer retention Loss of new business Fines Lower customer satisfaction rates Loss of reputation in the market

60

50 Reported Loss ( millions)

40

30

20

10 0 3Q07 4Q07 1Q08 2Q08 3Q08 4Q08 1Q09 2Q09 3Q09

Submission Quarter

Source: Association of British Insurers (ABI); Operational Risk Consortium (ORIC) 9 2010 IBM Corporation

But there are many challenges to address Operational Risk

Automating the process of identifying, measuring, monitoring, analyzing and managing operational risk Insurance companies globally are under scrutiny to practice sound Governance Risk and Compliance (GRC) Most insurance companies lack a consistent business capability to meet internal needs and external demands Inefficient, time consuming and manual processes make risk management strategically un-actionable Many systems do not accommodate the companys specific needs

10

2010 IBM Corporation

There are Structured Methodologies for Operational Risk Management

Structured methodologies, supported by advanced analytics, are required to address the challenges insurers face when seeking to manage their operational risk exposures

Analytical Tools

Identify

Identify risk objectives and suitable business impact metrics Catalog past, present, future failure events and root causes Map business processes and locate pain points Assess frequency and severity of root causes & failure events Map interdependencies between failure events and root causes Forecast business impacts of expected and unexpected risks

Quantify

Decide

Identify appropriate mitigation strategies for major risks Assess costs of mitigation strategies Perform scenario analysis to assess mitigation benefits

11

2010 IBM Corporation

One can apply both Top Down and Bottom Up approaches to analyze Operational Risks

12

2010 IBM Corporation

Planning Considerations for Solvency II

2010 IBM Corporation

An Introduction to Solvency II
Solvency 2 (S2) legislation was initiated by the European Commission to fundamentally change the current European insurance solvency framework S2 evolved from the Basel II three pillar approach to Banking regulation - it will produce a more consistent solvency standard ensuring that capital requirements are more reflective of the risks being accepted. The date for the legislation to come into effect is 01/2013 but interim progress milestones are fast approaching. Each insurer should decide now what Solvency 2 means for them.
Solvency II Protection of policyholders against failure of insurance companies

Underwriting Risk Market Risk Credit Risk

Pillar I Quantitative

Pillar II Qualitative

Pillar III Market Discipline Disclosure

Capital Asset/Liability Adequacy Management Risk Operational Risk Liquidity Risk

Supervision and Governance

Valid for all insurance companies in EU after forming the directive into national law

There is not one solution for all - Insurers need to understand the drivers that will influence both the scale of investment and the value to be derived from their Solvency 2 Programme.
14 2010 IBM Corporation

Solvency II Requirements
Quantitative requirements
Implementation of Asset Liability Management or Dynamic Financial Analysis for all divisions Quantification of all significant risks and fair / realistic valuation of assets and liabilities Adequate solvency capital for all lines and divisions Adequate requirements Qualitative reserves Collecting, handling and controlling all significant risks Prompt and comprehensive information on the risk situation for the management Regular checks of the valuation and controlling of risks through internal audits Precise hierarchies, communication channels and ownership for implementing and living internal controls Defining and supervising limits and regulation (investment decisions and risk unterwriting) Extensive separation between management and controlling Implementing an early-warning system (key performance indicator based forecasts) Regular profitatility and stress tests (scenario analysis, sensitivity tests) Adequate asset allocation strategy (within given risk margin)

Market discipline and transparency

Comprehensive and timely reporting (internal and external) Disclosure (based on IFRS principles)
15 2010 IBM Corporation

Solvency 2 Objectives Overview

Pillars II & III: Internal Control and Pillar I Risk Quantification and Reporting Capital Adequacy Address the supervisory, reporting Demands that firms explicitly quantify: and disclosure requirements The level of risk they face and Define the risk management the amount of capital needed to processes and practices that a firm support that risk. needs to have in place for To perform these calculations, firms demonstration to the regulator. can elect to: Apply a standard model To achieve compliance, the firm will prescribed by the regulator, have to prove that it has : Operate a full internal model Strong internal reporting across all business lines, or mechanisms and a thorough Operate a partial internal model, internal audit function. with some areas remaining End to end, timely data sharing under the standard model between the various functional The regulator will need to approve departments - from underwriting, each internal model after being claims, actuarial, operations, IT, satisfied that following tests have been investment management, finance, passed: risk and compliance, right up to board Statistical quality level. Calibration Profit & loss attribution Validation Reality : Many Western European Documentation Insurers are still only working towards Use

Pillar 1 Compliance

16

2010 IBM Corporation

Risk categories

17

2010 IBM Corporation

The situation

Although Solvency II is less than 2 years away, many insurers still have the majority of work still to do
PWC S2 Report - 'Insurers face tough and expensive push for S2 deadline'. More than 40% of insurers are still only in the preparatory stages or have yet to launch their Solvency II projects. According to a recent PwC survey of 115 insurers in 22 countries across Europe and outside the EEA, 11% have not yet launched their Solvency II project. Of those that have started the implementation process, the majority of respondents are only a quarter of the way through. Accenture, Most European Insurers Say Compliance with Solvency II Will Cost More Than Originally Expected

Nearly one-third (29 percent) of the insurers surveyed said they expect to spend more than 25 million to comply with the directive, including 7 percent that anticipate spending more than 100 million. In a similar 2007 survey, only 4 percent of insurers said they expected to spend more than 26 million and none said they expected to spend more than 100 million.
Lloyd's Solvency II costs estimated at about $480M: Levene Compliance for Solvency II may cost insurers in the Lloyds of London market as much as 300 million ($480.2 million), according to the markets chairman.

Status NL insurers Mid 2010 (N= 118)

Gap analysis

No Partially Yes
Projectplan

18

20

40

60

80

2010 IBM Corporation

Experience from western Europe shows challenges and suggested focus areas
Technology implementation issues are now becoming real. The designs that have been developed are being handed over to the IT development teams and delivery plans are being developed. These plans are now showing that either timescales are going to have to move or scope is going to have to be reduced. Data remains a key area of concern, be it accessibility or granularity of data and in many cases its quality. Therefore many organizations are now looking at how they can simplify their data requirements in order to achieve a realistic solution. much effort has been placed, especially in the Quantitative Impact Study 5 (QIS5) on the development of sophisticated internal models that allow customization of SCR and MCR calculations according to the companys needs. However, it is less valuable to fine-tune internal models without making sure they are fed with high quality data BUT insurers are beginning to appreciate the real implications it will have for their businesses. Solvency II is acting as a catalyst for businesses to restructure (it) is likely to lead to M&A activity in the form of acquisitions or disposals of portfolios, teams or companies as businesses look to achieve the scale and diversity they see as optimal under the new regime

19

Sources : Solvency II Survey 2011 (UK) Deloitte LLP, Meeting the Data Quality Challenges of Solvency II Moody Analytics
2010 IBM Corporation

Solvency II is challenging but the potential business benefits are big.

Ambition level Compliance only Objectives Main benefits

Compliance with external model Compliance with internal model with auditable processes Integrated data and reporting platform feed calculations Value creation based on Economic Capital return

Compliance reached with minimal required effort Lower capital costs, improved credit rating, optimization of reinsurance Comparability with peers Higher efficiency in risk & finance reporting, rationalization of information systems Improved pricing More value creating products

Sustainable solution

Managing on Value

Reporting based on fair value combining external demands with internal needs

Performance mgmt, culture and rewards based on true value

20

2010 IBM Corporation

Solvency II requires insurers to collect detailed asset, liability and risk data to be able to come up with the market consistent balance sheet
Producing & use test Steering

Source systems & local databases Goals

Data storage

External & internal models

Reporting & information usage

Performance management

Typical numbers for top 10 insurers

1000-1500 attributes to be modeled for different risks and LOBs Multiple models for different LOBs, different calculation steps 44 reports, 1400 line items for CP58 Internal reports

10 to >50 source systems in multiple (business) units External data

21

2010 IBM Corporation

Based on our western Europe experience, we see data related gaps in most Insurers environments
Parts of current IT application landscape under control of different parties who owns all the spreadsheets? No specific policy on data management No clearly formulated data quality checks No central data dictionary across multiple legacy systems Inadequate recoding of data history

Internal controls for business processes may be in place but not formalized or documented or tracked
Lack of controls on use of externally provided data note exposure from distribution channels. Are you even certain of client names?

22

2010 IBM Corporation

The lack of good quality data willuse test have financial consequences also Producing & Steering

Source systems & local databases Goals Changes in data

Data storage

External & internal models

Reporting & information usage

Performance management

of source systems can be costly to digest

Granularity too low to make more detailed analyses

-Delays in model updating, testing & validation - Difficulty keeping audit trail in risk outcomes - Increased manual intervention

-Much time spent on movement analysis, -E.g.. reconciliation between GL and Risk outcomes

-Increase in capital due to capital add on or use of standard formula -No basis for performance management

23

2010 IBM Corporation

Data integration makes up the majority of the implementation costs in a Solvency II project
Rough estimate of cost break-up of a Solvency II project
Assessment current situation

Build internal model

Detail requirements Retrieve and normalise data Build DWH

Leverage Sol II findings 0

Source: IBM analysis

10

20

30

40

50

60

70

80

90

100

% of total costs
2010 IBM Corporation

24

The data delivery challenges

Products

Partner/Clients

Contracts

Challenge 2: Data governance Organise the ownership, use, definition and structure of the data

Stress Test

Regulatory Reporting

Challenge 4: Fair Value One version of the truth

Controlling

Financial reporting

Challenge 1: Source systems Sales Many different source systems, of Claims varying quality, technology, age and accessibility Financial
Accounting Capital Investment Other

Data Acquisition Determine Changes Data Quality

Enterprise Data Integration & historitation

Scenarios

Challenge 5: Requirements management

Actuarial Reporting

Management Reporting

Other Transformation Calculation (e.g. Risk Engine) Market Risk Operational Risk Actuarial Risk Other Risk

Risk Analytics

Challenge 3: Data Quality Define rules, process and monitor

Extraction & Staging Insurance Information Warehouse Data Marts

Dashboards

Data Sources/ Operational Systems

Calculation Engines

Decision Support/ Reporting

Meta Data & Reference Data Development Environment and System Management Software Infrastructure

Challenge 6: Meta data One language: operational, technical, business

25

2010 IBM Corporation

Challenge 1: Many different source systems, of varying quality, technology, age and accessibility
IBM View Prioritize connection of source systems based on your relevant criteria (future proof, materiality, maturity) Industrialize the data extraction process Profile the data of the source systems before the business starts to map source to target Data profiling is simply taking a picture of the data of the source systems
Discover Validate Remediate

Recommendations Use a repeatable Data migration approach Use a strong tool for data profiling

Should be done before the source to target mapping Skipping data profiling leads to: Unexpected source data Old source data, business rules unknown Multiple versions of the data Incomplete, out-of-date, untrusted data Rework and higher cost Executing data profiling results in complete view: Relationships between data elements Data integrity Duplicate Values Exceptional Values Empty Fields 2010 IBM Corporation

Discovery

26

Challenge 2: Organize the ownership, use, definition and structure of the data
IBM View Step 1: Get the (right) people in place to govern Step 2: Do initial assessment, calculate value of data and probabilities of risk Step 3: Develop a data-governance strategy Recommendations Build a Data Governance Framework and assess your current maturity Consider available industry data models Exploit Tooling

IBM Data Governance Framework

Outcomes Data Risk Management & Compliance Enablers Value Creation

Organizational Structures & Awareness

Policy Core Disciplines Information Life-Cycle Management Supporting Disciplines Classification & Metadata Stewardship

Data Quality Management

Information Security and Privacy

Data Architecture

Audit Information Logging & Reporting

27

2010 IBM Corporation

Challenge 3: Define rules, process and monitor

IBM View Data Quality Management is a continuous process Functional data quality rules should be defined by the business After definition of rules monitoring of DQ should be put in place
Data Quality

Recommendation Data Quality Management approach as part of Data Governance Framework Use tools to enable processes

Interpretability Syntax Semantics

Usefulness Relevance Timeliness Up-to-Dateness Non-Volatility

Plausibility Completeness Consistency Accuracy

Accessability System Availability Transactions

Access Rights Reliability

User can understand data

28

User can exploit data in processes

User can use data for decisions

User can access data

2010 IBM Corporation

Challenge 4: One version of the truth

IBM View Use standard reference data model for the insurance industry Requirements are clear:
Repository of historical data for validation /

Recommendation Build a robust data warehouse architecture supported by an enterprise data dictionary
One physical Enterprise Data Warehouse is not

necessarily the (only) solution

calibration of internal models and reporting Capturing of results from calculation engines Central data store for all analytic purposes Storage of detailed raw data from multiple sources

FOUNDATION MODELS Enterprise Insurance Concepts Definition for Communication and Standardization

Sample : IBMs Insurance Information Warehouse

PROCESS MODELS Enterprise Insurance Processes Definition for business process modelling, simulation, and execution SERVICE MODELS Enterprise Insurance Services Definition for component based development and Service Oriented Architecture Product Models for accelerating insurance product design 2010 IBM Corporation

DATA MODELS Insurance data content for an enterprise-wide view of information and data rationalization

29

Challenge 5: Requirements management

IBM View Solvency II requirements are extensive & changing Define high level data requirements right from the start based on needed reporting Iteratively sharpen/add data reqs in releases, realise 1st working source-report chain for small scope, then extend LOB/LOR scope Recommendation Use accelerators from vendors to get started. Define long term tool and asset strategy once base model is in place

Data related activities for acquiring Solvency II compliancy Determinati

Reqs analyis on of facts, measures and dimension s Determine data definitions Design logical data model Source analysis and extractio n DWH build Generati on datamarts

Use Accelerators

Use tooling and own models

30

2010 IBM Corporation

Challenge 6: Meta data, one language, operational, technical, business

IBM View Full audit ability from report-source requires data lineage and metadata management Standardization of business terms and their definitions is a critical first step Recommendation Build an architecture that considers the end to end audibility requirements (even with narrow scope) Select tooling that supports the broader traceability requirements

31

2010 IBM Corporation

Investment in a Solvency 2 solution can provide significant business opportunities for insurers
Improving capital allocation by giving a common basis for comparing projects / business strategies Providing management with deeper insight into risks to identify areas of competitive advantage Delivering improved MI to facilitate decision making Creating value through improved product design and pricing Enabling better alignment of employee remuneration with risk-based performance Minimizing cost of raising capital, reinsurance and other risk transfer products by making the firms risks more transparent and measurable Driving investment in scalable / extendable models to minimize cost of future change (such as IFRS Phase 2) Efficiency improvements, e.g. removing duplications across different reporting processes; increased automation Realising these benefits need not require an instant, wholesale business transformation.
32 2010 IBM Corporation

Urgent Decisions and Guiding Principles

IBMs experience from similar projects indicates that insurers must act now to: 1. Define and articulate the vision and ambition for the Solvency 2 programme, gaining committed buy-in from across the business and IT 2. Agree the calculation model approach to be used i.e. Standard vs. Partial Internal vs. Full Internal and select between achieving basic compliance, or to invest smartly and gain business benefit. 3. Understand the S2 Risk and MI needs of different roles and user groups so the solution can be designed to support these requirements and deliver MI to an appropriate level of granularity for each constituent member or group 4. Decide the degree to which the risk calculation process is to be industrial strength? Capture the organizations ambitions towards end-to-end data integration 5. Agree their appetite for technology as an enabler to support and embed the desired change.

33

2010 IBM Corporation