One of the most extreme operational risk examples in the Dutch insurance industry is the 2001 Stock-lease case in which policyholders invested not only with their own money, but also with borrowed money. The Dutch fair trade organisation decided that the communication of the insurance companies was not in line with regulations. As a result, one of the insurance companies, Dexia, showed a loss in profit of 1 billion euro. Despite this and other examples of operational risk (AIG, Equitable Life), only recently have most insurance companies taken steps to fully model their operational risks.
What is operational risk?
The Basel II definition of operational risk is the following:
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
Operational risk is a very broad concept and is not always straightforward to classify, which leads to issues such as:
- Risks are attributed incorrectly to operational risk (double counting/prudence): e.g. a capital requirement for insurance fraud is calculated both for operational risk and life insurance risk.
- Risks are incorrectly left out of operational risk: e.g. project risk is included in neither operational risk nor expense risk.
- Risks are classified incorrectly leading to an incorrect aggregation and different capital requirements.
How to classify operational risks?
A taxonomy (also known as a risk universe) seeks to establish a consistent interpretation of risks within an organisation. This prevents double counting, exclusion of risks and incorrect classification. Once a comprehensive risk taxonomy has been established, it facilitates establishing a risk register. A risk register is used to capture risk events. A decent risk register distinguishes between cause, event and financial impact:
- Cause: required for preventing the event in the future
- Event: not all causes lead to actual losses. Both potential and actual losses need to be registered.
- Financial impact: necessary for the calculation of required capital
The operational risk capital requirement is more difficult to determine than for other risk categories mainly due to a lack of data:
- Operational risk is company specific hence market data does not always reflect risks correctly.
- A limited number of events is available reducing the number of tail events. In comparison, there is daily market risk information for stock and interest rate developments.
- Companies are hesitant to share their data because of reputational damage.
Three approaches that can be used to collect operational risk data:
1) Internal loss data: the insurance company develops a risk register and collects loss data:
+ Company specific data are the best reflection of the risks within a company;
+ Because the data are company specific, there is no need for scaling;
+ Useful for determining loss frequency;
– Internal data can be limited hence not all risks are taken into account;
– Internal data don’t always contain events with the highest financial impact, although these events do most harm to the company.
2) Consortium loss data: the insurance company participates in a consortium of insurance companies that share data with each other:
+ Increases the amount of data and the number of higher impact events;
– The risk register of the insurance company can differ from the register of the consortium, therefore mapping is required. Insurance companies may give different interpretations to this process resulting in events classified incorrectly;
– Consortium participants prefer not to share their largest loss events. Therefore the consortium database does not include the entire distribution of possible losses;
– Participation involves costs, and loss data need to be provided at certain time intervals.
3) External loss data: the insurance company buys a dataset from an external loss data provider (e.g. Aon, Algo):
+ These data also include extreme losses in the tail of the distribution;
– The costs for participation are higher than with a consortium.
Due to a lack of data, there is no single method to quantify and manage operational risk. Consequently, every quantitative method needs to be supported with qualitative insights: Key Risk Indicators (KRIs) can provide an understanding of the causes of operational risk on a frequent basis. There are four methods to determine the capital requirement for operational risk:
1) Factor method: these models use a regression technique in which the goodness of fit tests the portion of variance explained by the factors. An example of the factor method is the operational risk capital requirement in QIS5:
+ Cost efficient;
+ Consistency between insurance companies as long as similar accounting standards are applied (e.g. when determining reserves);
– Not risk-sensitive (controls and governance are not taken into account);
– Low frequency-high severity events can distort the results;
– Can be misused, e.g. QIS5 rewards low pricing/reserving.
2) Deterministic scenarios: risks that can threaten company objectives are agreed upon by experts. Thereafter, experts determine the frequency, impact and mitigation effects of these risks. The total capital requirement per risk is the product of frequency, impact, and mitigation. There are no diversification benefits within a risk group (e.g. if there are two external fraud risk events, the capital requirement for external fraud is the sum of the two components). After that, the different risk groups are aggregated with a correlation matrix, so diversification applies between risk groups:
+ Flexible (can be done both bottom-up and top-down), can be applied in conjunction with KRIs;
– Allocation of risk events is subjective;
– Estimation of risk events is subjective, correlations between risk groups are subjective due to lack of data.
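The deterministic-scenario calculation described in method 2, as an added example that is not part of the original article. All figures and the correlation matrix are constructed, and reading "mitigation" as the share of the loss that remains after controls is an assumption.

```python
import math

# Constructed expert estimates in euro:
# (risk group, scenario, frequency per year, impact, mitigation).
# Assumption: mitigation is the share of the loss remaining after controls.
SCENARIOS = [
    ("external fraud", "claims fraud ring", 0.50, 2_000_000, 0.6),
    ("external fraud", "broker commission fraud", 0.20, 1_500_000, 0.8),
    ("systems", "policy administration outage", 0.10, 5_000_000, 0.5),
    ("conduct", "mis-selling compensation", 0.05, 40_000_000, 0.9),
]
GROUPS = ["external fraud", "systems", "conduct"]

# Constructed correlations between risk groups, in the order of GROUPS.
CORR = [
    [1.00, 0.25, 0.25],
    [0.25, 1.00, 0.50],
    [0.25, 0.50, 1.00],
]


def capital_per_group(scenarios, groups):
    """Sum frequency * impact * mitigation within a group (no diversification)."""
    totals = dict.fromkeys(groups, 0.0)
    for group, _name, frequency, impact, mitigation in scenarios:
        totals[group] += frequency * impact * mitigation
    return [totals[g] for g in groups]


def aggregate(capitals, corr):
    """sqrt(c' R c): diversification applies only between risk groups."""
    n = len(capitals)
    return math.sqrt(sum(capitals[i] * corr[i][j] * capitals[j]
                         for i in range(n) for j in range(n)))


if __name__ == "__main__":
    capitals = capital_per_group(SCENARIOS, GROUPS)
    total = aggregate(capitals, CORR)
    for group, capital in zip(GROUPS, capitals):
        print(f"{group:15s} {capital:>12,.0f}")
    print(f"{'simple sum':15s} {sum(capitals):>12,.0f}")
    print(f"{'aggregated':15s} {total:>12,.0f}")
    print(f"{'diversification':15s} {sum(capitals) - total:>12,.0f}")
```

Because the correlations are expert estimates, rerunning the aggregation with higher and lower off-diagonal values shows how much of the capital figure depends on that judgement.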
3) Stochastic modelling by expert judgement: experts/risk owners estimate the frequency and impact of possible events in workshops. These participants determine the average frequency of an event and, if one assumes a Poisson distribution, the entire frequency distribution is established with this information. Each scenario needs to be defined (storyline) to make it feel realistic, which makes it easier to estimate the financial impact.
Next, participants determine the impact of a scenario by repeating the event an x number of times: e.g. when there would be 10/50/100 cases of external fraud, in this set of 10/50/100 what is the event with the highest financial impact? With the worst 1 in 10, 1 in 50, and 1 in 100 impact levels, you can determine the severity distribution.
Stochastic modelling based on the distributions of frequency and severity results in a loss distribution from which a 1 in 200 VaR is determined.
+ Provides more insights in the risks of a company because frequency and severity are modelled separately;
– Time consuming as experts need to determine the scenarios and this can’t be done every week/quarter (like KRIs);
– Behavioural bias can occur (e.g. status quo bias, prudence, confirming evidence) making the estimates less reliable.
4) Stochastic modelling with data (internal, external): like method 3 but instead of expert judgement use loss data.
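The frequency/severity simulation behind methods 3 and 4, as an added example that is not part of the original article. The workshop answers are constructed; the lognormal severity and reading "worst case in n events" as the (1 - 1/n) severity quantile are assumptions. For method 4 the two severity parameters would be fitted to loss data instead.

```python
import math
import random
from statistics import NormalDist


def fit_lognormal(worst_cases):
    """Least-squares fit of ln(impact) = mu + sigma * z to expert answers.

    worst_cases maps n -> worst impact in n events, read here as the
    (1 - 1/n) quantile of the severity distribution (an assumption).
    """
    zs = [NormalDist().inv_cdf(1 - 1 / n) for n in worst_cases]
    ys = [math.log(impact) for impact in worst_cases.values()]
    z_bar, y_bar = sum(zs) / len(zs), sum(ys) / len(ys)
    sigma = (sum((z - z_bar) * (y - y_bar) for z, y in zip(zs, ys))
             / sum((z - z_bar) ** 2 for z in zs))
    return y_bar - sigma * z_bar, sigma


def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small frequencies."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def annual_losses(lam, mu, sigma, years, seed=1):
    """Sorted total loss per simulated year: Poisson count of lognormal hits."""
    rng = random.Random(seed)
    return sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(years))


def var_1_in_200(losses):
    """99.5% quantile of the sorted annual loss distribution."""
    return losses[math.ceil(len(losses) * 995 / 1000) - 1]


# Constructed workshop answers for one scenario (external fraud), in euro.
FREQUENCY = 2.0                                   # expected events per year
WORST = {10: 50_000, 50: 200_000, 100: 350_000}   # worst case in n events

if __name__ == "__main__":
    mu, sigma = fit_lognormal(WORST)
    losses = annual_losses(FREQUENCY, mu, sigma, years=100_000)
    print(f"mu={mu:.3f} sigma={sigma:.3f}")
    print(f"mean annual loss: {sum(losses) / len(losses):,.0f}")
    print(f"1-in-200 VaR:     {var_1_in_200(losses):,.0f}")
```

The 1 in 200 figure sits far above the mean annual loss because a few large events dominate the tail, which is why the worst-case answers from the workshop matter more than the frequency estimate.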
It is also possible to use a weighted average of the capital requirements of the four methods and assign weights depending on the level of comfort.
Operational risk capital modelling is one of the areas in which many insurance companies are investing heavily. The first step for insurance companies is to establish a risk register and model their risks, using one of the techniques outlined in this article. However, good operational risk management depends on both quantitative and qualitative factors. Establishing a high quality Operational Risk Management Framework will make it possible for them to increase their understanding of their risks, take actions to mitigate causes and endorse their operational risk capital requirement numbers. Internal models under Solvency II have now caused many insurance companies to commence modelling their operational risk in more detail, but there is generally still some way to go before such models are at the same level of sophistication as other aspects of companies’ business.
This article was also published in the Dutch actuarial magazine “The Actuary” on 18 July 2011