Insurers Targeted in UK Supervisory Authorities’ Latest Effort to Develop Formal Operational Resilience Regulations

Andrew Retrum, Managing Director Security and Privacy
Douglas Wilbert, Managing Director Risk and Compliance

The resiliency of the insurance industry, especially its ability to protect policyholders from the impact of severe operational failures, is a major focus of the latest regulatory effort to strengthen the operational resilience of the UK’s financial services sector.

When the Bank of England (BOE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) signaled their intention to develop policies around operational resilience in their jointly issued July 2018 discussion paper, they were relatively silent on the issue of resilience supervision for the insurance industry. However, in the series of consultation papers published on December 5, 2019, the supervisory authorities were unequivocal about their expectations: UK Solvency II firms, including the Society of Lloyd’s and its managing general agents (collectively “insurers”), are expected to deliver improvements to their operational resilience and will be held accountable if they fall short of the proposed standards.

The consultation papers address other specific types of firms such as recognized payment system operators and specified service providers, central securities depositories and central counterparties. However, the focus on insurers is noteworthy. The UK is home to Lloyd’s, the largest insurance market in the world run by managing general agents, as well as global insurance and reinsurance companies. These companies are already governed by Solvency II, a risk-based capital directive aimed at strengthening the solvency requirements of European Union insurers.

Still, insurers with UK operations should prepare now to comply with the proposed operational resilience rules. This means implementing the appropriate resilience programs and governance structures, educating their senior leadership on the topic and allocating resources as appropriate to align with pending regulations. Given the international nature of the insurance industry, the proposed regulations are likely to have broad implications for global insurers.

As interest in operational resilience expands to other jurisdictions, insurers, regardless of domicile, should take steps now to build resilience, including continued focus on front-to-back mapping of business services and improving upon existing programs around data protection, incident response and crisis management, to name a few.

What Is Operational Resilience and Why Is It Gaining Visibility? 

Recent IT outages across the financial sector have highlighted gaps in the ability of individual firms to maintain business services for their clients and support the broader markets. Regulators across the globe have identified operational resilience – the ability of an organization to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions – as a key area of focus for enhanced supervision over the next several years.  Events that can adversely impact firms’ operating environment include cyberattacks, technology failures or changes, as well as environmental and natural catastrophes.

In the July 2018 discussion paper, the UK supervisory authorities emphasized the need for regulated financial institutions to develop and improve response capabilities against such disruptions and signaled their intention to create rules that would formalize this and other expectations. In December 2019, the regulators released a series of consultation papers, proposing formal regulations on operational resilience for UK-regulated financial institutions. Firms have until April 3, 2020 to submit responses to the proposals, which are slated to be implemented in mid-2020.

While the momentum around operational resilience is clearly in the United Kingdom, other global regulators are following suit. The U.S. Federal Reserve and the Monetary Authority of Singapore are among those considering resilience-focused rules. Financial institutions are eager to stay ahead of the regulatory curve, with many leading firms, industry executives and trade organizations collaborating on a framework on operational resilience. 

What Are the Expectations for Insurance Companies With UK Operations?

Under the proposed standards for operational resilience, firms are expected to identify important business services, define and articulate impact tolerance or the specific maximum levels of disruption they can tolerate, and maintain contingency arrangements to enable the continuity of important business services following severe but plausible disruptions.

Important business services will differ for banks and insurers, as well as by regulator. According to the PRA, a service can be defined as “important” if its disruption poses a risk to the safety and soundness of the institution, its policyholders and the wider financial sector. For instance, the sudden removal of a compulsory business insurance coverage across an industry could pose a significant risk to financial stability.

Severe disruption to an important business service may also harm policyholders. Examples include disruption to annuity payments that policyholders rely on to pay bills, or the removal of a compulsory insurance coverage a small business needs to continue to operate. As such, when identifying important business services, insurers are expected to consider the protections the business service provides to policyholders and the impact tolerance for the delivery of that service, in addition to their own safety and soundness should the service be severely disrupted.

An operationally resilient insurer should set specific levels for impact tolerance using a time-based metric. For example, if an insurer identifies annuity payments as an important business service, it should be able to articulate the length of time after which a disruption in this service would create an unacceptable level of impact to vulnerable customers who are reliant on the payments. Assuming it is two days, the PRA expects the insurer to set its tolerance for disruption to annuity payments below two days.

At Protiviti, we are at the center of the industry’s discussion on the topic of operational resilience, working closely with thought leaders and regulators across the sector. Our experts have produced several critical insights on the topic of operational resilience, including the latest regulatory developments. Protiviti has also developed a framework with which institutions can approach and evaluate operational resilience. To learn more about this framework, visit our website.