Why Insurance Companies Should Review Their Operating Models
April 01, 2022DownloadsDownload Article
This article from Risk & Compliance magazine was published in the Apr-Jun 2022 Issue. The entire publication is available at https://riskandcompliancemagazine.com/why-insurance-companies-should-review-their-operating-modelsIn an article for Risk & Compliance magazine, Graham Handy and Darko Popovic from FTI Consulting’s Global Insurance Services team outline why insurance companies should review their operating models.
R&C: Could you explain why insurance companies may need to review the operating model for their risk function?
Handy: There are three major reasons to think the operating model for risk functions needs an overhaul. First, businesses are recognising the risk function as more central and more strategic, as shown by the appointments of former chief risk officers (CROs) as chief executive officers (CEOs). Second, they need to ensure that the three lines of defence concept is fit to support new ways of working, including remote working. Third, and perhaps most importantly, today’s volatile business environment, with its many cost and other pressures, makes it vital to maximise agility and efficiency within the risk function.
R&C: What signs are there that insurance companies are assigning greater importance to the risk function?Handy: One sign is that, over the past five years, an increasing proportion of former CROs have been making the CEO grade, rather than a tendency toward CFOs to move into that role.
In addition, CROs are leading ever more complex interactions with regulators. This change is especially significant because it comes at a time when businesses are moving away from simply complying with regulations to establishing a more proactive relationship with regulators. In this new relationship, companies seek to ensure up front that they correctly understand regulations, and may sometimes even help to shape them, rather than simply responding to queries and issues that arise retrospectively. These developments highlight the fact that, when the risk function is run the right way, it is now a central part of the business rather than an afterthought. It is also apparent that the risk model has matured significantly, with an increased emphasis on strategic aspects.
R&C: How would you rate the effectiveness of the three lines of defence concept prior to, and during, the pandemic?
Popovic: Since the advent of the European Union’s (EU’s) Solvency II directive, companies have done some hard thinking about exactly what the three lines of defence should look like in their businesses. By the time the pandemic happened, the model was well bedded in, and companies had been able to turn their attention to issues like efficiency, effectiveness and value add. A particular area of focus was the relationship between the first and second lines. Although each company has its own way of implementing the concept, many had clarified the second line’s role to make sure that it was not a bottleneck, and that it did not end up as a kind of ‘line 1.5’ doing all the work. Organisations were also tackling cultural issues, for example stopping the first line from passing off the checking and duty of care to the second line. Work had also been done to make sure the second line got involved in discussions early on in any project, rather than once the work was finished, to avoid last-minute delays. This relatively informal and collaborative way of working made risk management more effective because problems were anticipated and prevented, rather than detected and rectified after the event. But it had an even more important advantage: it made the company more agile and responsive to change, since the three lines could work together to find a compliant solution to any new challenge, instead of being locked into inflexible processes. All this work stood companies in good stead when the pandemic came along, and we have been impressed by how well most were able to adapt to home working and the other sudden disruptions they were faced with. Naturally there was some flexing of roles and processes to make sure all urgent work got done, but the majority were able to maintain their essential controls.
R&C: What effect might new ways of working have on the three lines of defence concept in the future?
Popovic: With most insurers expecting hybrid working patterns to persist, it is time to revisit the operating model to make sure that it is optimal for this new way of working. Of course, risk functions have always had to make governance succeed across multiple sites and geographies. What is different is that many are now coping with distributed working within teams daily.
Handy: To remain agile, it is vital to strike the right balance between formality and informality, and between objectivity and collaboration, across the first and second lines, in particular. At present, many firms are finding themselves too near the formal end of the spectrum because of the limitations of hybrid working. With the first and second line mostly communicating by phone and email, rather than face to face, it becomes much harder to maintain those informal, collaborative relationships.
R&C: What challenges do companies face in becoming more agile?
Handy: Agility is not at all easy for the average insurance company. The whole idea may appear to clash with the traditional insurance culture and structure, which is built around strong governance and rigorous processes. In fact, it is possible to reconcile agility with rigour, but that is difficult to do overnight. The tone from the top must change fundamentally, and the work has to be done by a special type of person, who is not typically found in every risk team. In addition, the intensive bursts of work that agile working requires make difficult demands on resources that are already overstretched. The idea of asking someone from a key function to step out into a multi-day ‘garage’ is a big ask at the moment.
Popovic: Another agile concept that is challenging for most insurance companies is that of ‘failing fast’ — abandoning projects that are clearly not going to meet their success criteria. When you are already working to 110 percent of your capacity, it looks like a luxury to invest resources into a task that may be abandoned. And culturally, failing fast is still seen as failing. The adoption of agile practices is also hampered by Solvency II’s principles-based regulatory environment. Whereas it is relatively easy to tell whether you are complying with a rule, principles constantly require insurers to guess how the regulator will interpret them. That can reduce agility.
R&C: What steps can the insurance industry take to get the risk function into shape for its new business environment?
Handy: First, re-establish the right level of formality in the three lines of defence model. There are several ways to do this. Once first and second-line staff are made aware of the issue, they may well come up with ways to fix the balance themselves. Apart from that, options include the use of observational technologies to help people understand where their time could be spent more productively, or where they could be collaborating more closely. In addition, collaborative technology platforms can, to some extent, replace the traditional discussions at the water cooler and help teams to visualise shared targets and outcomes, and the relationships between tasks. Another vital step is to box clever when it comes to talent, especially the talent needed for achieving agility. Universities are training people to blend agile thinking with good discipline, and it is well worth recruiting those people. But to see where they fit in, it may be necessary to re-evaluate the design of the risk function, and its processes.
Is it better to have a few really smart people or lots of foot soldiers? Is it best to debate issues on an ongoing basis or take a one-and-done approach to executive-level challenge? Different approaches can work provided it is a deliberate choice. It is also important to make the most of existing talent. Is all the work that is being done adding value? If not, consider stopping or changing the work. This is an area where you may value outside help, as people who are working more than full time do not have time to reassess what needs to change. A key element of this rethinking of work is to review the metrics and indicators that drive decision making. Particularly after the pandemic, you may well find that reports are being produced more often than is necessary, or that only a few metrics on them are used by the board. Consider the use of digital dashboards as an efficient way of giving decision makers the information that they really need, although it may also be necessary to upgrade the processes and activities that generate that information.
Popovic: Another valuable way of overcoming obstacles to agility is to parcel relevant work up as projects rather than treating it as business-as-usual. This makes it easier to tackle intensive sprints and to make failing fast acceptable. External resources can be brought in on a fixed-term basis if there are not enough resources in-house. In fact, maybe it is time to rethink outsourcing altogether. In a fully remote environment, is everyone in a sense an outsourced service provider? If so, that renders the ‘them-and-us mentality’ that used to be a concern in managing external relationships obsolete. To overcome the constraints that a principles-based regulatory environment imposes on agility, embed risk management into everything you do.
Work closely with major development programmes affecting the front line to inject a risk and governance perspective. Make sure that new systems for claims, underwriting, financial reporting and so on have the right controls built in. This approach, together with automation in the second line, should reduce the amount of second-line activity required in the future. The hardest part is to prove that risk management really is embedded across the organisation. That is mainly a question of showing how information and processes support the principle.
This article has been reprinted with kind permission from Risk & Compliance magazine.