Lessons Learnt from Covid-19 ... or Not?

Covid-19 is a health crisis, a business crisis and an economic crisis which has struck the insurance industry hard.

Claims spiked in some areas while volatile financial markets made it almost impossible to steer the investment portfolio, and lockdown measures kept staff at home while struggling to cope with surging call and claim volumes. Meanwhile, there is vocal pressure from some quarters for a “flexible” approach to claims, where “flexible” is shorthand for dishing out large amounts of money for claims which may or may not be covered.  

How has the industry coped, and what lessons has it learned?

To answer that question, Crescendo Advisors carried out a series of structured interviews with a selection of risk and finance professionals from insurance firms. Most of the firms were UK based, with an aggregate turnover of £120 billion in 2019.

Although the firms varied in size and portfolio mix, there was a high degree of consensus in their opinions. Here are Crescendo’s top five findings and conclusions:

• While most UK firms have weathered the crisis to date, it appears that few did so as laid out in their pre-Covid-19 business continuity planning.  Business continuity plans usually assumed local outbreaks and had to be re-created in the face of a total and global shutdown.

• All firms who viewed their lockdown experience as ‘successful’ attributed that to excellent, ongoing communication from senior management to all stakeholders;

• The traditional hostility to staff working from home has changed from “not possible” to “why not?”. Going forward firms expect staff to continue working at least part-time from home, and hence plan on reductions in their office footprint;

• As remote working and virtual teams have become the post-Covid vogue, the purpose and value of The Office is being critically re-evaluated. It may still be the best place for meetings and staff onboarding, but do we really need all those desks crowded together?

• With staff working remotely, the cost-benefit dynamic of outsourcing could be changed so that firms will find it beneficial and desirable to bring activities back in-house.

Interestingly, while most participants anticipated the need for a lessons learnt exercise, only one of them acknowledged at the time that his firm was already kicking off such an exercise.

Are insurers perhaps being complacent? They had six weeks to prepare for lockdown and they put the time to good use. By the time staff were required to stay home, many did so with newly acquired laptops and secure connections. The main limitations on productivity came from the lack of suitable home office facilities or from inadequate broadband speeds. The show stayed on the road with remarkably few wobbles.

Next year UK insurers are likely to work in the implementation of operational resilience requirements.  There are lessons to be learnt from Covid-19.  But here’s a thought, if working from home is no longer the backup disaster recovery plan – it is the new normal – what is the new disaster recovery plan?

This post has been written by Isaac Alfon (Managing Director) and Shirley Beglinger (Advisory Board Member) at Crescendo Advisors.  

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy.  We would be happy to share an overview of the findings of this survey.  We can also support your efforts to both learn lessons from Covid-19 using the tools we developed for this survey and consider the implications of working from home arrangements for the risk and control environment.

Out Outsourcing?

Well, not really.  But I am sure you have heard regulatory concerns about the lack of appropriate controls around outsourcing in financial services.  It is therefore not entirely surprising that the UK’s Prudential Regulation Authority (PRA) has recently fined a bank £1.2 million for failures in the controls associated with outsourcing (here).  There are, however, a number of interesting points about this enforcement case that have broader lessons about the supervisory expectations associated with the use of outsourcing in financial services.

1.  The regulatory expectations with respect to outsourcing within a group or to a third party outside the group are the same.  I have heard this before but I was still expecting to see a recognition that there may be a difference.  I could not really find an obvious distinction in the enforcement notice.  This is particularly relevant in financial services where brands are typically a collection of companies, sometimes with a core staff serving a number of companies, in particular with respect to finance (and, in insurance, actuarial).  This also has implications for risk functions which will also need to articulate how their oversight relates to the various companies.

2.  The outsourcing arrangements are documented appropriately in a timely manner. While putting contracts in place within a group is probably understood to be a regulatory expectation, there are two important dimensions that this case highlights.  The first of these is the importance of putting contracts in place at the outset and undertaking due diligence; bear in mind point 1 above.  This also includes signing the contracts!  Secondly, in the case of internal outsourcing involving a control function, it is important that the roles and responsibilities of the various parties are clearly defined.  This can include determining the different roles of people and teams probably sitting near each other.

3.  The legal form of the outsourcing provider does not matter.  A JV form that effectively provides an outsourcing activity should also be treated as outsourcing. 

4.  The consequences of a lack or breakdown of controls matter a great deal.  If the finance function is outsourced within the group, then a breakdown can have severe financial implications (e.g. unauthorised payments) and can include misreporting of the capital and liquidity position to the PRA.

Last but not least, the response when the issue is discovered remains crucial.  In this case, it involved terminating certain outsourcing contracts and putting in place new ones, transferring finance teams to the relevant company and ensuring operational separation of the Bank from the rest of the group.  In addition, the bank commissioned a firm of accountants to review the matter, undertook its own review of all outsourcing contracts and was subject to a skilled persons review by the PRA.  As in other cases, the fine may not have been the largest cost to the bank.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis but I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of the blog.