Tuesday, 6 October 2020

Five Lessons for Operational Resilience from Covid-19: The Goldilocks Approach

Earlier this year, Crescendo Advisors undertook a survey of insurers’ lessons learnt from managing Covid-19 disruption. This was based on in-depth discussions with 24 senior stakeholders from firms with a turnover of about £120bn. We covered readiness before Covid-19, how the crisis was managed and lessons for the future.

In parallel, regulators were consulting on requirements for operational resilience.  They do not plan to require firms to meet them before the end of 2021.  This is then the time to think in earnest about implementation.  One aspect of the requirements is learning from events like Covid-19.  We thought that we would review our findings and identify what we can learn for the implementation of operational resilience. 

Broadly speaking, we identified two contrasting views. Some saw Covid-19 as an unprecedented event and thought that there was little that could be learnt for the implementation of operational resilience. Others were concerned that the industry’s success at keeping the show on the road could give an impression that operational resilience is not an issue. We do not subscribe to either view. We identified five practical lessons, which is more consistent with the Goldilocks approach – not too little, not too much.

Lesson 1:  Do not assume that you will get the same advance warning for the next operational resilience event  

While few firms anticipated a pandemic of the scale of Covid-19, firms had 6 to 8 weeks before lockdown, which many used very well to prepare for the lockdown and social mobility restrictions that were anticipated. Our survey suggested that industry readiness would have been very poor absent these preparations.

Looking ahead, in the types of operational resilience scenario that are more likely in the future, e.g. system failures, it is unlikely that firms will have such a luxurious amount of time in which to enhance their resilience.

Lesson 2: Invest in crisis management as part of operational resilience preparations

Operational resilience requirements rightly focus on governance, planning (identification of key business services, setting tolerance and analysis of resilience in severe but plausible scenarios), and enhancing resilience where it falls below the agreed tolerance. 

However, when an operational resilience event takes place you will also need a well-oiled crisis management capability.  Participants who chanced to have tested crisis management capabilities before Covid-19 noted the benefits from that.  It is important to review and test your crisis management capabilities (e.g. war games) as part of the implementation of operational resilience. 

Lesson 3:  Working from home (WFH) is useful but challenges your potential back-up

The ability to work from home was a key aspect of the response to Covid-19; at the same time recovery sites proved to be not very useful in this scenario.  This has also led to a wider discussion about the role of the office and the possibility of home being the new BAU. But if WFH is the new BAU, what is the back-up for the next operational resilience event? 

Lesson 4: Think about scenarios and stress testing in an integrated manner

While insurers considered scenarios before Covid-19, few anticipated a pandemic of this scale with all of its financial and economic implications.  Looking ahead at the development of scenarios for operational resilience, this raises a challenge about the importance of consistently considering the financial and operational implications of scenarios in ORSA and operational resilience.

Lesson 5: Outsourcing of key activities is likely to be a challenge for operational resilience

Participants identified outsourcing as an area where they would like to spend more time monitoring performance. Where outsourcing was material, the experience of Covid-19 was mixed. Interestingly, good performance in outsourcing during Covid-19 was associated with a business rationale going beyond cost savings, or with outsourcing being managed as an integral part of the business.

These are industry lessons.  But what lessons can you extract from your own business experience of managing Covid-19?  We encourage you to formalise the lessons learnt exercise.  You may learn something new or unexpected about your business. But more generally the exercise can inform wider decision making; one insurer had a clear vision that their Covid-19 lessons learnt should feed into a strategic review. At the very least it will support your operational resilience planning and delivery.

This post has been written by Isaac Alfon (Managing Director) and Shirley Beglinger (Advisory Board Member) from Crescendo Advisors.  It is based on a presentation to ORIC’s Covid-19 Industry Group.

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy.  We would be happy to share an overview of the findings from the Covid-19 lessons survey.  We can also support your efforts to both learn lessons from Covid-19 using the tools we developed for this survey and implement the regulatory requirements for operational resilience.


Tuesday, 22 September 2020

The FCA business interruption Test Case – Closure, or grinding onward?

The UK High Court handed down its verdict on the Financial Conduct Authority’s test case on Business Interruption on September 15. Some of the 370,000 policyholders affected will now be hoping to receive insurance payouts in time to stave off bankruptcy. Others will now be considering whether they have viable grounds for appeal.

There were a number of battlegrounds in the case. BILA (British Insurance Law Association) will be holding a webinar on September 28, but in the meantime some of the interesting points were:

  • Causation: The Court held that the proximate cause of the business interruption was the composite peril of the business interruption following the occurrence of the notifiable disease. Individual outbreaks were deemed to be part of a national whole.
  • Public authority and prevention of access clauses differed between the policy wordings under consideration, with some being deemed to provide narrow, localised cover while others were deemed to respond to government regulation when it was issued on March 26.
  • Trends clauses are relevant to the calculation of the insured loss because they take account of the circumstances/trends of the insured business.  Insurers relied on the decision in Orient Express Hotels v Assicurazioni Generali Spa (UK)* to argue that the insured could not show that the business loss would not have been suffered ‘but for’ the insured peril because many businesses would have suffered loss in any event due to the Covid-19 epidemic. The court felt that Orient Express had been incorrectly decided and therefore did not follow the precedent.

Appeals from both sides are likely, and then a key question will be whether the Court of Appeal chooses to hear the case or leapfrog it straight to the Supreme Court. An expedited appeal might be heard in late 2020 / early 2021, but not even that will really bring closure. Major UK insurers who are not currently part of the FCA test case will likely find that policyholders seek to read judgments across to their coverage, and thus find themselves embroiled in coverage disputes.

Meanwhile in the background and on the sidelines, the skirmishing will continue.

The FCA has published a Dear CEO letter suggesting quite strongly that insurers should not seek to deduct furlough and similar government payments from any claim settlement, but they have not provided any guidance on how else such payments might be fairly treated.

Reinsurers have already given strong indications of their intention to scrutinise any payments which insurers may make and for which they may seek to recover under their reinsurance arrangements. Certainly catastrophe reinsurers will be considering:

  • The operation of hours clauses: the treaties are designed to respond for specific identifiable events such as earthquakes and windstorms. In the case of a disease outbreak, is it a natural catastrophe? When does the event begin and end? Is it one event, or several?
  • Loss quantification: if an insurer has been using poorly drafted policy wordings which resulted in coverage being awarded where none was intended, can the reinsurer argue that this qualifies as some sort of ex gratia payment and is hence not recoverable?
  • Loss aggregation: a large composite insurer may have multiple portfolios of risk – say SME property/BI, marine and event cancellation (to name just a few). If treaties are written on different bases (e.g. occurrence vs risks attaching), how will insurers aggregate their losses?

And so the Business Interruption battle will grind onward – in adjudication as well as in arbitration. Certainly many new precedents will be set. It’s an interesting time to be considering insurance and reinsurance disputes.

* Trading as Generali Global Risk, [2010] EWHC 1186 (Comm).

This post has been written by Shirley Beglinger (Advisory Board Member) at Crescendo Advisors.

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy. Crescendo Advisors has a solid track record of successful engagements in both adjudication and arbitration. 

Wednesday, 9 September 2020

Lessons Learnt from Covid-19 ... or Not?

Covid-19 is a health crisis, a business crisis and an economic crisis which has struck the insurance industry hard.

Claims spiked in some areas while volatile financial markets made it almost impossible to steer the investment portfolio, and lockdown measures kept staff at home while they struggled to cope with surging call and claim volumes. Meanwhile, there is vocal pressure from some quarters for a “flexible” approach to claims, where “flexible” is shorthand for dishing out large amounts of money for claims which may or may not be covered.

How has the industry coped, and what lessons has it learned?

To answer that question, Crescendo Advisors carried out a series of structured interviews with a selection of risk and finance professionals from insurance firms. Most of the firms were UK based, with an aggregate turnover of £120 billion in 2019.

Although the firms varied in size and portfolio mix, there was a high degree of consensus in their opinions. Here are Crescendo’s top five findings and conclusions:

  • While most UK firms have weathered the crisis to date, it appears that few did so as laid out in their pre-Covid-19 business continuity planning.  Business continuity plans usually assumed local outbreaks and had to be re-created in the face of a total and global shutdown.
  • All firms who viewed their lockdown experience as ‘successful’ attributed that to excellent, ongoing communication from senior management to all stakeholders;
  • The traditional hostility to staff working from home has changed from “not possible” to “why not?”. Going forward firms expect staff to continue working at least part-time from home, and hence plan on reductions in their office footprint;
  • As remote working and virtual teams have become the post-Covid vogue, the purpose and value of The Office is being critically re-evaluated. It may still be the best place for meetings and staff onboarding, but do we really need all those desks crowded together?
  • With staff working remotely, the cost-benefit dynamic of outsourcing could be changed so that firms will find it beneficial and desirable to bring activities back in-house.

Interestingly, while most participants anticipated the need for a lessons learnt exercise, only one of them acknowledged at the time that his firm was already kicking off such an exercise.

Are insurers perhaps being complacent? They had six weeks to prepare for lockdown and they put the time to good use. By the time staff were required to stay home, many did so with newly acquired laptops and secure connections. The main limitations on productivity came from the lack of suitable home office facilities or from inadequate broadband speeds. The show stayed on the road with remarkably few wobbles.

Next year UK insurers are likely to work on the implementation of operational resilience requirements. There are lessons to be learnt from Covid-19. But here’s a thought: if working from home is no longer the backup disaster recovery plan – it is the new normal – what is the new disaster recovery plan?

This post has been written by Isaac Alfon (Managing Director) and Shirley Beglinger (Advisory Board Member) at Crescendo Advisors.  

Crescendo Advisors (www.crescendo-erm.com) is a boutique risk management consultancy.  We would be happy to share an overview of the findings of this survey.  We can also support your efforts to both learn lessons from Covid-19 using the tools we developed for this survey and consider the implications of working from home arrangements for the risk and control environment.

Sunday, 14 June 2020

Delegating Decision Making to AI Tools – Choices and Consequences*


Sometimes when I hear about Artificial Intelligence (AI) tools it seems like it is all about the technical details of the model and the data, which is certainly very important. This post is about another important aspect: the operating model in which the AI tool will operate.

There are many aspects of such an operating model.  Some are practical, such as ensuring that the tools integrate with other parts of the business.   In this post, I am focusing on the delegation of decision making to the AI tool – the choices that exist in most cases and the implications for the control environment.  These are summarised in the figure below.

At one extreme of the delegation of decision making, you have AI tools that operate independently of human intervention. An example is algorithmic trading or an automated trading system, which trades without any human intervention to use the speed and data processing advantages that computers have over a human trader. Interestingly, this also represents one of the few prescriptive examples of PRA intervention, where it requires that a human has the possibility of stopping the trading system.[1]

At the other end of the spectrum, there are AI tools used by experts in a professional environment.  For example, actuaries might use machine learning techniques to undertake experience analysis and support reserving work.

Between these two examples, you have AI tools that provide a forecast or recommendation for consideration by an analyst.  For example, the AI tool could provide a credit rating that validates a rating derived using more traditional methods.

Another middle of the road alternative is ‘management by exception’.  This means that the AI tools have a degree of autonomy to operate within a ‘norm’, which is inferred from historical data.  Cases that are outside the norm are then referred to an analyst for consideration to improve and verify the predictions. 

These are business choices and in turn have implications for the development process of AI tools. You would expect controls around data and model documentation in all cases. But broadly speaking you would also expect tighter control and more intense validation for AI tools that operate more independently of human intervention. This includes the depth of understanding of the model, including:

  • explainability – why did the model do that;
  • transparency – how does the model work;
  • the impact on customers – e.g., the difference between Netflix recommendations and credit card underwriting.

The choices of operating model also have important implications for staff training. Staff who operate AI tools but have not been involved in their development must be trained to the appropriate level to ensure that the AI tool operates effectively. For example, where ‘management by exception’ is adopted, staff would need the appropriate knowledge and skills to deal with the exceptions.

There are important choices for the operating model into which AI tools are deployed.  These choices have risk management and control implications and these choices may change over time.  An AI tool might start operating in an advisory capacity.  As trust in the AI tool increases then the delegated decision making can be increased.

These implications and choices should be considered as part of the model design.




*  This post is based on my contribution to a virtual panel discussion organised by ActuarTech on AI Governance & Risk Management.

[1] Prudential Regulation Authority (PRA), Algorithmic trading, Supervisory Statement, 5/18, June 2018.


Wednesday, 26 February 2020

Good risk management is not just about good ideas



One might say that this is stating the obvious and that it is understood that implementation also matters.  A recent FCA enforcement case against Moneybarn would suggest that it is not so obvious after all.

Moneybarn is a lender that provides motor finance for used vehicles to ‘non-standard’ customers.[1] The case against them related to the regulatory expectations for treatment of and communication to customers that fall into financial difficulties, i.e. the exercise and communication of appropriate forbearance by the lender.  Here, we seek to tease out the implications of this case for the risk management activities of FCA regulated business.

1.  Appropriate policy design

As one would expect, policies need to cover the appropriate ground.  This can include articulating the appropriate range of options (in this case, for customers forbearance and resolution), the considerations that would be taken into account and the governance that would apply to different options. 

It is worth noting that in this enforcement case, it appears that the FCA had no obvious concerns about the relevant policies and procedures reviewed.  

2.  Implementation

The challenge is how these policies and procedures are translated in the business, e.g. whether the call scripts are consistent with the policies. In some cases, this means that calls would be far from “linear”. Customer service agents will have to consider a range of options and guide the customer. This would have implications for the training and tools available for customer service agents.

The FCA notes that “from the review of the sample the use of any other forbearance options”, other than clearing their arrears over a short period of time, “despite the fact that policies and procedures referred to other available options”.   

3.  Monitoring and assurance

There is usually a combination of first line monitoring and oversight by 2nd and 3rd line functions.  To some extent, who provides assurance becomes less important than whether assurance is provided.

It is important to recognise that assurance should be provided about the processes and about the outcomes.  Where the nature of the issue involves considering customers’ individual circumstances in response to financial difficulties, then it is important to evidence that the range of options set out in the policy have been delivered.   This is more challenging to monitor than following a process. 

It is interesting that in this enforcement note there are no references to assurance or to the role of 2nd and 3rd line functions.

4.  Regulatory relationship management

The FCA’s initial engagement starts with a seemingly low-profile review of a “limited number” of files and call records leading to a visit in July 2016 to assess forbearance and termination practices. There were then several interactions with the FCA in September 2016 and January 2017, leading to a formal request for imposition of a requirement in June 2017 and eventually enforcement action. One must wonder if a more proactive engagement with the FCA would have prevented the escalation to enforcement.

It is usually noted that proactive engagement with the FCA and the issues raised would have been expensive. Hindsight may be a powerful tool, but it is not clear that the cost of proactive engagement would have exceeded the enforcement costs, which ended up being very substantial – the fine of £2.7m, the impact on senior management’s time, and the £30.3m of compensation paid to customers potentially affected by these failings.

This post is part of the materials discussed in episode 3 of RegNut Podcast.






[1] Non-standard customers are those that cannot access finance from mainstream lenders because they have a poor or no credit history or past problems with credit due to unemployment, ill health or other adverse events.

Monday, 27 January 2020

Operational Resilience


By Shirley Beglinger, Advisory Board Member, Crescendo Advisors

In today's interconnected financial world, "organisational resilience" must be taken to mean much more than just "a fully tested disaster recovery plan". Regulators are requiring boards to see beyond the walls of their own firm and identify its position in the economic, IT and service-delivery ecosystem with an emphasis on important services provided. This is a completely different perspective on risk.  Boards and CROs need to reconsider many tried and tested risk methodologies and metrics.

In reviewing the drivers of potential operational disruption, the CRO may identify several which are difficult or expensive to address. "Reliance on legacy infrastructure" for example will likely lead to a lengthy boardroom discussion of the expense and dangers of IT integration projects. Supply chains and data sharing quickly lead to the realisation that even if the firm's own arrangements are top-notch, there are probably other firms in their ecosystem who may not have the same level of preparedness.

Having identified potential sources of disruption, the board must then quantify potential costs (internal and external) and assess the ability to recover from severe and plausible scenarios of operational disruption and compare these with the firm's stated tolerance for operational disruption. Where necessary, remediation plans must be put in place.

While no board member wishes to explain to the regulator why their firm was the first domino in the ecosystem to fall over, such far-reaching change needs to be carefully managed.  To implement these requirements firms will benefit from a pilot that enables them to develop an understanding of the steps that would be required.  This will be less disruptive and more beneficial than a firm-wide initiative.

However, the need to scale up means that firms will need to identify or acquire in-house "resilience capabilities". A key aspect of the output from a successful pilot project would be to identify exactly what capabilities are required and how they can best be embedded within the firm's business.




Thursday, 1 August 2019

ERM in Three Lines*



One of the challenges with enterprise risk management (ERM) is how much is written on the subject.  I find it useful to identify the key components.  This provides a structure to sort out the detailed views and comments, though it is also more than that. If you are a busy CRO or senior risk leader, identifying the key components enables you to take stock and think about challenges and improvements that may be relevant to your priorities. 

Here is an attempt to sum up ERM and provide that clarity in three headlines.

1.  A vision of the ERM purpose

My preference for financial services is ‘protect and enable’. This highlights that risk management is more than just about avoiding the downside; it is about how risk management supports decision making, including the role of the CRO in that decision making. (More on ‘protect and enable’ and different views from practitioners shared on Crescendo Advisors’ blog are available here.)

2.  An articulation of how to deliver and embed ERM in the business

This is your ERM framework, roles and responsibilities, policies, and risk appetite. They must provide the right balance between the level of detail and clarity to create a durable product and support business implementation.

3.  Evidence of the outcomes of vision and articulation of ERM (1 and 2 above)

This is the outcome of the ERM, i.e. the assurance that is provided to the Board. This means that a feedback mechanism that supports improvement is in place. This is partly about risk or thematic reviews, but it also represents a wider perspective that involves 1st line and 3rd line as well. I also find that focusing on assurance is more ‘real’ than a discussion on the extent to which processes are implemented or embedded.

At the risk of oversimplifying, here is my own take on the UK insurance business position on these three aspects:
  • The articulation of the ERM vision is progressing but there is still work to be done. There is a sense that, broadly speaking, people operate according to the ‘protect and enable’ vision without articulating it as clearly as it could be.  
  • Good progress has been made articulating how to deliver and embed ERM in businesses; all businesses have ERM frameworks and policies in place.  Some are considering external reviews after the frameworks have been in place for some time.  
  • The biggest challenge ahead is evidencing ERM implementation and providing structured assurance to the Board about ERM expectations. This is a challenge for risk management function (risk reviews?), first line (business and control reviews?) and internal audit (coordinate with first and second line?).  Please get in touch if you want to receive a paper with initial thoughts on this challenge. 

Do you agree with these views about the insurance sector in the UK? How about banking and asset management? How is this seen in other countries?

*  No pun intended about the three lines of defence.


Thursday, 18 July 2019

AI and Risk Management


Earlier this year, I gave a presentation to a group of actuaries - the Network of Consulting Actuaries - on the challenge of adopting Artificial Intelligence tools in Financial Services and how risk management can help. I have transformed the speaking notes into a paper - here.

Happy reading!



Thursday, 4 July 2019

3+1 Types of Digital Transformations and How to Prioritize Them


A former insurance CEO once said that if you want to understand risk in financial services, you should start by looking at the products you are offering. I have been exploring how incumbents in financial services, and specifically risk management, should change to embrace FinTech. Inevitably then the subject of ‘digital transformation’ comes up. I have been speaking with various colleagues and friends recently and I realised that there are rather different forms of digital transformations with different implications for risk management and the business.  Here is my take on the various types. 

1.  Data-driven

Someone in the business takes the initiative and starts collating, curating and using the many data sources in the business to address specific analytical issues and enhance the quality of decision making.  This represents a bottom-up transformation with potential transformational features. 

In this case, buy-in is unlikely to be an issue. The main risk management challenge may arise from the scaling up of this initiative. For example, scaling up may involve using external data rather than internal data or bringing new technology to store the data, e.g. a data lake, which needs to be integrated into existing systems. It is also important that the consideration of analytical issues in the business factors in the need to maintain (and enhance, where necessary) an understanding of the risk profile of the business. For example, if additional data allows the business to modify its underwriting approach in a significant way, you should also consider how the (different) exposures would be monitored. There are a couple of examples here.

2.  Enhancing Customer Journeys

This can be about how customers are serviced, given their existing journeys, and might include enhancing the front-end applications or rolling out new IT equipment to service customers. Alternatively, the transformation may be about changing or enhancing aspects of customer journeys. This might include, for example, introducing chat-bots as part of customer journeys (e.g. claims management) or applying an artificial intelligence-based tool to a specific process (e.g. underwriting).

This type of transformation has become the most visible form of digital transformation thanks to the various accelerators that incumbents in financial services have created. The challenge of buy-in is typically addressed by specifying that the accelerator should partner external providers with business leaders for whom the technology may be relevant. The impact on the risk profile of the business is also dependent on the specific transformation and should be considered from the outset. 

3.  IT-enabler

There are cases where the legacy systems become the main challenge and where the adoption of cloud-based services can be part of the answer. There are several approaches here, ranging from incremental steps to a ‘big-bang’ approach. One interesting idea is focusing on reducing the functionality of the legacy system and replicating that outside using new technology. 

These transformations may be motivated by concerns about operational resilience in the short term but might also support the transformations outlined above and enable more effective risk management. 

4.  Digital ‘Non-transformation’

This involves applying new technologies in the context of a new product line where there is no transformation as such. This clearly avoids the transformation in the short term but it can also provide the business with the means to build confidence in specific technologies (AI, blockchain) and the capability to execute and bring on board new technologies.

These types of digital transformations are not mutually exclusive, but it is important to be clear that they are different. Equally, they are not substitutes for each other and the real challenge is prioritising between them. This will inevitably vary between businesses, though I believe that there are standard considerations shaping the priorities such as the need to change the culture in order to mobilize the business for the digital era and the state of the core IT infrastructure, including the need to leverage technology as an enabler.  

What do you think about these categories? 


Monday, 27 May 2019

The New and the Old in Risk Management


I have been writing about the new and the old in risk management over the past year. This starts with the slow pace of adoption of FinTech by incumbents in financial services. I have suggested that an important component of the change needed includes incumbents amending and enhancing risk management frameworks to reflect new FinTech innovations. (See my last post on the subject.)

Recently, I came across an article from McKinsey that makes a similar point in the context of model risk and the adoption of artificial intelligence (AI) and machine learning. It turns out I am in good company! 

McKinsey’s article notes that banks have developed and implemented frameworks to manage model risk, including model validation reflecting specific regulatory frameworks, in this case from the US Federal Reserve (here). They recognise that the implementation of these frameworks is not appropriate to deal with the model risk associated with AI and machine learning. Banks are therefore proceeding cautiously and slowly introducing new modelling approaches even when these are available.

The article then shows how a standard framework for model risk management is used to identify extra considerations required for this framework to cover appropriately AI and machine learning models.  The key message is that the challenge of adopting AI and machine learning can be addressed through a careful consideration of existing approaches. 

Two further thoughts from McKinsey’s article. Firstly, the article rightly refers to model management rather than validation. It is always useful to reiterate that model validation undertaken by the risk function is just a component of how models are managed in the business. Secondly, model management should not apply only to internal models used to calculate regulatory capital, but should apply more widely to models used in the business such as those used for pricing, valuation of assets and liabilities.

The article ends with a cautionary tale of an unnamed bank where the model risk management function took initial steps to ready itself for machine learning models on the assumption that there were none in the bank. It then discovered that an innovation function had been established and was developing models for fraud detection and cybersecurity.
