PS-1: The Insurance Company and Operational Risk

SEPTEMBER 2012 SEMINAR FOR THE APPOINTED ACTUARY – TORONTO (PS-1)
Moderator: Ralph Ovsec
Speakers: Tim Deacon*, Elaine Lajeunesse
?? = Inaudible/Indecipherable
ph = phonetic
U-M = Unidentified Male
U-F = Unidentified Female
Moderator Ralph Ovsec: Welcome to the 2012 Appointed Actuary Seminar. First, I’d like to take the opportunity to
acknowledge and thank all of our sponsors. At the patron level, Deloitte. At the benefactor level, Aurigen Re, Axis,
KPMG, SCOR Global . . . the Society of Actuaries and Sun Life Financial.
This is plenary session number one. The Insurance Company and Operational Risk. My name is Ralph Ovsec, I’ll be
your moderator for this session. Speaking with us at the far end, Elaine Lajeunesse from BMO, and to my immediate
left, Tim Deacon from Manulife Financial. I’ll introduce them a little bit more later.
So what is operational risk? Basel II defines it as “The risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events”. Just to give you a little bit of highlight on a couple of types and some
examples.
Internal fraud and external fraud, for example, misappropriation of assets, bribery, hacking. Some real life examples. You
may have heard SNC-Lavalin earlier in the year made some extra payments to certain people. You’ve heard of the Rupert
Murdoch newspaper’s phone-hacking scandal.
Clients, products, and business practices relating to fiduciary breaches, market manipulations. You’ve heard of Bernie
Madoff, I’m sure, and most recently we had the Libor scandal, which is still ongoing.
Damage to physical assets such as earthquakes: Japan had an earthquake last year. They were well protected against the
earthquake but what really nailed those nuclear reactors was the fact that the generators were on the same level as the
building and they got wiped out by the tsunami, so no backup generators.
And a business disruption systems failure. You can have software failures. A recent example of that one is the Knight
Capital Group earlier this year. They put a new computer program in place. It somehow woke up a dormant program
and it had the zombie effect. The old program kicked in, they lost $440 million in 45 minutes. That’s a rate of about
$10 million a minute. And then we’ve heard of the J. P. Morgan credit swap issue earlier in the year, which cost the
company $5.8 billion.
So you say that’s nice, but why are we talking about it here? We’re actuaries . . . we’re not big banks, therefore we are
immune. Really big earthquakes don’t happen in Canada. Our underwriters are very experienced. Our staff are really
nice people, they would never do that. We don’t have any operations in Africa. Somebody else develops our valuation
software. Each year we have a meeting to discuss the things we shouldn’t do. We’re insurance companies, we already
know everything about risk. We don’t use complex systems, we use spreadsheets. And lastly, actuaries don’t make
mistakes.
PROCEEDINGS OF THE CANADIAN INSTITUTE OF ACTUARIES
Vol. 23, September 2012
Seriously . . . it can happen to anyone and it can start from something as simple as a co-op student forgetting to update a
link in the spreadsheet. It can be embarrassing and it can be costly.
Let me introduce today’s speakers.
Elaine Lajeunesse is vice-president and chief risk officer of the insurance group at BMO Financial. At BMO Elaine is
accountable for leadership, overall risk leadership of the insurance business including the design, implementation, and
management of an integrated risk management framework for the insurance lines. Elaine has a BSc in actuarial science
from Laval and is a Fellow of the Canadian Institute of Actuaries, a Fellow of the Casualty Actuarial Society and also a
Chartered Financial Analyst. Outside of work, Elaine has done bungee jumping in New Zealand, hang-gliding in
Germany, and has just returned from a six-day bicycle tour in France.
Tim Deacon is senior vice-president of enterprise risk management at Manulife Financial. Tim has oversight
responsibilities for operational risk, economic capital, integrated risk measurement models and company-wide risk
reporting for Manulife. Before Manulife, Tim was director at PwC in the global capital markets group here in Toronto.
Tim holds a Bachelor of Commerce degree from Queen’s University and is a Chartered Accountant and a Certified
Public Accountant. Outside of work, Tim is an accomplished pianist and also sits on the board of several not-for-profit
arts organizations.
At this point I’ll turn it over to Tim and Elaine.
Speaker Elaine Lajeunesse: Thank you, Ralph. It’s a pleasure to be here this morning.
Speaker Tim Deacon: Good morning everyone, and thank you, Ralph, for the introduction. Elaine and I are very
excited to be here this morning to talk to you about a topic that’s very near and dear to both of us. And frankly, one that
hasn’t had a lot of airtime in these types of sessions in the past. For the life and P&C insurance industry, the topic of
operational risk is still very much a new and emerging risk discipline, certainly when compared to underwriting or
insurance risk or market risk. And we want to share our experiences with you. So we’re very honoured to have this
opportunity.
There is a number of things we wanted to go through this morning. In the spirit of back to school, we have put together
a little crash course on operational risk for you and the idea is to level set and make sure that by the end of our session
every one of you are experts in operational risk. Having established that grounding, we’re going to move in and talk a
little bit about some recent examples. Ralph had touched on a few but we thought we’d explore a few of those a little bit
further to look at some of the lessons that we can all take away from some of those loss events. And then Elaine and I will
each share our experiences about implementing operational risk within our respective organizations.
It’s a large group here this morning, but we’re counting on you to ask us some very tough questions. In the spirit of
earning CPD credits, we’ll make sure that there’s a quiz on operational risk at the end of this session.
Speaker Lajeunesse: We also will not be reading the slides. So we encourage you to download and read the slides in
detail.
Speaker Deacon: At the outset, too, we’ll make sure to be clear that all of our remarks here this morning are equally
applicable to both the life and the P&C insurance industry unless otherwise noted.
So without further ado, as Ralph mentioned, operational risk, what is it? It’s the loss resulting from inadequate failed
internal processes, systems, human failures, or external events. That’s the definition that comes from the Basel
framework. But in a nutshell, it’s anything that impacts people, systems, or processes or outside events that could impact
ourselves or our industry. So it really is a catchall of all risks. If it’s not market-related, if it’s not insurance-related, if it’s
not liquidity-related, it’s going to be operational.
The reason that this definition excludes reputational risk and strategic risk is often we think of those as residual risks in
that those are the consequences of a failed system, process or people, which will impact your reputation and can impact
your strategic plans. Really everything that we do as an organization, as individuals has an impact on operational risk.
So, what are some examples?
Speaker Lajeunesse: This is the end list. It could be different from your company. This is the list that we live by at
BMO. I don’t know for Manulife, are you using the same list?
Speaker Deacon: We would have many of the same components as well, yes.
Speaker Lajeunesse: I won’t go through the whole list, you can read this as well as I can. But I want to just talk about a
few of them. Process risk. Process risk is the one that really is often the last thought because documenting everything is
difficult, but think about it from a new employee perspective. I have been spending a large part of my summer in an
education session and one of the things that came out through educating people on risk in our company was the fact that
often you have lots of very experienced people in your underwriting or your claim adjusting and you’re not going to
document everything, but if you are a new employee and you come in, a lot of the things that are intuitive to somebody
that’s experienced are not intuitive for these people. And the systems are getting more and more complex. Process is
critical for the success of an organization.
And then fraud, everyone has talked to this. Ralph mentioned it already. There are a lot of tests for this and people get
really creative. Just think about how everyone who has software, IT, or internet, every day there’s a new virus. Every day
there’s a new way of doing things that tries to bypass the system.
Regulatory. Regulators are not going to go away. If anything, right now we are in a pendulum towards more regulation
than less regulation and it’s a pendulum that goes back and forth. In my 25 years working in the insurance industry I’ve
seen a very lax regulatory environment and a very stringent, and right now we’re more in a stringent and it’s a
consequence of, I would say, the 2008 meltdown. But it’s not going to go away, especially with AML.
The insurance industry in general tends to think that AML is not for them, it’s only for banks. And I think we are wrong
to think that way. The penalty in the U.S. is going to hit us. And the regulators in Canada are going to put a lot of effort
on that. To give you an idea of this, CAMLO, which is basically the AML office at the bank, has at least 10 to 20 people
only working on that.
And this summer we were working on launching a new product. We need to make sure that we have the proper process
in place for CAMLO and we had this whole group working together until about a week or two ago where somebody
said, “Oh it’s really great, we’re going to pass this test. But we’re not asking the client a question, so when we self-identify, so now it means that we need to change our marketing process, we need to involve more people.” And it’s very
onerous and it really bogs down the resources.
And then finance, we often tend to think that finance is not part of operational risk, but it is. It is part of what I as a
CRO need to opine on: is the business plan sound? Do the financial projections included in the business plan make any
kind of sense?
Taxation, very important on the life side more than on the P&C side. But on the life side there are lots of products that
can raise a risk of taxation. And every time I have a new product coming in to my desk I send it to our tax expert to
make sure that we are properly set up and we have a really good client experience so the clients are not adversely tax
impacted and nor are we as an organization.
Model risk is kind of the one that every single actuary I know fights. Ralph really pointed it out earlier very clearly that
when we have a software company, somebody else is coming in, it’s a black box to us and we kind of assume that that
software company is taking the risk for us. But as an organization, we are accountable for the tools that we use.
Therefore, it’s very important that we have model experts.
This list is huge. And it’s really hard for one person to wear all of these hats. So collaboration is very, very important. I
have two risk officers reporting to me. Neither of them are expert in all of these areas. I’m privileged to be working for a
company that is very large and has the resources to have experts in each of these fields. There are 17 risk categories here.
The question is, is this applicable to everyone? I believe that it is. The degree depends, and how you can implement that
is also a challenge. Tim.
Speaker Deacon: Moving forward through our operational risk crash course we’d be remiss if we didn’t touch on what
are some of the regulatory guidelines out there that address operational risk. As was mentioned earlier, the Basel
Committee on Banking Supervision through the Bank for International Settlements, back in 2003 sought out to codify
some of the operational risk practices that the banks had been following and looked to set about some supervisory
guidance. I think due in part to the large transactional nature of banks, think about the transactions that you would
incur in your own personal banking, there’s been a lot of focus in banks at a very early stage on operational risk.
So 2003 first cut of these core principles, time evolves, banking practices evolve as well and the Basel Committee sought
to update these in 2011. And really what they are, 11 core principles and these form the foundation that banks in
Canada today follow under the OSFI guidelines in terms of how their operational risk program should be structured.
They essentially cover four broad topics: governance, identification and assessment of operational risk, monitoring and
reporting, and control and mitigation. When it comes to governance, the Basel principles here are really founded on this
concept of three lines of defence and we’ll touch on that more a little later. The idea that to have true operational risk
oversight you need to have an independent function. So something that’s independent of the businesses that can have a
look and provide the appropriate guidance and oversight over operational risk.
Best practice would be to have an operational risk committee. So this would be a committee comprised of various
disciplines in your organization, both from the finance actuarial, as well as the business and operations, etc. So quite a
large group. Often IT is involved in that as well.
Every good regulatory guidance involves a lot of documentation. So really looking to codify in the standards and
principles your framework for how you’d be looking at operational risk.
When it comes to identification and assessment, these Basel principles outline an alphabet soup of related tools and
techniques. Listed here, this idea of a risk control self-assessment, an RCSA, some key performance indicators, KPIs and
these are really tools that you would look to use in your organization to assess the level of inherent risk that you have
within a particular business. So in the list of the key risks under operational risks that Elaine just went through, you
would look at your business and say, “Where is our inherent risk within our business for each one of these disciplines?”
Then you would ask yourself what mitigating controls or factors already exist to address some of these risks? And then
ultimately, once you’ve taken into consideration those controls, what’s the residual risk that still remains? And how
severe is that and what could go wrong and how much effort and focus do you need to place on that?
The key in that identification and assessment that usually gets people excited is the fourth bullet, the capital assessment
and allocation. Today, as we’ll touch on in a moment, there’s no explicit capital charge for operational risk within life
insurance and, I believe, the P&C framework as well. But that will change as it did for the banks and the challenge
here—and we’ll touch on this a bit more later—is how you go about trying to quantify something as broad and as vague
as operational risk.
And then the remaining sections around monitoring and reporting. Once you start to think about operational risk
within your business, starting to track those losses, understanding why did the loss occur? What can we learn from that?
And then you can build up a series of data to really understand your operational risk exposure and how much operational
risk the company is willing to take on.
The three lines of defence: I had mentioned that previously. Maybe just a show of hands in the room. How many people
are familiar with the concept of three lines of defence? OK, so we’ve got a good mixture of different exposures. So those
who put up your hand, we’re going to ask you to be the TAs for this course. At the conclusion of this session you’re
going to be our champions.
The idea really of three lines of defence is really delineating the idea of “risk management versus risk oversight”. And the
idea is quite simple, that the first line of defence, the front lines of the troops in the army if you can envision that, is the
business. The business is the ones who are responsible for managing their risk. The second line of defence is the risk
management folk. So people like Elaine and myself. We help to provide the oversight over the risk management that the
first line is providing. And then our good friends internal audit come along in the third line and they’re really the
adjudicators of how well our troops are doing and how well our checkers are doing.
I could be a bit cynical that there’s new emerging guidance being put out and it looks at having six lines of defences.
Within each one of these categories there’s a checker for the checker. I’ll leave it up to you whether you feel that that
level of scrutiny is warranted and necessary in your organization. But the idea here is that there is at least three clear
distinct lines of defence.
And now often in practice and certainly in our case in the early days of operational risk, these lines are blurred. And
they’re blurred because if you don’t have a mature risk management function within your organization, often internal
audit has played that role in the past and certainly have been focused on operational risk elements. The whole purpose of
this framework is really to make it clear who is really responsible for what. There are clear lines of accountability and
oversight.
Continuing on in our journey through the regulatory guidance, I have some more alphabet soup for you, this concept
called ORSA, Own Risk Solvency Assessment. This is the mother of all risk management tools and techniques. And
really the who’s who of global and domestic regulators all have some interest and excitement on this concept of ORSA
and they’re all playing a part in promulgating it in their respective jurisdictions.
In a nutshell, ORSA is a tool that really pulls together all of your risk management and capital management disciplines
to really provide a coherent set of documentation that looks at all of your risk exposures and assessing how much capital
you should hold against those risk exposures, providing stress testing to demonstrate that through time and through
stress periods you have sufficient capital, etc.
Now, the reason we mention ORSA is because operational risk is explicitly referenced in ORSA. And this is one of the
tools in which regulators are looking to make sure that companies have an assessment and understanding of their
operational risk and ideally a risk appetite to understand how much risk you’re willing to accept on the operational risk
side.
So through the DCAT process, there is an OSFI component within ORSA as it relates to stress testing, so we already
have various forms of this. ORSA for the first time is trying to pull together different parts and pieces that may already
exist within their organization and try to make it all cohesive and all in one.
Solvency II. A bit of the risk in putting together slides is that almost on a daily basis the effective dates of things tend to
slip, so this says 2014. I think the bets on the bid-ask spread in the betting pools now has this around 2015. The idea is
that Solvency II has a concept of ORSA and many of the European insurers are well progressed in that regard. And of
course our friends down south in the NAIC also have been looking at ORSA and you might have seen recently that
they’ve just published their formal ORSA guidelines.
And finally, to complete our regulatory oversight here, just a couple of other points. As I’ve mentioned, there’s no
explicit charge in the life framework anyway for MCCSR and operational risk. Many of you will have seen OSFI’s recent
roadmap for the future of capital requirements. In there is explicit mention that operational risk would be a component
and assessed. Those of you involved in the QIS process coming up this fall, stay tuned because there likely will be a
component for assessing operational risk in there as well.
Hopefully that’s everything you need to know about operational risks. It’s quite simple. It’s pretty straightforward. Not
sexy, unfortunately no stochastic modelling yet. But just plain people processes and systems.
Now that we’re all experts, I’ll hand it back to Elaine to talk about some of the evolution of the banks.
Speaker Lajeunesse: Thank you, Tim. I will start by saying operational risk was probably not even on anyone’s radar
three or four years ago. And in that time we had no common definition, everything was kind of blurry. And as is today
with the three lines of defence where everyone is kind of setting it up and implementing, operational risk is becoming a
lot clearer. There are more definitions out there and I don’t think that insurers have provided any input in this. So we’re
a bit late as an industry to the table. I think probably we are going to be kind of stuck with the decisions that are being
developed by other financial institutions.
There is no public insurer data for insurance losses yet, operational losses. The comment on this slide here is really
mainly for banks. I’m assuming that in five years whoever will be presenting on operational risk at this meeting would
probably have an industry-wide reporting of operational loss, but this is not ideal.
The last point is very true and you all know that is active regulatory oversight, it’s very, very important and I think as an
industry we need to come and step up to the plate a little bit more on operational risk, otherwise we’ll be in no place to
influence the process at all.
Operational risk, ORM in the slides, is maturing. It’s for the banks and it’s really out there and it’s very important. It’s a
force to be reckoned with. It used to be that you wouldn’t need to involve as many people as you do now and it’s shown
a lot of value, at least in my experience. The one thing that I find very important on this slide is the second bullet point
of the second bullet point, I guess.
Operational risk is everywhere. And it’s really hard for us to isolate it because if you think of a new product, you’ll have
operational risk, you’ll have market risk, you’ll have insurance risk, they’re all embedded together and that’s one of my
biggest challenges when I’m discussing risk for an insurance company. If you look at a bank, the risks are more in a tower
and it’s easy to isolate the credit risk, it’s easy to isolate the market risk. When you look at an insurance risk versus a
market risk, everything is embedded together. You develop a life insurance product, you’re going to have a long tail.
There you go, you have market risk but you also have insurance risk in the same product. And the delineation between
the risks is not as clear as one would think. Tim.
Speaker Deacon: So let’s bring this back and make it real. All we have to do is pick up the paper in the last couple of
months, or last 18 months for that matter, and you can see the real live material losses that have occurred from an
operational risk perspective. Ralph touched on some of these in his intro remarks, but I wanted to take a few and explore
them a little further.
J. P. Morgan, as was announced, I’m sure many of you are familiar. Initially thought they had a $2 billion problem
through their credit default swap trading portfolio out of their London chief investment office. The size of that loss has
ballooned over time as they tried to slowly exit the market and unwind those swaps. The reality is that that caused a
hastily arranged press meeting in advance of their quarterly results to pre-warn the market on those losses and then
instantly a team of risk professionals and investigators, etc., descended upon the organization and really sought to get to
the bottom of that exposure. I’ll touch on that in a second, some of the lessons that we can all learn from that particular
example.
Ralph also mentioned a Knight Capital example. Seemingly a good idea, let’s upgrade our trading system. Let’s go more
modern, new techniques, etc., let’s put that out in the market. But oops, some oversight on our change management
protocol, all of a sudden it started spewing out erroneous trades into the market. Took them at least 45 minutes to figure
that out before they could shut it down. Two days later they’re in an emergency fundraising exercise, calling up all their
closest friends and bankers trying to get some emergency cash.
SocGen, I’m sure all of you have heard about the rogue trading scandal that poor Jérôme Kerviel had caused for the
organization and the damage to the reputation of the organization, not to mention its market capitalization.
And the list goes on. There’s a whole suite of examples from banks both on this side of the pond as well as in the U.K.
HSBC, they were recently on for money laundering. They’re looking at at least a $700 million fine for apparently
helping aid and abet terrorists’ and drug cartels’ access to U.S. financial system.
So you say “OK, well we’re not a large bank. Thank God we don’t have an investment banking operation. That’s
interesting but poor banks, thankfully it’s not us.” Not to pick on J. P. Morgan or Knight Capital, but I do believe that
for these two incidents in particular there’s something every single one of us can learn irrespective of whether you’re a
bank, whether you’re a small or a large P&C or a life insurer. And really the key messages here aren’t the exact fact
pattern that it was a trading system or that they happened to have a credit default swap portfolio in the London desk. It’s
really around risk culture.
In the case of J. P. Morgan, the facts are obviously still coming out, but credit to the organization, when they published
their Q2 results, they had a very in-depth exposé on what happened and an investigation. And really at the heart of it,
from publicly available information, it appears that there was this risk management centre, this derivative trading book
that really helped the organization through the financial crisis. They performed very well, they seemed to be really
hedging their exposures and were making a lot of money for the company.
I think that the key there is to really make a distinction: are you a profit centre or are you a risk management centre? And
if you’re a risk management centre, any time you’re cranking out significant losses, it should be a red flag to observe just
to make sure that you understand exactly what’s going on in that particular area.
As it turns out, J. P. Morgan, like many big banks, relies on complex models to execute a lot of their trades. In their case
they have a value at risk, a VaR model that helped execute. As the story goes, they made changes to that system which
resulted in a risk exposure for that particular book that they had dropping in half. So instantly one quarter to the next,
do a simple recalibration and your risk exposure is dropped in half. Challenging because these are very, very complex
instruments, but again, it’s a chance for pause to say really do we have the risk metric correct?
Models are very useful tools to help understand risk exposure, certainly when looking at insurance products in terms of
understanding embedded optionality. They are models and they, like everything else, have limitations. So always take a
chance to pause and question the output of the model and rely on your expert judgment to overlay.
In the case of Knight Capital, I think really at the heart of that is the IT change management controls. So you may not
have a trading system that actually you used for executing trades in a public market, but you may have a valuation
system, you may have an accounting system. And any time you do those changes, it’s important to make sure you have
the parallel runs, the back testing, etc. before going live. And also the segregation of duties, making sure that again in the
spirit of the three lines of defence that there’s proper segregation amongst all the different players and there’s people who
can provide an independent third party input into the process.
We’ll now hand it over to Elaine to talk about BMO’s experience.
Speaker Lajeunesse: Thank you, Tim.
OK, so how do we approach risk management? That approach applies to all the business at BMO, so it doesn’t matter if
you’re hedging, if you’re a private banker, if you’re an insurance company, if you are in Asia, if you’re in Europe; we
have one standard, it applies for all and it really defines our risk appetite.
We want to understand and manage. What does that mean? It means that we want to be transparent about the risks that
we’re undertaking. Ralph mentioned that I did bungee jumping and I did hang-gliding and I do all kinds of crazy stuff
sometimes, at least for an actuary, and that’s my risk appetite in my personal life. That’s not the risk appetite of my
employer.
Every one of us needs to make sure that we understand what is the risk appetite and the culture of our organization.
Because if you don’t know that, anything you’ll do will not stick and you will be totally missing the boat. So it’s very,
very important that you define your risk appetite. That’s probably a less sexy thing about risk management. Because it’s
really boring, it’s really difficult to go and meet people and try to define what is it that we want to do and who are we as
an organization. And that’s the starting point.
And once you have that, then you can be transparent about the risk. And it’s not about finger-pointing and it’s not about
this person is not doing that and the other person is doing something different, it’s about understanding what we do and
it’s linked to the bottom point here, optimizing our risk return. Logically, any sane person will choose the highest return
for any given level of risk.
Reality is not that way. You have people who sponsor a project. They may be more or less powerful in your organization.
And that’s where risk comes into play. Our role is really to make sure that we are looking objectively at risk and it applies
to operational risk as well as other risks.
We want to protect our reputation and every one of you knows RIM, everyone knows the story of the two guys that got
kicked out of an Air Canada flight on their way to China. I actually happen to know somebody who was on that plane.
It was not pretty. Our reputation risk is one of the key drivers of the share value of your organization. So it’s very
important.
Operational risk is a key driver of the impact on your organization. You want to diversify, limit your tail risk, you’re an
insurance specialist, you know that. Not everyone in your organization will have the same understanding of what tail risk
is. Yes, we have reinsurance protection often or retrocession if you’re a reinsurer. But that doesn’t necessarily cover
everything. It covers the financial impact, immediate financial impact. There are other things like Ralph mentioned. I’m
sure in Japan they had some insurance on their thermonuclear, but still not everything is covered by your insurance so
you need to have a plan.
To maintain capital and funding. Liquidity, it’s not as important for an insurance company as it is for a bank so I’ll just
go back. And, so next slide . . .
So we have this round circle model where it’s kind of a continuum. The same way that I’m now shrinking and I have
now white hair, we’re changing every day. The only constant in my life is change. That’s the only thing I know for sure
will be in my life. And so operational risk is the same way. Things that we can do today we couldn’t do yesterday or we
won’t be able to do tomorrow, it’s constantly evolving. We need to be ready for that and have a flexible framework that
allows us to manoeuvre in that and we’re not stuck in a box, and then trying to make a square hole fit into, no what is it,
the square pole fitting in a square or a hole, anyway, that expression that I can never really get it right.
What’s very important is the tone at the top. Often I’ve heard a lot of CEOs say risk management is important but when
it comes time to make a tough decision, we go and fall back on customer pressure, competitive pressure. Having a strong
operational risk framework involves making tough decisions. I will not tell you that it’s easy. It is not easy. It’s very
difficult. It’s tough to do the right thing when everyone else is not disciplined. We all think that everyone else is not
disciplined obviously.
You need to tailor your risk to your risk appetite, again. I’ve always, because I was in audit at some point in my career, I
have like a little pet peeve with internal audit because often we see them as the bad guys who come to catch us. And I
don’t think that’s their role. I think no one gets up in the morning thinking, “Oh, thank God, I’ll get something today,
I’ll get somebody.” They would like nothing more than to come in today and say, “Yes, you are walking and talking in
the same way.” And we need to be cognisant of the fact that we want to do that. We are kind of hoping that things that
we’re not doing totally right are not going to get caught.
Collaboration is the key in a successful framework for operational risk. We have 17 risk categories. Not all of them are
present at any given project, but I would say that in my experience of 14 months at BMO, probably five to six risk
categories on operational risk are always present. That means five to six other key stakeholders to be involved and to
communicate with and engage. Often operational risk, especially because it’s not viewed as the sexy thing, is also the one
thing that says you’re raining on my thunder. We’re seen when we bring operational risk as people who are overreacting,
people who are preventing the business to do business. But most of the operational assets you will have are linked to an
operational risk.
There’s lots of education. It’s a very interesting field. But you have to have a thick skin if you are an operational risk
officer. Again, strong risk culture. At some point in my life I was trying to develop an enterprise risk management and I
went to see several key executives in the organization I was working for. And some of them told me they were really
onboard and they would totally engage in this and some of them just told me, “Elaine, we really like you so if you want
to do this we’ll let you do it, but really don’t bother us too much because we have business to do.” You need to embed
the operational risk with the other type of risk with the culture.
If your president or your CEO or your board are not behind you and they’re not making it a priority, you will spin and
spin and spin and spin and never get anywhere. Operational risk, to be honest, is all about common sense. There’s no
rocket science involved in operational risk, it’s all about common sense. So if you talk to your underwriter, junior
underwriter and say, “Can you do this this way?”, they’ll say, “Of course I can do it.” But once it gets accumulated and
you have more people involved and more projects delayed because of operational risk, that’s the first thing that gets
kicked out at the curb.
We need to get away from a focus on compliance. We need to get focused on values. Compliance alone is not going to
make operational risk or risk for that matter successful in the organization. If the answer to why are we doing operational
risk or why are we doing risk management is because OSFI wants us to, you’ll get a vague, weak framework. And you’re
not going to be effective and you’ll bring no value. I personally want to bring value to any organization I work for. And I
don’t want the answer to be because A. M. Best wants it or because OSFI wants it.
I’m throwing the question back to you, what do you want the organization to stand for and what value do you want risk
management to bring to your organization? If you’re not convinced yourself, you’re not going to be able to convince
anyone else.
What are the strategic objectives for BMO? It really comes down to collaboration. You need to have a very collegial
approach to risk management, especially for operational risk. You need to dedicate resources to it. You saw the 17 risk
categories that we have presented to you. You, like no one in their right mind, can’t be an expert in all of this and the
challenge for the insurance industry as a whole, not a specific company, but as a whole, is that a lot of companies are not
big enough to have an expert in each of these categories. So the industry will have to come up with a solution to that.
Otherwise OSFI is going to dictate to you what you want or how you should be thinking about each of these risk
categories. You have to start with collaborating with other departments and not think in silos.
Then you want to avoid surprises. So risk is good. We should all take risks. All our companies are, most of them have
shares and most of them have an intrinsic value. We obviously are paid to make sure that we earn more than GICs,
otherwise anyone who invests in our company would just take their money and put it in GICs. So we need to make sure
that we are taking risks that are well understood and also are transparent. We cannot avoid operational risk; nor can we
eliminate it. It’s all about understanding the risks that we’re taking.
I read an article from 2004 recently. Reputation risk is maybe the fifth or seventh key driver of net income for the
following year. But it is the key driver of your long-term share value. So it’s really important to get it right. For an
insurance company to prove and measure operational risk, tracking of operational risk is going to be very, very
important.
It is very difficult to know what is an operational risk. Most often, because it’s common sense, people are not reporting
those losses. If you have a culture that does not encourage transparency, then you will never hear about them.
Tim mentioned root cause. It’s very, very important to understand why do we have an operational risk. Often people are
just going to see a problem and fix it, which is great and that’s what they should be doing. The next step is also to
communicate that they fixed the problem. And then we just want to make sure that we have losses so we can actually
model operational risk.
Part of the framework—and ORM stands for operational risk management framework in case you haven’t guessed yet—is
what we call the RCA. RCA is used for operational risk. You can use it for other risks, but we use it for operational risk.
It’s basically looking through each individual department and looking at each of the individual risk categories and
measuring the effectiveness of what we do to monitor and manage the risk.
Scenario testing is not unlike stress testing or DCAT. It’s just a little bit more fuzzy because it’s a lot more judgment and
there are no data. We need to also evaluate our business from an economic capital point of view rather than a regulatory
point of view. The views can be quite different. More and more the regulators are coming to an economic capital and
they’re going towards that. But they’re not equal and they don’t mean the same thing. When you evaluate any initiative,
you need to look at it from an economic perspective as well as a regulatory perspective.
We obviously as a bank have a different business model and different legal entities and we want to know overall where
our operational risks are. But for me, when I look at the insurance operation, I also want to understand where are the
weaknesses and where are the strengths. It goes both ways and we often think about operational risk or any risk as losses,
but we also have to look at it from a gain or stress test strength as well.
OK, so Tim and Ralph already talked to you about several examples. In the interest of time I will talk just briefly on this
slide.
One thing that was very interesting is while we were preparing and we were having discussions, the three of us, we talked
about earthquakes in BC and as a typical P&C-trained actuary, I said, “Well, it’s all insured.” The more I thought about
it, the more I thought, “OK, well there’s a lot of operational risks here, there’s a lot of things that can go wrong that we
haven’t planned, that we don’t have a process for and that the economic losses are going to be covered to a certain extent,
but there are many, many other losses.” What do you do with the people? How is your business continuity program?
What happened to your phone line? What happens if you cannot get material to BC and so on? I think often we’re
thinking of it just from an immediate impact on our bottom line where we need to look at it from a long-term and that’s
where operational risk comes into play.
The scenario testing, what it does is also help us look at our business from a living will perspective. So what can we
change if we have a major crisis? What can we sell? Where are the value added services and what are the things that are
nice to have? Because we often have a business case and we often have processes and products that we just do because
they’ve been approved once and that’s what we do. How often in our organization are we going back and thinking of
things we do and questioning why we’re doing it? One of the big benefits operational risk and documenting brings to the
table is it allows us to look back at what we’re doing and say, “Is this really the right thing to do? Should we do it
differently? Should we eliminate some of the things?”
AMA—I don’t know if it’s on anyone’s radar, AMA and the insurance industry, but it’s very much top of mind in the
banking industry. It stands for advanced management approach. There are three levels and obviously the banks want to
have the highest level. What it did bring to our organization was a greater transparency. We thought we were good, but
we had a long way to go. It’s an initiative that’s been in the works for about a year and a half now at the organization. At
least another six months before we go to the regulator to get our AMA accreditation.
It’s painful. Because the level of care and the level of diligence and the level of documentation that’s required to meet this
accreditation is pretty important. And you need robust capital modelling and you can imagine for operational risk,
there’s nothing robust at this time. We’ve been working really, really hard to have better modelling and I think we’re
really close to getting that.
On this slide I just wanted to bring a difference between KPIs (key performance indicator) and key risk indicator (the
KRIs). There’s a big difference and often they’re used interchangeably. How do you measure your business is different
than how you measure the risk of your business. I’ll give you an example of what I mean. I’m developing a risk appetite
for my organization right now. We’re thinking about OK, what are the KRIs that I want to use? One that was
proposed was the loss ratio. I’m thinking, “How is that giving me an indication of the riskiness of my business?”
Especially when one of your organizations is a Barbados operation that is subject to CAT events. So if I have a big event
at the beginning of the year my loss ratio is going to be through the roof, does that tell me that I’m more or less risky? It
tells me that I have really bad results that year, but it doesn’t tell me a whole lot about the riskiness of my operation.
We came up with a tail value at risk at 80%. And that’s more of an indicator. Is it a perfect indicator? Probably not, but
it’s a better indicator to tell me how is my risk level and how is it aligned to my risk appetite.
Now I’m going to hand you over to Tim. The next slide we kind of worked together and I agree with the assessment that
we put there. We are looking forward to your comments on how you see your organization or the industry.
Speaker Deacon: Thanks Elaine. The problem with going second is that that was a very, very high bar to follow. I hope
all of you took some great notes about how to implement a successful operational risk program from Elaine. Those of
you like me who will now all of a sudden have an inferiority complex about the maturity of your operational risk
programs, I do have some hope for you.
As Elaine mentioned, we’ve put together a very scientific statistically relevant actuarial exam or the study here that looks
at the range of practice amongst global banks and insurance companies. What we’ve done here on the next slide is really
looked at where do we all fit in. Obviously this is highly subjective. But on the basis that many of the banks have been at
this for over a decade, not surprisingly they’re the most mature. Working down to the European insurers, as was
mentioned earlier, the programs like Solvency 2 and other regulatory guidance in the U.K. and in Europe have really
promulgated early action for a lot of the European insurers.
Perhaps a bit surprising to some, the U.S. insurers in some cases—certainly the large ones on the life side—arguably are
ahead of the Canadian life companies. And that’s really for a variety of reasons, but in part, some of the early operational
losses that the U.S. insurance industry faced really put a lot of spotlight on operational risk and we’ll touch on some of
those examples at the very end. But that got some of the insurers started on operational risk oversight even before there
was some regulatory guidance on that. Then along comes the Canadian insurers.
Hopefully this doesn’t offend. Obviously this is subjective and individual companies can fit along the range. But we did
want to give you an impression that there are various stages and disciplines on operational risk.
Like Elaine had mentioned for BMO, in terms of corporate culture, everything that we do at Manulife is influenced by
our Pride values. Really these are a simple set of principles that everyone in our organization, all 28,000-plus employees
look to follow and it really tries to set the tone from the top and it guides our actions and behaviours. In fact, we’re often
evaluated from a performance perspective based on our adherence and demonstration of these core values.
Given the 125-year investment that Manulife’s had to build up these core values and attributes, the stakes are high.
Without proper operational risk oversight, the reputation, as we’ve seen with others on the earlier slides, can vanish in an
instant. There’s often a saying, your own personal reputation or that of a company takes a lifetime to build and seconds
to lose.
With that as the backdrop, I moved into my role at the end of March this year and like every good company professional
with limited resources and many projects on the list, I sought to pillage whatever I could from all those who had gone
before us on operational risk. In designing and looking at our program, we made use of extensive peer benchmarking,
calling up people like Elaine, friends down south of the border, overseas, etc. and really tried to understand what have
you done and learned on operational risk? What worked for you, what didn’t work for you? If you could do it over again,
how would you do it, etc.?
You’d be amazed at the insights that you can learn from it; a one-hour phone call would save you eight hours of reading
articles on the internet or regulatory guidance. Really this is a topic that because it’s so public, some view it as a
competitive advantage but it’s something we all face and, because it’s emerging, it’s something that we can all share. I
encourage all of you to take and pillage all of these slides if you like anything that you’ve heard, feel free to use it in your
own respective organizations.
Manulife had good intentions on operational risk. We looked to set up an oversight program probably a good five to six
years ago, but along came the financial crisis and clearly diverted attention elsewhere. And it was really hard to progress
the program in the way that we wanted to, given it was all hands on deck for focusing on the business matters. We did
try to push and chip along as we could throughout the last five-six years, but it’s really only been in the last 12 to 18
months where we’ve really put a lot of renewed energy and focus into our operational risk program to build it out.
What we did is looked at this in baby steps. The first thing we did is conducted some internal pilots. We took a couple
of businesses and really tried to run through an operational risk investigation and assessment process for a couple of our
key businesses. We wanted to learn from that, we wanted to understand what works for us within our own culture,
within our own framework, and really try to identify where our key risks are that we should be focusing our efforts.
We conducted a series of workshops. Very, very good input and participation. Perhaps a bit surprising to myself anyway,
there was a lot of interest in understanding what this was and how it would impact the area. I think in some cases our
lesson learned through those exercises is that we could be a lot more efficient and streamlined. The propensity to keep
going once you’ve kind of opened up Pandora’s box to try and chase down every possible risk or exposure was there and
certainly depending on how detailed the individuals you have in your organization on these particular topics, the
propensity to really focus in on those low impact type of risks that were definitely there.
I think it allowed us to sort of step back and say, “We should really be strategic about this.” I think that the key lesson
there was practical, practical, practical. Out of necessity, given all the things that all of us have on our plates every day, the
only way, in my view, at least in our organization, to have a successful implementation is to really think about it from a
practical lens.
With that insight, I set off to develop a set of core principles that I thought would help guide our operational risk
implementation. I thought this was important because I really wanted us to have a key set of criteria that we could really
evaluate it against in terms of whether or not we were successful in what we were trying to do. It also allowed me a tool
to help sell and communicate the idea of operational risk and why our businesses needed to be involved and help us with
this program. I’ll touch through a few.
The first one, most importantly, is the whole objective of this is to preserve and enhance our business value. Really, the
key is adding value. As Elaine mentioned. If I had approached this purely from a regulatory angle in saying, “We’ve just
got to do this to comply”, you’ll get a very different result and often it stereotypically can be a tick-box approach. The
regulatory guidance is there to help make sure we’re doing the right thing and it’s well thought and well researched and
obviously has been evolving. But you have to think about it from more than a regulatory compliance exercise. It’s got to
be something where you can add value.
Certainly in my case, having spent my prior life both at Manulife and before joining, helping companies implement
international accounting standards, I don’t know about you, but I was feeling a bit of regulatory compliance fatigue.
Trying to make sure that on the basis that we are in an environment where there is heavy regulation, how can we be
smart about how we implement?
With that, as Elaine had mentioned, this is really a journey and it becomes part of the culture and to do that it has to be
a top-down and a bottom-up process. It’s got to be consistent with your appetite and your strategic objectives. It may be
acceptable that certain losses could exist in certain businesses because the amount of risk/reward trade-off and the cost it
would be to implement processes and controls to really nuke out that particular risk may not be worth the benefit. You
really need to look at individual risk exposures.
The three lines of defence we have touched on. But that’s a shift in many of our organizations, I think, in Canada
historically where some of those lines were blurred, we’re really moving towards a more mature risk management
function with access and oversight as opposed to execution.
Looking at our people, process, and systems, you would think an organization our size would have an army to help
implement operational risk, but it’s not the case. We all have pressures from a resource perspective. Looking at how can
we leverage our existing resources internally and how can we be smart about this and really anoint and dedicate people
who can help with our operational risk oversight.
Perhaps most importantly, too, is materiality, as was mentioned. You can spend a lot of time chasing very small impact
areas. Looking at the high impact, lower probability, I think, is where you’re going to get the most value. Then again,
this is really a journey, it’s baby steps. We want to do this incrementally. You can’t boil the ocean all at once. You can’t
solve all of those 17 risk categories that Elaine had mentioned all at once so let’s take and learn as we go and evolve.
With that, that’s really helped to frame our approach. Recognizing that regulatory guidance is coming out and that we all
will be looking to be complying with those, we wanted to get ahead of the game. I would encourage all of you, if you
haven’t had a chance to spend much time on operational risk, to think about that because it’ll allow you to form a view
and opinion in terms of what operational risk exposure looks like in your organization.
One of the other tools that might help you in that exercise is this idea of heat mapping. Like any project, you do a good
scoping and look at your organization and really understand where the biggest inherent risk exposures are. There are
going to be pockets of your organization that are well managed, well controlled, etc. My favourite line when I go out to
speak to our businesses is, “We are risk managers.” As Ralph had mentioned, we’re insurance, we have no exposure.
We’ve never had any losses. “Go away Tim, thanks very much, leave your pamphlet on my desk and I’ll have a look at
it.”
The question I always come back with is, that’s great, that’s excellent; how do you define operational risk? What is it that
you’re talking about that you’ve got well managed? How do you know if you don’t have a way of reporting or
understanding or learning from some of your losses, how do you know that you’ve got everything managed? This is
where this scoping tool comes in because you can really help codify where that residual risk, what the inherent risk is in
that business, then considering what controls or processes you already have in place and then what’s the residual
exposure. We’re using that as a tool to help focus where our implementation efforts are and focus on those really high-impact areas first.
Coming out of it, the real sell to a business, particularly those that are well managed, is the opportunity to reduce costs.
Clearly in today’s environment that’s one of the few variables that there is control over from a management perspective.
Certainly as you go through you can identify a lot of redundancies. Maybe that’s overkill in certain areas. Maybe there
are ways of being more efficient about controlling that particular business or those risks and here’s an opportunity to add
value.
Just putting that into a bit more context in terms of the guiding principles driving our implementation, there are
different levels here. Elaine had mentioned some similar elements, but obviously like any good project having
appropriate project planning up front, making sure that governance is in place, we established an operational risk
committee about two years ago. That was before we had even implemented and the idea was to get the company used to
talking about operational risk losses, looking at external events and really trying to shift ourselves to become a learning
organization where not only did we learn from our own mistakes but we learn from others. Then we share that
knowledge internally through postings on our intraweb, and having a chance at every one of our major committees to
leave a standing agenda item at the very bottom of the meeting to talk about emerging risks. To have a round table
where you’re asking input of our business leaders, what are some of the trends that they’re seeing in their business and
where should we maybe be concerned and keep an eye on going forward?
This concludes the formal part of our remarks and in case you were thinking somehow through all of this that this
couldn’t happen to you, here’s a list of just a few insurance-specific operational losses. Many will be familiar with the
vanishing premiums. The sales practices occurred even earlier than the 1990s, but a lot of it came out in the 1990s in
terms of the settlement. Claims practice management. A lot of press, particularly in the U.S., of carriers who, with very
aggressive claims denial processes, etc., deny, deny, deny and then if the claimant’s persistent then finally award them
their claim.
Perhaps very, very common that many of you will have experienced is policyholder taxation errors. Obviously a very
complex area. It could be through a system, that the system wasn’t coded appropriately to make sure that the proper tax
and the withholding was there versus just understanding the complexity of the product and then later having the errors
emerging through time.
Something that’s very topical south of the border is escheatment laws. Looking at unclaimed property. There’s been a lot
of lawsuits around that in terms of the treatment of unclaimed property. When the property is meant to pass to the
government, and that varies by state in terms of their different laws.
If you’re like me and you’re excited by these types of things and you want to be a learning organization, there’s plenty of
websites. The FSA is quite good about posting all of the companies that they’ve issued lovely fines to for operational risk
losses over time.
With that, we’d like to open up the floor and hear some thoughts from you, and maybe get some questions that you’ve
been saving up for Elaine and I.
Moderator Ovsec: Thanks, Tim. Thanks, Elaine. Before we get to the Q&A I’d just like to make some additional
remarks. My job today was very easy. I had to talk about the housekeeping items, had to read some bios, I had to come
up with a top 10 list. I’ve been working with Tim and Elaine for the last four weeks on the presentations and I know
how much passion they bring to their work. I’m sure it was evident to all of you today.
A couple of takeaways that hit close to home. If you listen to some of your younger actuaries, they say, “What’s the
valuation system put out?” I don’t know. J. P. Morgan on a little bit bigger scale placed over-reliance on models. So it’s a
top-down, bottom-up, it’s a cultural thing. You have to get into that mentality.
On the cultural thing as well, Elaine talked about this not being a compliance exercise. If you think it’s a compliance
exercise, if you treat it like a compliance exercise, it’s not going to be real. If you take the passion, if you take the effort
and the mindset to develop a proper ORM structure and to develop the culture around that, it will work for you.
With that, I’d encourage all of you to join me in thanking our speakers this morning, Elaine and Tim, and then we’ll
open up for questions.
(Applause)
Moderator Ovsec: We’ve covered a number of topics and I would encourage you to step up to the microphones. Please
announce your name and affiliation and to whom you’re directing your question.
Allan Brender: Hi, I’m Allan Brender. Two very different questions. Let me ask you both. In the old days when you said
“risk manager”, you meant the person who bought your insurance, OK? Obviously you’ve moved totally away, it’s all
about human behaviour. But still some of the stuff, if you look at the 17 categories you have, some of these things can be
insured against. Not only the property, business interruption, a whole bunch of other things. My question is: how do
you deal with the things that you can insure by buying insurance supposedly from another company? And once you’ve
bought it, do you forget about that risk or do you still worry about it? That’s question number one.
The second question is a very human one. Managing risk sometimes means being cautious and being cautious sometimes
impinges on profit. Chief executives in this world are very profit driven. So the question is: how do you get buy-in for all
the stuff you’re doing given that there’s a natural countercultural issue here?
Speaker Lajeunesse: I’ll take the second one, Allan. How do you make this happen? By first making sure your culture is
aligned with your risk appetite. By culture, that means that your CEO, CFO, your key executives are not paid to drive
the bottom line. You have to have a culture that’s driven by top line and bottom line.
I read once this quote, I really love that quote so I’ll share it with you. I think it’s in a book by ?? [1:11:50], but it says
“Nine out of 10 people that are very bright are doing stupid things because they are paid to do these stupid things”. As
long as we will compensate executives on the profit that they’re driving, as long as the message that we’re going to send
to A. M. Best is that we need to always have bigger, better, improved results regardless of where the economy or the
competitiveness of the market is, then yes, you’re right; we’ll always have a problem.
During my presentation I did mention it’s tough to do the right thing. And it’s tough to do something that’s not like the
competition is doing. That’s true. That’s my position on that.
Speaker Deacon: Yes, I would agree with Elaine with everything that you had mentioned on that. I mean, to use a
recent example, I went to one of our business units, a group benefits business, very transactional, very processing
oriented. An area that had been focusing on operational risk right since inception to make sure that the processes and
procedures were in place. In our organization I would view that as a very mature operational risk, even if they didn’t call
it or label that. Obviously, what’s the sell, what’s the hook for them to pay attention to me or to even entertain it as a
discussion?
I think, two areas. Often over time, when you’re building up an organization, you’re putting in these processes and
controls, you don’t often have a chance to pause and look back and say, “Actually, is what we’re doing efficient? There
are too many layers here; maybe it’s overkill.” I’d like to use the angle that this gives us an opportunity to pause, refresh,
and say is there a smarter, better, faster way in which we can do what we’re doing and also to cut out some of the fat, so
to speak, in the process.
The other thing is, and when I really get a lot of resistance, the trump card is pulling out the paper and walking around
with the Wall Street Journal and chances are there’s going to be some article or issue that has emerged due to an
operational risk element. It’s a bit unfortunate. As I said, we didn’t want to pick on J. P. Morgan but I think it is a good
example because there’s an organization that was recognized in the market by ratings agencies, etc., as having a very, very
well-focused risk management discipline and the reality is things can happen. There are a variety of reasons why it can
happen, but that’s ultimately the test and you just flash that and say even the best-intentioned people still have losses and
exposure.
On the first topic, buying insurance, with any risk is an opportunity, clearly, from a business venture point of view and
certainly that is a tool to help mitigate some of those 17 categories that Elaine had mentioned. For organizations you
have to do a cost/benefit trade-off and understand: building up the processes and controls internally for that particular
risk, is that a better return from your money versus the premiums you’d be paying?
I would, just to use an extreme example, let’s say that you found a counter party to insure you against all 17 of those risk
buckets and you did the math and the premiums and the trade-off versus what you’d want to build up internally. The
classic case of the fine print. Directors’ and officers’ insurance is a great example. You’re insuring yourself against error
but noted in the bottom in the fine print is “we don’t insure against fraud”.
In reality, unfortunately because of culture and over time, fraud can be an element of that. The fine print, I would argue
that it’s almost impossible to be covered for every single eventuality under all 17 of those buckets, even if you could find
a counterparty. But it certainly is a tool and for P&C writers and other writers it’s an opportunity to see how you can
help financial institutions and other organizations protect against those losses.
Speaker Lajeunesse: While this is an opportunity for a P&C insurer, as an organization you still have your deductible
and your retention to manage. Not all the losses are covered. Fraud is one of them. But other than that, the current view
of us on the operational risk opportunity is you still have, as an executive or a manager of your company, you still have
an accountability to improve your bottom line. You can’t diversify away your premium. If you don’t do anything and
you’re not getting this, then I’m pretty confident your premium is going to increase.
I don’t think you would, and I don’t think you believe that either. I mean that you don’t think writing insurance and
forgetting about operational risk is the way to go.
Moderator Ovsec: Thanks for the question, Allan. Thanks for the response. We have a few more minutes if anybody
else has any questions.
Gary Mooney: Gary Mooney. Based on what I’ve read about a lot of abuses that have taken place, it seems to come
down in many cases to too much control or too much power in the hands of one individual. I’m wondering to what
extent in your organizations you look at the specific opportunities for particular individuals to cause major problems?
Speaker Lajeunesse: We have a very extensive culture and we have risk management committees, not only for
operational risk but for risk at large. We have also a culture in the organization where people are actually changing
position every so often. Even if you’re a key person in a specific area, every three to five years you’re going to have a new
role. Or you’re going to retire or you’re going to . . . Something will happen.
We’re not immune as an organization from that because there are people with bigger leadership qualities and they’re
better at influencing others and so we’re not immune to that. But because we make a lot of decisions on a convivial focus
and it’s really a consensus of people, we’re less exposed to a certain extent. For a small organization it’s a really difficult
thing to achieve because there’s just so many chiefs. But in a bigger organization, I’m sure Manulife is the same way,
there’s not one single person who makes a key decision.
Speaker Deacon: Yes, just to maybe add a couple of thoughts to that. Taking a CEO role, obviously the chief
commander oftentimes has veto power or final say on key decisions. I guess maybe one thought is in looking at your
organization and doing an assessment if you choose to take a risk-based approach like we have in looking at a particular
business, that would be one of the key factors. Is there a single individual who seems to have a lot of power or influence,
a lot of control? It may not be the top seat, maybe it’s just someone who is very gregarious and has a lot of influence at a
different level.
That would be one of the key warning signs, so to speak. Then you ask yourself, “OK, if that’s the case, does this person
have the ability to influence?” You look at what the compensating controls are. In this case maybe this is a pitch for the
three lines of defence and some of the guidelines that OSFI and others have put out around corporate governance and
international regulations, making sure that there are proper lines to the board of directors and the others who provide
oversight over the employees and management to the company. Is there a clear channel, a whistle-blowing line, for
example, where you can make claims, etc., so that you can do it in a safe environment where you don’t have to be up
against dealing with a very commanding individual?
Those tools—having direct access to the board, having in-camera sessions, etc.—are an opportunity to voice those
concerns and if there’s a proper culture in place, those things tend to get dealt with quickly. If you’re in a smaller
organization, making sure that the board is aware and on top of these and there’s various chains of command and
communication that you can use to achieve that.
It is a very important topic, particularly for those organizations who may not be public, etc., or don’t have the regulatory
scrutiny that other regulations impose on them, for example. If you’re a small private starting organization, that could be
a challenge.
Moderator Ovsec: I think we have time for one or two more questions, if anybody would like to venture up to the
microphone. Have any burning questions for Tim or Elaine? Looks pretty quiet on the front. Sorry?
Rob Dowsett: Rob Dowsett, old retired actuary. Twenty years ago we were talking about risks in the insurance industry
and all of a sudden we did DCAT. We thought we had a pretty good handle on risks at that time, but I guess we didn’t
think specifically about operational risk. I’m disturbed by that slide that showed the bullets, with the Canadian life
companies at the bottom with the completely white bullet, in other words no attention to operational risk. I think there
has been a lot of attention to risk in the Canadian life companies. And I’m wondering if you could comment on this.
Possibly we thought we had risk examined properly through DCAT, but we missed operational risk and we’re still
missing it, is that your view?
Speaker Lajeunesse: Thank you for your question. Our view is more it’s a matter of degree, from the ones who are
really well prepared to the ones that are less prepared. And while I agree that some large companies are more advanced
than what the slide proposed, our highly scientific survey indicates that by and large the industry as a whole has not
spent a whole lot of time thinking about operational risk.
Speaker Deacon: I knew I was going to get challenged on the statistical relevance of our sample here. I’ve just got a
couple of quick things just to add to Elaine. In fairness, the Canadian insurer line was just above that white circle so it
wasn’t quite saying that it was non-existent. I guess historically you’re right: there have been processes to stress test, look
at risk in DCAT, it was one of the main tools early on to do that.
To my knowledge, though, there’s never been an explicit requirement to stress the operational risk component of that.
So obviously a very, very heavy emphasis on market and insurance risk, credit and liquidity. But the reason there hasn’t
been is because what basis do you measure that operational risk? In the absence of data unless you’ve had a process to
collect your losses internally or externally, to construct a loss distribution as it relates to operational risk is very
challenging.
Often what I think insurers, certainly in many cases, would do is hold a buffer. The way the MCCSR regime was done is
that operational risk was implicitly covered by holding a higher threshold above the 100%, for example at 150 that
would cover these.
Among the tools and techniques for measuring the risk exposure that Elaine mentioned, there’s a basic indicator
approach that the Basel suggests. You just take a factor times net income or premiums or revenue or some sort of metric
to hold a plug, so to speak, on your exposure. But I think that slide was really to try and say the maturity of an
“operational risk” oversight program.
So it’s not that organizations hadn’t focused on operational risk, it’s not that they weren’t aware of it. Some may even
have developed internal ways of tracking losses. But the maturity of actually having a dedicated function that’s
independent and has oversight over operational risk in and of itself is still fairly young in the Canadian industry.
Speaker Lajeunesse: We want to thank you for this question. We were hoping to get a question on that slide.
Moderator Ovsec: OK, we have time for one more question.
Marilyn Dunnill: Marilyn Dunnill from Sun Life. I was just interested, you had said that in order to implement
operational risk you would be leveraging throughout the organization in order to minimize costs, that it’s not too much
of a burden. I was just wondering how you would do that? Just some of your ideas about that. The risk is that the people
doing it would then be overwhelmed and then become operational risks themselves, but just how do you balance that
out?
Speaker Deacon: Maybe I’ll start and Elaine you can add. That’s a great question. Using a personal example, I was
surprised for not having a “dedicated” operational risk oversight program for decades at Manulife how much had already
existed in our organization. To give you a couple of examples: internal audit had always been very focused on
understanding inherent risk within each one of our businesses before they’d come out and conduct an audit. So there
was a wealth of data already that had done in my example using this heat map type of idea to do a risk assessment to
figure out where to focus on. There were already a plethora of data that existed.
The other thing that I discovered and that I had recalled from my time spent with the wealth management industry. If
you’re a particular organization that might happen to have mutual fund business, the securities requirements and,
frankly, the demand from unit holders is such that there is a well-defined operational risk compliance program that
exists.
In pockets of our organization we actually had a lot of maturity on operational risk without even knowing it so we could
leverage and borrow from those practices and learn from that and extrapolate and apply it to other parts of our
organization.
But similarly, if you’re not as large or not as sophisticated, you don’t have a mutual fund, your internal audit’s fairly
small, the best place to go to is talk to your ops risk, operational individual, so who is responsible for the operations of
the particular business and just spend a lot of time interviewing them, understanding what they do on a daily basis.
Again, they may not call it operational risk, they might not use the same verbiage and alphabet soup that we’ve just used,
but I think you can gain a lot of insight in terms of understanding how do they get up in the morning and what do they
most worry about and why are they not worrying about other areas. I think what you find very quickly is that people
might have been thinking about operational risk, just not calling it that. Very quickly you can take that insight and then
leverage it for other parts of the organization.
Speaker Lajeunesse: It’s a tough act to follow such a good answer. I think it goes down to what my belief is, that
operational risk is about common sense. By spreading the work in your organization to people who are actually doing a
first line of defence. Like I don’t go around and document how you should enter a life or an insured in the system. And
if you think about it, that’s a great tool. You need to find a way to leverage what you’re asking the business to do.
Making sure that they see a value, what’s in it for them? And if you can find what’s in it for the person that you’re
talking with or interacting then it’s going to be a lot easier. At BMO we have this thing called Buco. It’s a business unit
compliance officer and basically what they do is one person in each of the units, let’s say new business, POS, claims, is
dedicated to, in their job description, meet with the compliance officer on a regular basis and they discuss compliance
issues. So it’s not adding a tremendous amount of work to each individual. But it’s bringing a lot of wealth and
knowledge to the organization.
My advice would be when you are thinking about this, think about what’s in it for them. It’s all based on common sense.
Moderator Ovsec: With those final comments, again my job was very easy. Elaine and Tim did all the heavy lifting, so
please join me one more time in thanking them for their passionate presentations.
(Applause)
Moderator Ovsec: Thanks very much. We’re adjourned.
[End of recording]
PROCEEDINGS OF THE CANADIAN INSTITUTE OF ACTUARIES
Vol. 23, September 2012