Ideally, enterprise risk management (ERM) is a centrally managed process in which the chief risk officer (CRO) retains responsibility for setting overall governance policies and monitoring all risk management functions. With reactions to the financial crisis of 2008 still in full swing and new solvency and capitalization requirements coming from regulators, the reality is that the CRO is highly focused on managing financial risk. Operational risk management in the form of business continuity and disaster recovery, because of its relative maturity as a discipline, has not been adequately integrated into ERM. For many insurers, business continuity planning (BCP) remains the onus of the IT department and is seen as an IT issue, not a business problem.
The disconnection between the financial and operational risk strategies will prove to have a significant business impact in the event of a disruption due to disaster — whether the “disaster” is as major as a hurricane or as minor as a garbage truck taking down a power line. Insurers must evaluate the impact of operational risks across their distribution networks and third-party suppliers. Moreover, as merger and acquisition activity increases, the need to integrate risk management policies across the newly formed organizations becomes a day one imperative.
The catastrophic events of September 11, 2001 showed the vulnerability of many financial institutions. Business recovery plans proved inadequate for restoring business functions: Failover sites were located too close to the disaster site, key personnel could not be relocated quickly, and restoring data and information proved challenging, if not impossible.
Another finding, one that has been poorly understood, concerned the interdependencies between the financial institutions. The interdependencies between insurers and other distribution and financial organizations are as complex as the interdependencies of the banks and other financial institutions affected by 9/11. Hurricane Katrina in 2005 also highlighted additional weaknesses in the processing chain as regional banks, insurance agencies, and broker-dealer firms suffered physical losses to their places of business, shaking customer confidence.
With the high number of entities involved in the life insurance sales network, insurers are at risk. Besides maintaining a recovery plan that covers the insurance company, the insurer must consider the impact that a business failure would have on the other entities throughout the processing chain.
The low frequency of catastrophic events breeds complacency. In the first year or two after the September 11, 2001 terrorist attacks, the quality and completeness of business continuity plans improved markedly, but subsequent complacency has resulted in a deterioration of both continuity plans and the planning process.
Even seemingly mundane events can adversely impact business processes. For example, a construction crew accidentally cut through the communications cables of the wholesaling subsidiary of one major insurer, knocking out the company’s call center. Not only did the wholesaling organization and insurance company not have an integrated plan in place to roll the call center over to the home office, but when members of the wholesaling organization called the home office, the operations team didn’t even realize that the wholesaling company was part of the insurance company’s operations. As a result, the call center and internal sales desks were down for several hours.
This unfortunate event could have been avoided if the two companies had coordinated their business continuity processes in advance. In this example, an operational risk became a strategic risk by adversely impacting customer expectations through the lack of business availability. This example highlights organizational misalignment on two levels: between the two organizations, and between the technology and business units.
Business continuity planning is not a “once and done” process. Operational risk and business continuity planning must become a pervasive business process, not just a technology process. Advanced recovery planning with technology partners, suppliers, and distributors will ensure minimal disruption to customer service and processing capabilities. Continuity planning must be a top priority of insurers’ risk management organizations.
*NOTE: Originally published on SAS Voices.