Last Updated 2/1/2023

Operational risk has played a role in many of the banking industry scandals taking place over the past two decades. As the financial system has become more interconnected and complex than ever before, the challenge of understanding and mitigating operational risks has increased. Improvements in operational risk management (ORM) have taken on greater focus and visibility within the financial services industry and many other industries. In recent years, the NAIC, through its Solvency Modernization Initiative (SMI), has been exploring ways to increase the regulatory focus on operational risk. In addition, as a result of the Solvency II regulations, many large European insurance companies have begun to establish formal ORM programs.

Overview: The International Association of Insurance Supervisors (IAIS) defines “operational risk” as the risk of adverse change in the value of capital resources resulting from operational events such as inadequacy or failure of internal systems, personnel, procedures, or controls, as well as external events. It refers to the risk that results from shortfalls or inadequacies in the management of otherwise quantifiable risk and unforeseen external events that can impact an insurer. Operational risk potentially exists in all business activities; it encompasses a wide range of events and actions or inactions, such as fraud, human error, accounting errors, legal actions, and system failures. Many of these problems arise through conducting day-to-day business operations and are typically managed with little or no incident.

Operational risk became recognized as a major risk class in the mid-1990s following several large-scale insolvencies in the banking industry (i.e., Orange County, 1994; Barings Bank, 1995; and Daiwa Bank, 1995, among others) that undermined the confidence in the banking system. In these cases, significant losses were incurred due to operational risk failures. In response, the Basel Committee on Banking Supervision (BCBS) released a proposal in June 1999 to replace the 1988 Basel Capital Accord (Basel I), which applied to all banks in the U.S. with a new risk-sensitive framework. The initial consultative proposal introduced an operational risk category and corresponding capital requirements. Currently, the Basel III standardized approach is expected to be nearly fully implemented by 2025 for most internationally active banks.

As operational risk has become recognized as a distinct risk category, the value of effectively managing operational risk has increased considerably. In recent years, cyber risk has become a critical operational risk for insurance regulators to address given the increase in cyber incidents, including data breaches, identity theft, ransomware attacks, and denial of service events. Such incidents can have a material impact on capital through restoration and remediation costs, lost revenue, and regulatory penalties. Cyber risk insurance is becoming a more popular product to mitigate this operational risk.

Operational risk remains difficult to identify and assess as the causes are extremely heterogeneous, making developing statistical models for operational risk challenging. A sound operational risk model extends well beyond the confines of a formula-based quantification. It encompasses a company’s business activities and is an integral part of an efficient enterprise risk management (ERM) framework. An insurer’s underlying operational risk profile should be thoroughly reviewed across its range of business activities in order to identify and estimate the model input requirements. The principal challenge is to combine two essential sources of information: empirical loss data and expert judgment.

Many companies have been leveraging the experience of the banking industry, which has been focused on operational risk for more than a decade. However, historical data on the frequency and severity of losses are often not available. Thus, uniform historical data upon which operational risk capital charges could be built is lacking. Organizations, such as the Operational Risk Consortium (ORIC), have begun to collect data from participating financial institutions to develop operational risk loss data consortiums. ORIC was founded in 2005 to advance operational risk management and measurement. It facilitates the anonymized and confidential exchange of operational risk data between member firms, providing a diverse, high-quality pool of quantitative and qualitative information on relevant operational risk exposures.

Status: State insurance regulators, working together through the NAIC, have been looking at whether and how best to incorporate internal and external aspects of operational risk more explicitly into the risk-based capital (RBC) formulas. In 2013, the Capital Adequacy (E) Task Force turned its attention to operational risk. The Task Force’s Operational Risk (E) Subgroup was charged as follows: “Evaluate options for developing an operational risk charge in each of the RBC formulas and provide a recommendation to the Capital Adequacy (E) Task Force as to treatment of operational risk in the RBC formulas.” Life RBC has always had a charge for “business risk” that implicitly includes operational risk. Property and casualty (P&C) RBC and Health RBC do not have a charge for operational risk per se, but they do have a charge for excessive growth, which is recognized as a cause of both operational risk and underwriting risk. The Capital Adequacy (E) Task Force adopted the operational risk charge as a 3 percent add-on to the insurer’s RBC after the Covariance amount, and it became effective for 2018 year-end reporting. In 2019, The Capital Adequacy (E) Task Force sent a referral to the Group Solvency Issues (E) Working Group suggesting areas where further guidance could be developed to improve regulators’ analysis and assessment of operational risks.

In March 2021, the Property and Casualty Risk-Based Capital (E) Working Group adopted a proposal to remove the Operational Risk Factor from the RBC Catastrophe Risk Charge (Rcat). Before the proposal was adopted, the 3% operational risk charge was implicitly included in the contingent credit risk within the Rcat component. The purpose of this proposal is to eliminate the double counting issue since there is already a 3% overall operational risk charge in the total RBC after covariance.

Recent NAIC initiatives have also resulted in the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (#505), as well as corporate governance standards as qualitative means for considering internal operational risk and some aspects of external risk via a group-wide assessment. An Own Risk and Solvency Assessment (ORSA) will require insurers to self-assess reasonably foreseeable and relevant material risks (i.e., underwriting, credit, market, operational, liquidity risks, etc.) that could have an impact on an insurer’s ability to meet its policyholder obligations.