Last Updated 1/23/20
Operational risk has played a role in many of the banking industry scandals taking place over the past two decades. As the financial system has become more interconnected and complex than ever before, the challenge of understanding and mitigating operational risks has increased. Improvements in operational risk management (ORM) have taken on greater focus and visibility within the financial services industry and in many other industries. In recent years, the NAIC, through its Solvency Modernization Initiative (SMI), has been exploring ways to increase the regulatory focus on operational risk. In addition, as a result of the Solvency II regulations, many large European insurance companies have begun to establish formal ORM programs.
Overview: The International Association of Insurance Supervisors (IAIS) defines "operational risk" as the risk of adverse change in the value of capital resources resulting from operational events such as inadequacy or failure of internal systems, personnel, procedures or controls, as well as external events. It refers to risks that result from shortfalls or inadequacies in the management of otherwise quantifiable risk, and from unforeseen external events that can impact an insurer. Operational risk potentially exists in all business activities; it encompasses a wide range of events and actions or inactions, such as fraud, human error, accounting errors, legal actions and system failures. Many of these problems arise during the course of conducting day-to-day business operations and are typically managed with little or no incident.
Operational risk became recognized as a major risk class in the mid-1990s following a number of large-scale insolvencies in the banking industry that were caused or exacerbated by events outside of market and credit risk (e.g., Orange County, 1994; Barings Bank, 1995; and Daiwa Bank, 1995, among others) and that undermined confidence in the banking system. In these cases, significant losses were incurred due to operational risk failures. In response, the Basel Committee on Banking Supervision (BCBS) released a proposal in June 1999 to replace the 1988 Basel Capital Accord (Basel I), which applied to all banks in the U.S., with a new risk-sensitive framework. The initial consultative proposal introduced an operational risk category and corresponding capital requirements. Currently the BCBS is rolling out a Basel III standardized approach that is expected to be fully implemented by 2022 for all internationally active banks.
As operational risk has become recognized as a distinct risk category, the value of effectively managing operational risk has increased considerably of late. In recent years, cyber risk has come into focus as an operational risk for insurance regulators to address, given the increase in cyber incidents, including data breaches, identity theft, ransomware attacks and denial-of-service events. Such incidents can have a material impact on capital through restoration and remediation costs, lost revenue and regulatory penalties. Cyber risk insurance is becoming a more popular product that is used to mitigate this operational risk.
Operational risk remains difficult to identify and assess because its causes are extremely heterogeneous, which makes developing statistical models for operational risk challenging. A sound operational risk model extends well beyond the confines of a formula-based quantification. It encompasses a company's business activities and is an integral part of an efficient enterprise risk-management framework. An insurer's underlying operational risk profile should be thoroughly reviewed across its range of business activities in order to identify and estimate the model input requirements. The principal challenge is to combine two essential sources of information: empirical loss data and expert judgment.
Many companies have been leveraging the experience of the banking industry, which has been focused on operational risk for more than a decade. However, historical data on the frequency and severity of losses are often not available. Thus, uniform historical data upon which operational risk capital charges could be built are lacking. Organizations such as the Operational Risk Consortium (ORIC) have begun to collect data from participating financial institutions to develop operational risk loss data consortiums. ORIC was founded in 2005 to advance operational risk management and measurement. It facilitates the anonymized and confidential exchange of operational risk data between member firms, providing a diverse, high-quality pool of quantitative and qualitative information on relevant operational risk exposures.
Status: State insurance regulators, working together through the NAIC, have been looking at whether and how best to incorporate internal and external aspects of operational risk more explicitly into the risk-based capital (RBC) formulas. In 2013, the Capital Adequacy (E) Task Force turned its attention to operational risk. The Task Force's Operational Risk (E) Subgroup was charged as follows: "Evaluate options for developing an operational risk charge in each of the RBC formulas and provide a recommendation to the Capital Adequacy (E) Task Force as to treatment of operational risk in the RBC formulas." The Capital Adequacy (E) Task Force adopted the operational risk charge using a "percentage of overall RBC after covariance" approach, and it was effective for 2018 year-end reporting. In 2019, the Capital Adequacy (E) Task Force sent a referral to the Group Solvency Issues (E) Working Group suggesting areas where further guidance could be developed to improve regulators’ analysis and assessment of operational risks.
Recent NAIC initiatives have also resulted in the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (#505), as well as corporate governance standards, as qualitative means for considering internal operational risk and some aspects of external risk via a group-wide assessment. An Own Risk and Solvency Assessment (ORSA) will require insurers to self-assess reasonably foreseeable and relevant material risks (e.g., underwriting, credit, market, operational and liquidity risks) that could have an impact on an insurer's ability to meet its policyholder obligations.