4th July 2023
Critical incidents for an organisation can arise from many causes: failure of procedures or protocols, compromised security measures, third-party suppliers failing to deliver services, natural catastrophes, pandemics and even war. More often than not, this comes down to a lack of operational resilience to prevent these incidents from taking place. The common thread is that, wherever they stem from, they impact the insurance firm's ability to deliver the customer outcome. Not only can this result in financial loss, it can also significantly damage your company's reputation, especially when you operate in a market as highly regulated as insurance.
In some cases, failing to be operationally resilient can result in hefty fines, revocation of licenses, and possible business closure.
In other words, understanding how to prevent and mitigate critical incidents is crucial for the survival of your insurance business. Let’s dive a little deeper into this.
The Operational Resilience Framework was created by the Bank of England, the PRA and the FCA in 2019, when they laid out their proposals in the policy statement Operational resilience: Impact tolerances for important business services. The regulations came into force on 31st March 2022, with a 3-year transitional period for insurers to demonstrate that they are operating within their impact tolerances.
While the regulatory bodies acknowledge that service disruptions and incidents can still occur even when a company has made strong efforts to protect its assets, they want the framework to reduce the knock-on effect these disruptions can have on customers and markets.
For insurance firms specifically, this can mean creating a complex operational resilience framework that accounts for continuously changing customer requirements, third-party risk, and the use of technologies, software and data storage systems that are either on-premises or, increasingly, cloud-based.
Under the Operational Resilience Framework regulations, insurance firms will need to fulfil the following key requirements:
All of the above will then need to be presented to the insurance firm's board members and senior management and signed off.
You're only as protected as your operational resilience strategy allows. But before you start developing one for your business, it's crucial to consider the following:
As a business owner or leader, it's imperative that you understand the difference between business continuity and operational resilience. Business continuity is an important component of operational resilience, but it focuses internally on the organisation itself, whereas operational resilience considers both internal and external influences.
Operational resilience is an overarching concept, and work on it will never be complete; it requires continuous effort. Business continuity helps to achieve that, but the two need to be aligned.
To be successful, your operational resilience strategy needs to be an integral part of your company culture. And this doesn’t just mean having measures in place that your employees are aware of but treating it as a never-ending cycle that informs your teams and departments and is considered in all product and operational decisions.
The financial services sector is becoming increasingly reliant on outsourced third-party services to operate. For example, some of the most significant CTPs (critical third parties) for many insurers are cloud computing providers and claims handling services.
Identifying your CTPs is a requirement under the FCA's guidelines for operational resilience, and you need to ensure you're treating them with the same caution and preparedness as you do your internal operations. Knowing your CTPs' operational resilience plans is crucial to understanding how to prevent and mitigate critical incidents.
Any great insurance firm needs a customer-centric culture, and this means always considering what's important to your customers, particularly in light of the FCA's new Consumer Duty.
Your customers trust you with their sensitive data, and if your operational resilience efforts aren’t strong enough, you risk causing them harm in many ways. This could include a reduced quality of service, and a loss of trust.
Critical incidents cannot be avoided, but insurance firms found to have fallen short of the operational resilience requirements set out by the PRA and FCA face potentially detrimental consequences. These range from fines to having their licenses revoked and, in the worst case, full business closure. Take, for example, TSB Bank Plc, which was fined £48.65m for its operational resilience failings.
However, if a critical incident does occur and the regulatory bodies find you took all possible measures to be operationally resilient, you’ll likely be spared these negative regulatory or financial consequences.
Learning how to prevent and mitigate critical incidents can protect your insurance business from a number of negative consequences, including both financial and reputational loss. Not to mention that a strong operational resilience framework is a PRA and FCA requirement, meaning any organisation operating in the insurance space needs to have its operational resilience strategy embedded within the organisation by March 2025.
Need help protecting your insurance business against critical incidents? Here at Davies, we can help you to build and implement an operational resilience strategy to keep your business running and fulfil your regulatory requirements.
To learn more about why ignoring significant financial risks such as regulatory fines, revenue damage and increased costs could threaten an organisation's long-term survival, download our white paper.