Insure yourself: How Insurance firms can prevent and respond to critical incidents

4th July 2023

Critical incidents can arise from many causes: a failure of procedures or protocols, compromised security controls, a third-party supplier failing to deliver its services, natural catastrophes, a pandemic and even war. More often than not, the damage they cause comes down to a lack of operational resilience to prevent or contain them. The common thread is that, wherever they stem from, they impair the insurance firm's ability to deliver the outcomes its customers rely on. This can result not only in financial loss but also in significant damage to the company's reputation, especially in a market as highly regulated as insurance.

In some cases, failing to be operationally resilient can result in hefty fines, revocation of licences and even business closure.

In other words, understanding how to prevent and mitigate critical incidents is crucial for the survival of your insurance business. Let’s dive a little deeper into this.

Operational resilience in the insurance industry

The Operational Resilience Framework was developed by the Bank of England, the PRA and the FCA, who set out their proposals in 2019 in the policy entitled Operational resilience: Impact tolerances for important business services. The rules came into force on 31st March 2022, with a transition period running to March 2025 in which insurers must show they can remain within the impact tolerances they have set.

While the regulators acknowledge that service disruptions and incidents can still occur even when a company has made strong efforts to protect its assets, they expect the framework to limit the knock-on effect such disruptions have on customers and markets.

For insurance firms specifically, this means building an operational resilience framework that accounts for continuously changing customer requirements, third-party risk, and the technologies, software and data storage systems the firm depends on, whether on premises or, increasingly, in the cloud.

Key expectations for insurance firms

Under the Operational Resilience Framework, insurance firms need to fulfil the following key requirements:

  1. Identify important business services: These differ between insurance firms but could include pricing and rating engines, claims handling, the issue of policy documentation, customer service, and more.
  2. Identify critical people, processes and technology: Through a mapping exercise, insurers draw the connections between the people, processes and technology that each important business service depends on. This identifies the lines of defence and also highlights weak spots that are vulnerable to disruption.
  3. Set impact tolerances: An impact tolerance is the maximum tolerable level of disruption to an important business service, for example the longest outage the service can sustain before it causes intolerable harm to customers or the market.
  4. Carry out scenario testing: Firms need to prove that the impact tolerances they have set are realistic, so they must design a series of severe but plausible scenarios, demonstrate whether they can remain within tolerance, and show how they would reduce the effect of each disruption.
  5. Produce self-assessments: In line with the FCA's and PRA's operational resilience requirements, every insurance firm must create and maintain a written self-assessment of its compliance with the rules. This is sometimes referred to as a playbook.

All of the above must then be presented to the insurance firm's board and senior management and signed off by them.

Five questions to consider when preparing your operational resilience strategy

You are only as protected as your operational resilience strategy allows. Before you begin developing one for your business, it is crucial to consider the following:

1. Is there cohesion between your business continuity and operational resilience strategies?

As a business owner or leader, it is imperative that you understand the difference between business continuity and operational resilience. Business continuity is an important component of operational resilience, but it focuses internally, on the organisation itself, whereas operational resilience considers both internal and external influences.

Operational resilience is an overarching concept, and work on it is never complete: it requires continuous effort. Business continuity helps to achieve it, but the two need to be aligned.

2. Can you realistically embed your operational resilience strategy into your company culture?

To be successful, your operational resilience strategy needs to be an integral part of your company culture. This does not just mean having measures in place that your employees are aware of; it means treating resilience as a never-ending cycle that informs your teams and departments and is considered in every product and operational decision.

3. Have you identified your Critical Third Parties (CTP)?

The financial services sector is becoming increasingly reliant on outsourced third-party services to operate. For many insurers, the largest third-party dependencies are cloud computing services and outsourced claims handling.

Identifying your CTPs is a requirement under the FCA's operational resilience rules, and you need to treat them with the same caution and preparedness as your internal operations. Knowing each CTP's own operational resilience plan is crucial to understanding how to prevent and mitigate critical incidents that originate outside your firm.

4. Do you understand what your customers want?

Any great insurance firm needs a customer-centric culture, which means always considering what is important to your customers, particularly in light of the FCA's new Consumer Duty.

Your customers trust you with their sensitive data, and if your operational resilience efforts are not strong enough, you risk harming them in many ways, including a reduced quality of service and a loss of trust.

5. Have you taken all possible measures to protect your customers?

Critical incidents cannot always be avoided, but insurance firms found to have fallen short of the PRA's and FCA's operational resilience requirements face potentially severe consequences. These range from fines to having licences revoked and, in the worst case, full business closure. Take, for example, TSB Bank plc, which was fined £48.65m for its operational resilience failings.

However, if a critical incident does occur and the regulators find that you took all reasonable measures to be operationally resilient, you are likely to be spared these regulatory and financial consequences.

Learning how to prevent and mitigate critical incidents protects your insurance business from a number of negative consequences, including both financial and reputational loss. A strong operational resilience framework is also a PRA and FCA requirement, meaning any organisation operating in the insurance space needs to have its operational resilience strategy embedded within the organisation by March 2025.

Need help protecting your insurance business against critical incidents? Here at Davies, we can help you to build and implement an operational resilience strategy to keep your business running and fulfil your regulatory requirements.

Relevant Content

To learn more about why ignoring significant financial risks such as regulatory fines, revenue damage and increased costs could threaten an organisation's long-term survival, download our white paper.


Neil Strickland
Business Development Director – Insurance

David Ilett
Consulting Director
