Risky business: 6 threats all insurers and brokers should prepare for

4th July 2023

Any entrepreneur will know that taking risks is part and parcel of running a business.

But taking action to protect yourself against potential threats helps your business to become what the FCA refers to as operationally resilient. This describes how well an organisation can withstand and recover from disruptive events while continuing to do business as usual, and it is especially crucial in highly regulated markets like insurance.

Let’s take a closer look at the potential risks to insurance firms, their consequences, and the regulation designed to protect businesses in the sector from these.

What are the potential threats?

As the world evolves and the business landscape changes, it is imperative for business owners and leaders to take stock of the threats that evolve alongside it. Risks do not stay the same: their severity and probability may grow or shrink depending on external factors such as the state of the economy.

To best protect your insurance firm, it is therefore crucial to continuously consider and measure these six common threats:

Cyber security: Since the Covid-19 pandemic, cyber-attacks have been on the rise, with a report from Vodafone finding that more than half (54%) of SMEs in the UK reported being the victim of some form of cyber-attack in 2022, up from 39% in 2020.

System failures: Downtime caused by system failures results in lost productivity and profitability, and this is a real risk for insurers, for example those who rely on the cloud. According to the Insurance Times, 41% of corporate decision makers were more concerned about cloud downtime than they were the previous year. As technology evolves and more organisations adopt new systems or modernised versions of old ones, strengthening change management is key to protecting against the new threats that such changes introduce.

Third-party service provider outages: When you are not directly in control of a service, you run the risk of downtime whenever the provider has an outage on their end. For example, if your insurance business relies on data being stored in the cloud and the vendor you use has an outage, you will temporarily lose access to that data. Because this data underpins your policy administration and claims handling services, such an outage can cause significant disruption.

Natural disasters: Natural disasters can take down physical infrastructure, disrupting operations and affecting both an organisation's and its third-party providers' ability to deliver to end customers.

Human error: We cannot always do everything perfectly the first time round, but if your workforce or outsourced partners are making mistakes because processes are missing or ill-defined, the business is more susceptible to costly yet avoidable errors.

Labour shortages: Any great business is made so by its team, so labour shortages can be detrimental to an insurance firm's productivity and profitability. And as we find ourselves in a cost-of-living crisis, more consumers and businesses than ever depend on the insurance ecosystem to help them cope. Without the right people on board, you will not be able to provide your essential services; your competitor might.

What are the consequences of a critical incident?

The consequences of a critical incident to your business can be vast, depending on the situation. However, they can usually be grouped under three risk areas:

Financial risks

These could include an organisation being faced with fines, sanctions, and even liability claims. An insurer may be found liable if the regulator can show that its operational resilience plan failed to protect customers properly, for example through improper data storage.

For many businesses, the cost of putting security measures in place can seem high, but after an incident you will end up implementing those measures anyway, on top of paying for the incident itself. Implementing them from the beginning can therefore save a lot of hassle and money.

Reputational risks

When you are trusted with people's personal data, and particularly their financial data, there is an added risk that a threat to your organisation will result in a poor reputation. A failure to deliver on the promises insurers make to consumers and businesses should similarly not be underestimated. Reputational damage can result in customers taking their business to another insurer or broker. You may also be held accountable for a GDPR breach if it is found that you did not take all necessary steps to secure customer data.

Operational risks

A threat to your organisation is not just stressful for you, but also for your employees, who will spend their time picking up the pieces. The pressure they feel after an incident such as a cyber-attack is likely to leave them stressed and lacking confidence in their roles.

If you are hiring, you are unlikely to attract high-quality talent, as candidates may not want to be associated with an organisation that did not demonstrate operational resilience. Your current employees are unlikely to want this mark next to their names either, so you could expect resignations.

The Operational Resilience Framework

Back in 2019, the Bank of England, FCA, and PRA worked together to set out guidelines that enable firms to strengthen their operational resilience. These bodies set an original deadline of 31st March 2022 for firms to have identified their important business services, set impact tolerances for each, and undertaken mapping of the people, processes, technology, facilities and information that support those services. This activity should also mean firms have identified any vulnerabilities in their operational resilience. The regulators then provided a three-year transitional period during which firms must demonstrate that they can remain within their established tolerances.

This means that by March 2025 mapping must be complete across all insurance businesses, and firms must have used scenario testing to show they can stay within their impact tolerances and reduce the risk of severe impacts to their customer-facing services. Insurance firms should expect these regulations to continue to evolve; for example, the FCA's Consumer Duty sets higher standards of consumer protection across financial services. Each organisation's Operational Resilience Framework will also need to be aligned with privacy laws such as GDPR.

Regulators outside the UK are also developing their own operational resilience frameworks. For example, in the EU, the Digital Operational Resilience Act (DORA) sets rules on ICT risk management, incident reporting, resilience testing, and the oversight of third-party ICT providers. The US, by contrast, relies largely on existing risk management guidance to set individual organisations' standards for operational resilience.

The cost of complacency

In the face of increased public and regulatory expectations, the pressure is on for insurance firms to improve their operational resilience. For a business in such a highly regulated market, the consequences of doing nothing can be detrimental both financially and reputationally. Ultimately, those who do not adequately implement an operational resilience plan risk their long-term survival.

Continuous planning and the development of a clear operational resilience framework are crucial in minimising the potentially disastrous impacts that these threats can have.

Need help setting an effective operational resilience strategy? Davies can help. Our expert team can provide the knowledge and support you need to protect your organisation in line with the regulators' guidelines.

Relevant Content

To learn more about why ignoring significant financial risks, such as regulatory fines, revenue damage, and increased costs, could threaten an organisation's long-term survival, download our white paper.


Neil Strickland
Business Development Director – Insurance

David Ilett
Consulting Director
