The critical incident readiness guide: How insurers and brokers can respond and recover from critical incidents

4th July 2023

Operational resilience isn’t just about the steps we take to protect ourselves from critical incidents; it is also about the steps we take to respond to and recover from them.

We can’t predict, or protect ourselves from, everything that could happen in the insurance sector. But knowing the steps, and having them in place, to keep delivering for customers and to come back stronger from whatever disrupts the organisation is all part and parcel of operational resilience.

The European Insurance and Occupational Pensions Authority (EIOPA) Risk Dashboard 2023 data shows that, despite the insurance sector proving its resilience in the face of macro and cyber risks, the materiality of those risks remains high for the industry. It’s therefore imperative that, as a sector, we know how to respond and recover.

Let’s explore this further.

How does a critical incident happen?

A critical incident is defined as a threat to the operation, reputation or safety of an organisation. It is typically unexpected and requires rapid, effective decision-making to overcome.

These threats can involve anything from a natural disaster that destroys your physical infrastructure and equipment, to a cyber security attack via hacking or phishing, or even a critical third party’s infrastructure going down. And while all of these will likely come as a surprise when they do happen, it’s imperative that you do everything you can to protect your own business and your customers from these disruptions.

With that being said, the FCA acknowledges that there is a limit to the protection any organisation can implement. There is always a residual risk of a threat materialising, no matter how many preventive measures have been taken, especially in a fast-paced and highly regulated market such as insurance. But as long as the regulatory bodies are satisfied that you have sufficient operational resilience strategies in place, you won’t face the penalties associated with these critical incidents, such as large fines or licence revocation.

What to consider in your critical incident response and recovery plans

A comprehensive response and recovery plan needs to consider:

  • Identifying the resources required to deliver your services: This includes thinking about the people, processes, equipment and critical third parties that form the backbone of your organisation and how these map against each other.
  • Pinpointing the risks associated with your services and business as a whole: You need to think about how you’re currently managing these risks and what measures you have in place to prevent these from evolving into critical incidents. This includes thinking about any workarounds for these potential disruptions, to keep your business up and running and delivering for your customers.
  • Assessing whether your organisational governance is up to the challenge: All your business processes need to be working together towards the ultimate goal of operational resilience. This means ensuring each process has a clear owner and documented procedures, stored somewhere that everybody who needs access can reach.
  • Analysing your processes regularly and updating them: These should be benchmarked against good governance guidelines.

3 steps to improve your critical incident readiness

Despite being unable to predict every eventuality, there are some things insurers can do to get their organisation ready for a critical incident. While these steps can’t necessarily protect you from all threats, they can help you get back to business and recover from a critical incident much more quickly.

Here are some of the steps you can take:

Create an operational resilience playbook

Playbooks are a common tool used by organisations across all industries to provide a written record of all processes related to their operational resilience strategy. Your playbook should cover everything from the important business services and critical functions you offer to the people, processes and equipment that support them. Documenting this can help you identify capability gaps within your teams or processes, so you can work efficiently and effectively to fill them.

Your playbook should also document the response and recovery protocol for each part of your business, so that everybody follows a standardised procedure that minimises disruption and protects your customers as much as possible. And don’t forget that your outsourced business processes are an integral part of your value chain and need to form part of your playbook.

Communicate your response and recovery process

Once you’ve got your playbook created, it’s important that you share this with your wider workforce, ensuring the messaging is consistent for all parties. This means thinking about a way to put your playbook somewhere that’s accessible for everyone who may need access to it, without compromising the confidentiality of your procedures and measures. The playbook will need to be updated as and when a critical incident occurs and as the situation changes.

Similarly, pre-prepared communication templates that can be filled in as and when your insurance firm needs to update interested parties ensure your messages go out swiftly and stay consistent regardless of who sends them.

Learn from critical incidents and near misses

When you’re in the middle of a critical incident, it can be difficult to think of a positive. But these incidents have the potential to feed into improved actions and plans for mitigation and recovery. Similarly, don’t overlook the invaluable learnings near misses can give you.

Whatever the threat, it’s important that you document this in your playbook to learn how you dealt with it, highlighting what worked and what needs amending. This can open up discussions with your wider workforce, stakeholders and outsourced partners who may be able to think of outside-the-box solutions for the next threat that could come your way.

Need help building and implementing an effective operational resilience strategy, or benchmarking your existing strategy? The experts at Davies can help. So, get in touch today.



Neil Strickland
Business Development Director – Insurance


David Ilett
Consulting Director
