4th July 2023
Operational resilience isn’t just about the steps we take to protect ourselves from critical incidents, but also the steps we take to respond to and recover from them.
We can’t predict, or protect ourselves from, everything that could happen in the insurance sector. But knowing the steps, and having them in place, to keep delivering for customers and to come back stronger from things that cause organisational disruption is all part and parcel of operational resilience.
And with the European Insurance and Occupational Pensions Authority (EIOPA) Risk Dashboard 2023 data revealing that, despite the insurance sector proving its resilience in the face of macro and cyber risks, the materiality of these risks remains high for the industry, it’s imperative that as a sector we know how to respond and recover.
Let’s explore this further.
A critical incident is defined as a threat to the operation, reputation, or safety of an organisation which is typically unexpected and requires rapid and effective decision-making to overcome.
These threats can involve anything from a natural disaster that destroys your physical infrastructure and equipment, to a cyber security attack via hacking or phishing, or even a critical third party’s infrastructure going down. And while all of these will likely come as a surprise when they do happen, it’s imperative that you do everything you can to protect your own business and your customers from these disruptions.
With that being said, the FCA do acknowledge that there is only a certain level of protection that an organisation can implement. And there is always a risk of threat, no matter how many measures have been taken to prevent it—especially in a fast-paced and highly regulated market such as insurance. But as long as the regulatory bodies are satisfied that you have sufficient operational resilience strategies in place, you won’t face the penalties associated with these critical incidents, such as large fines or license revocation.
A comprehensive response and recovery plan needs to consider:
Despite being unable to predict every eventuality, there are some things insurers can do to help get their organisation critical incident ready. While these steps can’t necessarily protect you from all threats, they can help you get back to business and recover from a critical incident much more quickly.
Here are some of the steps you can take:
Playbooks are a common tool used by organisations across all industries to provide a written record of all processes related to their operational resilience strategy. Your playbook should include everything from the important business services and critical functions you offer to the people, processes and equipment related to these services. Documenting this can help you to identify any capability gaps within your teams or processes, so you can work efficiently and effectively to fill them.
Your playbook should also document the response and recovery protocol for each part of your business, to ensure everybody is following a standardised procedure to minimise disruption and protect your customers as much as possible. And don’t forget that your outsourced business processes are an integral part of your value chain and need to form part of your playbook.
Once you’ve created your playbook, it’s important that you share it with your wider workforce, ensuring the messaging is consistent for all parties. This means putting your playbook somewhere that’s accessible to everyone who may need it, without compromising the confidentiality of your procedures and measures. The playbook will need to be updated as and when a critical incident occurs and as the situation changes.
Similarly, having pre-prepared communication templates that can be filled in as and when your insurance firm needs to update interested parties can ensure your messages are swiftly put out, and are always consistent regardless of who they come from.
When you’re in the middle of a critical incident, it can be difficult to think of a positive. But these incidents have the potential to feed into improved actions and plans for mitigation and recovery. Similarly, don’t overlook the invaluable learnings near misses can give you.
Whatever the threat, it’s important that you document this in your playbook to learn how you dealt with it, highlighting what worked and what needs amending. This can open up discussions with your wider workforce, stakeholders and outsourced partners who may be able to think of outside-the-box solutions for the next threat that could come your way.
Need help building and implementing an effective operational resilience strategy, or benchmarking your existing strategy? The experts at Davies can help. So, get in touch today.
To learn more about why ignoring significant financial risks, such as regulatory fines, revenue damage and increased costs, could threaten an organisation’s long-term survival, download our white paper.