Mango3

An Introduction to Insurer Operational Risk Topic 1: Risk Management of an Insurance Enterprise Mango, Donald and Venter, Gary Guy Carpenter & Co., LLC DM: 44 Whippany Road Morristown, NJ 07960 USA Tel: 001-973-285-7941 Donald.F.Mango@guycarp.com GV: One Madison Avenue, 4th Floor New York, NY 10010 USA Tel: 001-917-937-3277 Gary.G.Venter@guycarp.com
Originally published in a modified format inEnterprise Risk Analysis (Guy Carpenter & Company, LLC, 2007) pp. 144-172. Reprinted by permission of the author and the publisher.

1. Definition The use of the term “operational risk” in banking first came to prominence in the mid-1990s and, along with the major banking scandals around that time, in many ways contributed to the evolution of the role of the Chief Risk Officer. This is a rolethat is spreading from the banking industry to the insurance industry. Operational risk is defined by the Basel Committee on Banking Supervision as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” [1] This definition is deceptively short for such abroad area. To elaborate, the Basel Committee issued a July 2002 consultative paper, “Sound Practices for the Management and Supervision of Operational Risk,” where they defined the following seven types of operational risk loss events at category level 1 [2]: Internal fraud. Acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excludingdiversity/ discrimination events, which involve at least one internal party. Examples include intentional misreporting of positions, employee theft and insider trading on an employee’s own account. External fraud. Acts by a third party, of a type intended to defraud, misappropriate property or circumvent the law. Examples include robbery, forgery, check kiting and damage from computer hacking.Employment practices and workplace safety. Acts inconsistent with employment, health or safety laws or agreements, or which result in payment of personal injury claims, or claims relating to diversity/discrimination issues. Examples include workers compensation claims, violation of employee health and safety rules, organized labor activities, discrimination claims and general liability (forexample, a customer slipping and falling at a branch office). Clients, products and business practices. Unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. Examples include fiduciary breaches, misuse of confidential customer information, improper trading activities on thebank’s account, money laundering and sale of unauthorized products. Damage to physical assets. Loss or damage to physical assets from natural disaster or other events. Examples include terrorism, vandalism, earthquakes, fires and floods. Business disruption and system failures. Disruption of business or system failures. Examples include hardware and software failures, telecommunication problemsand utility outages. Execution, delivery and process management. Failed transaction processing or process management, and relations with trade counterparties and vendors. Examples include data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance and vendor disputes. The committee definedsubcategories of these loss events at category level 2 and further suggested example activities at level 3. However, the committee has left it to the banks to define appropriate heterogeneous groupings. While inevitably banking focused, the Basel Committee definition has gained substantial visibility and acceptance as the field of ERM has developed over the last ten years. However, there is not yet...