Insurance broker of the year: Aon

To insure against risk, a firm must first be able to measure it. Without a granular understanding of the specific threats it may be exposed to, an institution could all too easily buy protection unsuited to its risk profile or overpay for protection it does not need – neither a desirable outcome.

Since the emergence of more sophisticated operational risk measurement tools in the late 2000s, Aon has committed to partnering with its clients to help measure their risks and, in turn, tailor insurance policies appropriate to their needs.

“Typically, the way firms bought insurance was based on their perceived exposures as benchmarked against their peers,” says Jonathan Humphries, executive director for non-financial risk at Aon. “What we’ve been saying is that having a measurement system, complete with a good risk taxonomy and forward-looking view of their risk profile, helps clients to buy insurance more effectively – to optimise the value of premium spend against risk transfer and appetite.”

Regulator-defined metrics determine firms’ minimum capital requirements. A few banks have obtained risk transfer recognition under the AMA (advanced measurement approach) framework, but the use of insurance under Pillar 1 has been limited. In contrast, Pillar 2 capital calculation frameworks provide a solid foundation and benchmark against which firms can develop robust mitigation strategies. 

The current uncertainty over what methodology will be used to generate the Pillar 1 minimums – the Basel Committee has yet to reveal its reworking of the standardised measurement approach (SMA) – has increased the focus on Pillar 2 in some jurisdictions, and hence the increased use of firms’ own systems for measuring their operational risk exposures.

“We are seeing firms investing in their own model-based methodologies to comply with national regulators’ requirements around Pillar 2, and these developments can enhance the value of insurance solutions,” says Humphries.  

For example, Humphries explains how his team worked with a large international bank to help it develop an internal measurement system to better gauge its individual event type and overall risk profile. This was then used to develop a menu of insurance solutions designed to optimise risk transfer to mitigate exposures over different time horizons, and what was identified to be a potentially catastrophic loss event.

Building frameworks to accommodate the data and models necessary to compute Pillar II capital requirements and the integration/optimisation of risk transfer is not just a fixation of the largest banks, either. Aon has assisted several lenders in emerging markets, as well as a number of independent investment firms, to hone their operational risk measurement systems and risk transfer programmes, too.

“Building a robust measurement system, which is a prerequisite for considering insurance mitigation, typically involves building a comprehensive risk taxonomy – addressing cause, then event, then effect – the establishment of complete, comparable and robust internal loss data, and the development of structured scenarios, all of which feed into a model, creating a forward-looking loss profile,” says Humphries.

“This produces more accurate estimates as to what is needed in protection for operational risk exposures such as business practices and liability, fraud, including cyber fraud, and damage to physical assets, among others.”

Cyber risk is a big concern for institutions, with recent incidents including data breaches, IT failures and cyber frauds. Aon works closely with the broader insurance industry in its efforts to respond to these threats.

“There are challenges when considering how to quantify and insure cyber risks,” says Daniel Butler, managing director, operational risk solutions at Aon. “Firstly, cyber is a risk facilitator, thus the resulting loss types and associated consequences need to be understood and quantified to enable effective risk quantification and mitigation. Secondly, whilst there have been a number high profile incidents, firms tend to have limited internal experience and thus quantification is a challenge.”

Humphries adds: “Clients are asking us to assist in the identification and quantification of cyber-related exposures and then use this to implement more effective risk transfer solutions. Structured scenario analysis, taking into account factors such as dependencies on key service providers, is a key component of assessing potential financial losses. However, there are two other considerations for cyber risk: the consequences of business interruption; and how to manage post-loss risk management. We are seeing firms looking to optimise the use of insurance to address all three components.”

Counterintuitively, perhaps, the uncertainty around the new Pillar 1 standard has breathed new life into operational risk management, where the focus is moving away from regulatory capital calculation to risk reduction and business use. In this new world, insurance has a valuable role to play in supporting risk professionals to enhance risk governance, understanding, and management outside the regulatory rubric.

“The operational risk industry perhaps was somewhat stifled by having such a focus on regulatory compliance,” says Butler. “Now it has the opportunity to stand on its own two feet and demonstrate how it can be seen as an enabler to business and wider stakeholders. The evolving, more analytical approach to using insurance provides a key component of this.”