operational risk Archives - treasuryXL

| 30-06-2020 | Mark Roelands | treasuryXL

Insurance premium rates are reported to increase on average with about 2% in Europe, confirming the overall market trend of a hardening insurance market. Some markets have, however, seen double-digit growth in premiums, like D&O and Motor Third Party Liability. Other markets witnessed important coverage elements actually being excluded from cover, making the premium comparison apples and pears. As Covid-19 is impacting claims experience across all lines as well as causing negative investment returns, the hardening insurance market trend is expected to continue and get worse in 2020. Premium increases are to be expected and retention levels are expected to be increased.

It is therefore critical to work with your insurance broker in time to understand and mitigate effects for the treasury and insurance function. What is the action plan when retentions are being driven upwards or when cover is disappearing? What alternatives are available next to traditional insurance? Will your organisation be forced to retain risk above the risk appetite or accept double digit premium increases?
Although retaining additional risk may not be the worst solution, as premium increases may not reflect the actual risk that is being transferred and there are awareness benefits to being exposed to risks, the possibility to transfer alternatively is very valuable in the current hardening market.

Captive insurance

A captive is an in-house insurer, enabling efficient and centralized risk pooling while providing cover to operating companies and thereby bridging the gap between corporate and local risk appetite. Key arguments for establishing a captive are to smooth the impact of hardening insurance markets as well as provide additional flexibility in cover. The current market environment is therefore a textbook example for establishing an insurance entity. However, a captive is a licensed insurance company that comes with added costs and a compliance burden. This is especially true since Solvency II became active in 2016. As a general rule of thumb a minimum threshold of captive premium of EUR 2Mio would be required for a Dutch based captive, allowing for claims expenses (70-80% claims ratio), operating costs as well as building some reserves. Establishing a captive in other jurisdictions can make sense, as the route to licensing might still be feasible in 2020 (for the Netherlands at least 6 months are to be expected) as well as the opportunity of some more light-weight operational structures.

An interesting alternative to the fully owned, traditional captive is a Cell Company; either an Incorporated Cell Company (ICC) or Protected Cell Company (PCC). These alternatives provide the benefit of a shared structure (including initial capitalisation) and enable a ring-fenced environment for your organisation. In order to arrange that ring-fencing, specific legislation is required, which is found in Malta in the EU. Guernsey (leaving tax considerations aside) might be very interesting as well. Ireland and Luxemburg did give some hints for establishing cell company legislation but after Brexit this was delayed indefinitely. A Cell Company can provide the same functionality as a fully owned captive, but treasury and insurance will have to work with legal and tax to get a solid business case in place in order to address questions proactively.
Both Aon-Willis and Marsh have Cell Companies and would be able to assist, but insurers can also facilitate this (which has a lock-in effect) while there are also more independent providers like Artex, SRS (completing the top 5 of largest captive managers 2020) and firms like Atlas or Robus which can potentially be of added value as well.

Parametric Insurance

Next to captive insurance, parametric insurance is a promising route to follow.
Parametric insurance has historically been connected to weather insurance (e.g. rainfall exceeding a threshold leading to a pay-out) as well as longevity cover for pension funds (in the form of Insurance Linked Securities, Longevity Swaps). Parametric products enable a highly transparent and quick risk transfer and enable the route to other markets than the insurance market. A parametric product can be structured in an insurance structure but in a derivative structure as well. Conceptually an insurance-linked derivative will not be different than the plain vanilla currency instruments that are traded.

Covid is also attracting significant attention for parametric cover, as lockdown measures can be clear-cut triggers for parametric cover. Most importantly, for parametric cover clear risk information and data analysis is required and both are increasingly available. Increasingly better data and analysis techniques enable to minimise basis risk i.e. the risk in which an incident occurs but the derivative trigger is not being met. For instance site-specific weather stations are set up to ensure rainfall or water level at your organisations’ sites are being monitored. Increasingly, non-weather risks are being covered, for instance Ryskex GmbH and Axis Capital have worked together to develop parametric cyber-insurance cover.

Where traditional insurance has deductibles and exclusions, parametric risk transfer has basis risk which needs to be managed. Next to that other operational processes may be impacted, claims management for instance and therefore it is recommended to make a well founded and analysed decision.

Roadmap

Starting financing risks in a different manner is not a decision to be made in isolation and to be done quickly. It is a structural decision requiring a structured approach. In our practice, we use our Risk Finance Framework which is composed of (1) Foundation, the objectives to be met (2) People & Organisation, matching the organisation, policies and people involved (3) Processes, adaptive, effective and efficient (4) Data and Technology, the business case based on solid risk information.

In our view, this provides a very practical and structured approach allowing stakeholders like tax and legal to be involved throughout the process. Back planning from a January renewal date, it is critical that conversations with your broker and insurers are taking place in order to ensure no last-minute surprises are presented as a treasury or Insurance professional. In parallel, the (internal) business case can be analysed in order to make a decision.

Therefore, it is recommended to start preparations early, or actually on an asap basis.
Alternative Risk Financing can be highly interesting, but it is not an instant go-to solution and requires some preparations.

Mark Roelands

Risk and Compliance Specialist

| 21-3-2017 | Lionel Pavey |

There are lots of discussions concerning risk, but let us start by trying to define what we mean by risk. In my last article on how to manage treasury risk I will write something about operational risk. The Bank for International Settlements (BIS) defines this as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. If you want to read my earlier articles on managing the different treasury risks please refer to the complete list at the end of today’s article.

Whilst this is the last article in this series, it is actually – potentially – the most significant risk that a company can face, as there are many different ways that a loss could occur, together with the fact that when it happens the amount lost can be very large. Even if the size of the loss could be considered small, there is always the threat of reputation risk which, once identified, is very difficult to erase from the memory.

While it is possible to insure against rogue trading for a company (the risk present in the Treasury function can be quantified and qualified) it is very rare that damage is caused by just one individual – a financial version of the lone wolf theory. Operational risks tend to be interlinked – a fraudulent payment could be initiated by human involvement (either as fraud or human error) and facilitated by weak processes together with insecure technological systems.

There are 2 main areas of operational risk within treasury for a company

Internal
External

There are 3 main categories of operational risk within treasury for a company:

Computer System, Information Technology
Theft and Fraud
Unauthorised Activity

Computer System, Information Technology

A lack of robustness and deficiencies in the technology and systems contribute to circumstances for failures, errors, data losses, corruption and fraud. Internally considerable care and attention should be given to the protocol for Static Data. This encompasses all the relevant reference data for a counterparty and should be subject to at least an input and verification procedure before entering the computer system. Changes to Static Data have to be recorded, together with the proper paper trail and authorization matrix. Externally the risks relate mainly to illegal entry (hacking), together with the complete theft of data.

Theft and Fraud

Both internally and externally main areas include:

Theft – both physical and electronic
Extortion
Embezzlement
Forgery
Misappropriation
Willful destruction
Bribes
Kickbacks
Insider Trading

Unauthorised Activity

From the Treasury point of view, this is an internal activity and mainly relates to 2 types of transactions – unauthorized by transaction and or type; transactions that are not captured in the system and reported. These can lead to monetary losses (though a gain is possible – at the price of an operational risk), together with loss of reputation.
The last category clearly shows where the biggest risk occurs within a company – at the human level. Generally speaking, these are caused by incompetence, lack of knowledge, misuse of power or compulsion to act caused by external factors – extortion.
It is clear therefore that whilst the electronic systems employed by a company can be a liability if not properly programmed or safeguarded, even here, most of the errors can be traced by to human intervention.

So why are the human risks so often underestimated? Naturally a company wishes to have the feeling that its staff can be trusted (within reason). After all, the company felt that the staff were the right people to employ. It is not my intention to formulate the reasoning and thinking of people who perform illegal acts. However certain areas that can be considered include how staff are treated; the demand placed on them; the rewards given; the levels of transparency and inequity within the company; a closed-off attitude (problems in one department are kept within that department and not discussed throughout the company); the role model set by owners, directors and managers; loss of personnel, reduction in morale; disinterested and unmotivated staff.

Solutions

An effective framework of operational risk management needs to be designed and implemented within the business. This requires input and commitment from all departments within the company, meeting one agreed standard and not being shaped to every individual department’s wishes. The framework has to run and meet the requirements for all different strategies within the company.

I wish to finish with 2 examples of operational risk to illustrate how large they can be.

In 1995 the world’s second oldest merchant bank (Barings Bank) collapsed due to the actions of a rogue trader. Corruption and a lack of internal control led to a loss of GBP 827 million.

Around the same time I was employed as an international money broker working in the interbank market and travelled every day from The Hague to Amsterdam via train. As I knew the route off by heart, I read all the time – magazines, papers, books – anything. I purchased a book called “The Cuckoo’s Egg” as it seemed interesting and would pass the time away sitting on the train.
The synopsis told me that an unreconciled accounting discrepancy of just 75 cents would lead to a world of computer espionage and spies. I highly recommend reading the book to understand how a simple error can grow to show the dangers of ignoring operational risks. If you like acronyms then you will enjoy reading about the FBI, CIA, NSA and KGB – all hacked via a UNIX server at a laboratory linked to the University of California.The story is true and threatened national security.

Trust people – but do not place temptation in their way.