Operational Risk Management in P&C Insurance
The continuity of operational risk management is secured through the Operational Risk Committee (ORC). The ORC handles policies and recommendations concerning operational risk management within If P&C, as well as contingency plans, follow-up of risks identified in the Operational Risk Assessment (ORA) process, incidents that have occurred, and other reports related to operational risks.
The business areas have the ultimate responsibility for identifying, assessing, monitoring and managing operational risks within different units.
Identification and Management
In If P&C, operational risk is categorized as follows: process execution failures, business disruptions and system failures, customer, product and business practices, employment practices, and internal and external fraud.
If P&C identifies operational risks through several different processes. The main processes are the environmental and macro analysis, the operational risk assessment process and incident reporting.
- Environmental and macro analysis is conducted by the Corporate Strategy unit on an annual basis, where the key trends affecting the insurance industry are identified and their implications for If P&C are assessed. On this basis, the main opportunities and threats are identified and prioritized. These assessments outline the most important external operational and business risks.
- Operational risk assessment (ORA) is a quarterly process where operational risks are identified and assessed in the different business units through interviews and workshops. After quarterly ORA follow-up meetings, the operational risks are reported to ORC. In addition, legal risks and some business risks are captured in the ORA process. The quarterly reporting is used as a basis for an overall risk assessment of an annual cycle, where the identified risks are analyzed and prioritized in all of If P&C's business areas and corporate functions as a part of the annual business planning process.
- Incident reporting and analysis is arranged in different ways depending on the type of the incident. Some incidents are collected through a separate incident database and others are collected through controls and investigations.
In order to manage operational risks, If P&C has approved a number of policies including Contingency Plans, Security Policies, Outsourcing Policy, Complaints Handling Policy, Claims Handling Policy and other policies related to different aspects of the business. The different policies are reviewed regularly and updated as needed. In addition, If P&C has thorough processes and guidelines to handle external and internal fraud cases should they arise. Furthermore, much effort is put into internal education regarding ethical rules.