Risk Measurement and Management of Operational Risk in Insurance Companies from an Enterprise Perspective

• Date: 01 September 2014
• Author: Andreas Kolb,Nadine Gatzert
• DOI: http://doi.org/10.1111/j.1539-6975.2013.01519.x
• Published date: 01 September 2014

© The Journal of Risk and Insurance, 2013, Vol. 81, No. 3, 683–708

DOI: 10.1111/j.1539-6975.2013.01519.x

683

RISK MEASUREMENT AND MANAGEMENT OF

OPERATIONAL RISK IN INSURANCE COMPANIES FROM

AN ENTERPRISE PERSPECTIVE

Nadine Gatzert

Andreas Kolb

ABSTRACT

Operational risk can substantially impact an insurer’s risk situation and is

now increasingly in the focus of insurance companies, especially due to new

European risk-based regulatory framework Solvency II. The aim of this arti-

cle is to model and examine the effects of operational risk on fair premiums

and solvency capital requirements under Solvency II. In particular,three dif-

ferent approaches of deriving solvency capital requirements are analyzed:

the Solvency II standard model, a partial internal model, and a full inter-

nal model. This analysis is not only of relevance for Solvency II, but also

regarding an insurer’s Own Risk and Solvency Assessment (ORSA) that is

not only planned in Solvency II, but also by the NAIC in the United States.

The analysis emphasizes that diversification plays a central role and that op-

erational risk measurement and management is highly relevant for insurers

and should be integrated in an enterprise risk management framework.

INTRODUCTION

In the context of new risk-based capital requirements for banks and insurers imposed

by Basel II/III and Solvency II, respectively, the discussion about operational risk

intensified and especially large insurers are now confronted with the need to develop

and implement adequate risk measurement and management instruments to deal

with operational risk. In Solvency II, operational risk is defined analogously as in

Basel II/III as “the risk of loss arising from inadequate or failed internal processes,

personnel or systems, or from external events. Operational risk ...shall include legal

risks, and exclude risks arising from strategic decisions, as well as reputation risks”

(see European Parliament and the Council, 2009, Article 13, No. 33, Article 101, No.

4).1Operational risk is also of high relevance for the National Association of Insurance

Nadine Gatzert and Andreas Kolb are with the Department of Insurance Economics and

Risk Management, Friedrich-Alexander-University (FAU)of Erlangen-N ¨

urnberg, Nuremberg,

Germany. The authors can be contacted via e-mail: nadine.gatzert@fau.de and andreas.

kolb@fau.de, respectively. The authors wish to thank the anonymous referee as well as Rob

Hoyt and Joan Schmit for valuable comments and suggestions on an earlier draft of this paper.

1See also Basel Committee (2004, p. 137). In Basel II/III, operational risk is categorized

into the seven event types “internal fraud,” “external fraud,” “employment practices and

684 THE JOURNAL OF RISK AND INSURANCE

Commissioners (NAIC), where the potential inclusion of a specific charge for opera-

tional risk within the U.S. system of risk-based capital for insurers is discussed (see

Vaughan, 2009; PwC, 2012). Besides the new regulatory requirements, cases of high

operational losses in the recent past also strongly emphasize the importance and

considerable risk associated with operational loss events. One of the most mentioned

events in this context is the bankruptcy of Barings Bank in 1995, which was followed

by a $1.3 billion loss caused by its rogue head derivatives trader in Singapore.2The

potential impact of operational losses on an insurer’s risk situation is also stressed by

figures regarding potential insurance fraud by policyholders, which in the German

insurance market, for instance, is estimated to about €4 billion per year (see Hiebl,

Roedenbeck, and Kiefer, 2012). In the third party liability insurance only, 25 percent

of all claims are suspected to be fraudulent and for an average motor liability insur-

ance company, losses due tofraud are estimated to €32.5 million per year (see Hiebl,

Roedenbeck, and Kiefer, 2012).3The magnitude of these operational loss events in the

past strongly demonstrates the need for an adequate measurement and management

of operational risks, which is also required according to the new framework Solvency

II. The aim of this article is to model and quantify the effects of operational risk from

an enterprise perspective by focusing on an insurer’s pricing and solvency capital re-

quirements under Solvency II. Wethereby compare the Solvency II standard formula

with a partial and a full internal model.

A large part of the academic literature concerns the modeling of operational risk. Cruz

(2002), McNeil, Frey, and Embrechts (2005), Gourier, Farkas, and Abbate (2009), and

Shevchenko (2010), for instance, point out the importance of extreme value theory

for calculating aggregate losses by using the loss distribution approach. Another part

of the literature empirically analyzes operational loss data. Although most of these

studies examine empirical data from the banking sector (see, e.g., Moscadelli, 2004; de

Fontnouvelle et al., 2003; Dutta and Perry,2006), Hess (2011b) also investigates opera-

tional loss data for insurance companies. Several studies dealing with operational risk

also assess the dependencies between the risk cells of banks, including, for example,

B¨

ocker and Kl ¨

uppelberg (2008), Ebn¨

other et al. (2003), Frachot, Roncalli, and Salomon

workplace safety,”“clients, products, & business practice,” “damage to physical assets,” “busi-

ness disruption & systems failures,” and “execution, delivery,& process management.” This

categorization of operational risk is also suggested for insurers by the German Insurance

Association (see GDV, 2007, p. 10). Note that in Basel II, operational risk was introduced as

a third risk class in addition to market and credit risk (see Cummins, Wei, and Xie, 2011;

Kamiya, Schmit, and Rosenberg, 2011), while in insurance, a more sophisticated risk clas-

sification system would, for example, separately define financial risks (e.g., market, credit,

etc.), policyholder insurance risk (e.g., property insurance, workers compensation insurance,

health insurance, etc.), business risk (e.g., management, strategy, etc.), and operational risk

(consistent with Basel II and Solvency II).

2Other examples of operational risk events include the NASDAQ odd-eighths pricing scandal

in 1994 as well as the losses of Soci´

et´

eG

´

en´

erale in 2008 and UBS in 2011, both due to rogue

traders. Similar examples in the insurance sector include the Swiss Life investment scandal in

2002, the AIG Finite Reinsurance Accounting fraud in 2005, as well as the AIG credit default

swap write-down in 2008.

3Another major issue is fraud in the context of commissions paid to agents. For example, the

bankruptcy of the German MEG AG in 2009 caused irrecoverable losses for several insurance

companies due to fraud in commissions (see Alten¨

ahr, 2010).