Roads to Resilience

not the case. Our objective is always to enable us to do business but to consider the parameters we operate in” (Managing Director, UK). When they enter new markets they will tend to “Complete a controlled test or Pilot”: they will learn about the market, understand the risks better, and only once they feel they have a good understanding will they expand their activities.

When it comes to risk management, the company operates the standard three lines of defence. The three levels are: business operation level (day-to-day business controls, detailed analysis of risks, mitigation of risk etc.), risk management and compliance (risk management function, maintaining the implementation of effective risk management practices, providing oversight over business processes and their associated risks) and internal audit and corporate control. The company has a risk register which is used regularly and which is managed by the Risk Management function. In addition to this approach, the company has introduced several new techniques to support the 3 lines and improve the organisation’s resilience:

Vulnerability identification (VID) process

A vulnerability identification survey is sent out by the risk management team to thousands of people throughout the organisation; for example, it would be sent to individuals in the underwriting team, the tax team and the legal team. The survey questionnaire asks questions around vulnerabilities in the organisation, and it gives employees the opportunity to step back, reflect on what could go wrong and communicate this back to the organisation. The questionnaire data is taken by the risk management team, who then categorise the information into the various types of risks, filter them to reduce duplication and then feed this to the senior managers across the business.

The feedback is customised to the business area: “… in the winter of last year I would receive this back with a list of seven or eight items and they seem to fit in your part of the organisation. So then I would ask; number 1) what’s your reaction to them? 2) What are you doing about them? and 3) what do you think we should do about them? I think what’s powerful about that for the organisation is it doesn’t limit our assessment of risk to the ERM [Executive Risk Management] function” (President and Chief Executive Officer, AIG EMEA Region).

Near-miss reporting

The company has introduced a specific process to identify, report and discuss situations where a risk (and loss) did not occur, but it was close (a near-miss). This could be for a number of reasons, such as operating procedures that did not identify an important factor. The near-misses are reported up to the board and are investigated to ensure they do not occur again.

Accumulation of risks

When the company looks at risk it does not just consider individual cases in isolation; it also considers the accumulation of risk. The company recognises that it is important to look at the accumulation of numerous insurance policies: “it really is critical to do an effective job of aggregation of your risks across the organisation” (President and Chief Executive Officer, AIG EMEA Region), “because some very, very small elements accumulating could lead to a big exposure for us” (Managing Director, UK). For example, the accumulation of various insurance policies in a geographical area which is prone to flooding would need to be examined to check that the accumulated policies do not lead to the company being over-exposed.


Roads to Resilience: Building dynamic approaches to risk to achieve future success
