Operational Risk Management in If P&C
The continuity of operational risk management is secured through the Operational Risk Committee (ORC), which coordinates the operational risk process. The committee’s task is to give opinions, advice and recommendations to the If P&C Risk and Control Committee as well as report the current operational risk status. The status assessment is based on the assessments in the organization, reported incidents and other additional risk information.
If P&C identifies operational risks through different processes. A trend analysis is being performed annually, where the most important trends affecting the insurance industry are identified and the effects on If P&C are assessed. In this process the most severe external operational risks are being identified.
The line organization and corporate functions have the responsibility to identify, assess, monitor and manage their operational risks. Risk identification assessments are performed quarterly. Identified risks are assessed from a severity perspective, encompassing probability and impact. The control status for each risk is assessed using a traffic light system: green – good control of risk, yellow – attention required, red – attention required immediately. The most severe risks with control status yellow or red are reported to If P&C’s Operational Risk Committee.
Incident reporting and analysis is managed differently depending on type of incident. Some types of incidents are reported via a separate web based incident reporting routine, and others are identified through controls and investigations.
In order to manage operational risks If P&C has issued a number of different steering documents; Operational Risk Policy, Contingency Plans, Security Policy, Outsourcing Policy, Complaints Handling Policy, Claims Handling Policy, and other steering documents related to different parts of the organization. These documents are reviewed and updated at least annually.
In addition to this If P&C has detailed processes and guidelines in order to manage possible external and internal frauds. Internal training on ethical rules and guidelines is a prioritized area.