Karla Gahan, Associate and Senior Consultant – Risk Advisory and Analytics and Kim Durniat, Partner and Head of Life Consulting at Barnett Waddingham
Many insurers will use paper-based theoretical assessments as the starting point for these assessments. However, exercising can enhance scenario testing and improve your resilience – which is the objective of the PRA statement and will be useful in helping you meet your written self-assessment requirements.
In this blog we discuss the benefits of simulation exercises for insurers and how this approach can enhance firms’ ability to meet the regulators’ requirements.
The benefits of simulation exercises
Using simulation exercises to test your response plans is not a new idea. Whether it’s in the armed forces or in financial institutions, running exercises to test if your plans work in practice enhances your response strategy in any scenario.
"It's not what happens to you, but how you react to it that matters." Epictetus GREEK STOIC PHILOSOPHER
An exercise tests how you react to situations in practice rather than theory. The benefits of running an exercise or simulation include the below.
Validation of the technical, logistical, and administrative aspects of the plan
Just because you have a plan, doesn’t mean that it’s practical or will work in the real world. What if more than one incident occurs at any one time, or risks cause knock-on effects? Also, people-related risks are highlighted and it’s much better to understand this during an exercise than have someone struggle during a real-life incident.
Understanding and ownership of roles and responsibilities
Explaining responsibilities during an incident wastes precious time and energy, so people need to know what’s expected of them. They will feel more confident and your response will be more effective.
Correct resource allocation
It is often a challenge to know how quickly processes can be completed, especially in a situation that may happen infrequently. Exercising can step through important elements to gather this information. This could relate to people, equipment or technology.
Muscle memory and rehearsal
It’s like a football team training for a match or a theatre group rehearsing for a play. It’s better to forget your lines or make a bad pass during rehearsals or training – and you’ll draw upon that experience in a real-life incident. This also enables a team to test their plans in a safe environment.
Enhanced response strategies
Response teams are able to further develop plans following the exercise by incorporating lessons learnt, as outlined during the debriefing. These learnings should be clearly brought out into the post-exercise report and subsequent actions.
Better communication plans and strategies
This is key to any incident response and the regulators are clear that these requirements are essential for your operational resilience strategies too.
Enhancing your ability to meet the regulator’s requirements
At the end of each exercise firms should produce a report which captures the observations, recommendations and actions which have been measured against the overarching objectives.
This post-exercise report can form part of your written self-assessment documentation, outlining your approach to testing, the objectives and outcomes of the exercise, vulnerabilities and actions identified.
The regulator expects firms to document details of their scenario testing, including assumptions made in relation to the scenario design and any identified risks to a firm’s ability to remain within impact tolerances. All of these elements should be clearly set out in every exercise report.
The observations and recommendations in an exercise report will be key in highlighting the lessons learnt and the areas that require investment. So, a well-structured exercise report can be a key part of the self-assessment requirements.
Don’t panic! You still have time
It is worth noting that the PRA expects scenario testing to evolve over time. So, enhancing the tools you use will demonstrate this development.
Exercising is clearly another string for your bow in showing the regulator that you are developing your testing. The regulator requires a documented testing schedule, to include the below.
Types of scenario testing (for example exercises or simulations)
Frequency of testing
Number of important business services tested (if you have a lot of these services then you will be expected to run more tests)
This schedule will develop over time as your environment changes and your operational resilience understanding develops as you learn from other exercises.
Exercises and simulations are a key part of preparedness for any disruption. In the process they may uncover improvements that can prevent some incidents from occurring and ensure that responses are much better managed.
You might uncover mitigation and control actions that can be implemented: all of this enhances your operational and organisational resilience. And documenting your learnings is all part of the operational resilience requirement process.