Using simulation exercises to improve your insurance firm’s resilience


We all know exercising is good for you. But before you go and grab your running shoes, we want to focus on something slightly different: simulation exercises to test your firm’s resilience.

Operational resilience has been a growing focus of UK regulators. The Prudential Regulation Authority’s (PRA’s) supervisory statement* notes that exercises are one of the tools to test whether key services remain within acceptable tolerance limits during disruption.  

Many insurers will use paper-based theoretical assessments as the starting point for these assessments. However, exercising can enhance scenario testing and improve your resilience – which is the objective of the PRA statement and will be useful in helping you meet your written self-assessment requirements.

In this blog we discuss the benefits of simulation exercises for insurers and how this approach can enhance firms’ ability to meet the regulators’ requirements. 

The benefits of simulation exercises

Using simulation exercises to test your response plans is not a new idea. Whether it‘s in the armed forces or in financial institutions, running exercises to test if your plans work in practice enhances your response strategy in any scenario. 

"It's not what happens to you, but how you react to it that matters."
Epictetus Greek Stoic philosopher

An exercise tests how you react to situations in practice rather than theory. The benefits of running an exercise or simulation include the below. 

Just because you have a plan, doesn’t mean that it’s practical or will work in the real world. What if more than one incident occurs at any one time, or risks cause knock-on effects? Also, people-related risks are highlighted and it’s much better to understand this during an exercise than have someone struggle during a real-life incident. 

Explaining responsibilities during an incident wastes precious time and energy, so people need to know what’s expected of them. They will feel more confident and your response will be more effective. 

It is often a challenge to know how quickly processes can be completed, especially in a situation that may happen infrequently. Exercising can step through important elements to gather this information. This could relate to people, equipment or technology.

It’s like a football team training for a match or a theatre group rehearsing for a play. It’s better to forget your lines or make a bad pass during rehearsals or training – and you’ll draw upon that experience in a real-life incident. This also enables a team to test their plans in a safe environment. 

Response teams are able to further develop plans following the exercise by incorporating lessons learnt, as outlined during the debriefing. These learnings should be clearly brought out into the post-exercise report and subsequent actions.

This is key to any incident response and the regulators are clear that these requirements are essential for your operational resilience strategies too.

Enhancing your ability to meet the regulator’s requirements

 

At the end of each exercise firms should produce a report which captures the observations, recommendations and actions which have been measured against the overarching objectives. 

This post-exercise report can form part of your written self-assessment documentation, outlining your approach to testing, the objectives and outcomes of the exercise, vulnerabilities and actions identified. 

The regulator expects firms to document details of their scenario testing, including assumptions made in relation to the scenario design and any identified risks to a firm’s ability to remain within impact tolerances. All of these elements should be clearly set out in every exercise report.

The observations and recommendations in an exercise report will be key in highlighting the lessons learnt and the areas that require investment. So, a well-structured exercise report can be a key part of the self-assessment requirements.

Don’t panic! You still have time  

It is worth noting that the PRA expects scenario testing to evolve over time. So, enhancing the tools you use will demonstrate this development. 

Exercising is clearly another string for your bow in showing the regulator that you are developing your testing. The regulator requires a documented testing schedule, to include the below. 

  • Types of scenario testing (for example exercises or simulations)
  • Frequency of testing
  • Number of important business services tested (if you have a lot these services then you will be expected to run more tests)

This schedule will develop over time as your environment changes and your operational resilience understanding develops as you learn from other exercises. 

Exercises and simulations are a key part of preparedness for any disruption. In the process they may uncover improvements that can prevent some incidents from occurring and ensure that responses are much better managed. 

You might uncover mitigation and control actions that can be implemented: all of this enhances your operational and organisational resilience. And documenting your learnings is all part of the operational resilience requirement process.

To learn more about our operational resilience exercising and related services, visit our website or contact Kim Durniat or Karla Gahan

Source:

*SS1/21: Operational resilience: Impact tolerances for important business services

Stay up to date

The latest independent commentary and insights from our experts at the forefront of pensions, investment, insurance and risk - tailored to your preference.

Subscribe

Crisis Management Simulation Tool

Our Crisis Management Simulation Tool is a realistic, objective-based way to facilitate incident exercises with teams globally and, as needed, remotely.

Find out more