Operational Resilience: why aren’t we talking about it more?

By Bart Patrick
8 February 2023

Insurance is a critical part of our economic, commercial, social and personal wellbeing. Many of the things we take for granted would not happen without the backing of insurance. Doctors would struggle with managing risks, companies would fail and homeowners would be challenged by unacceptably large exposures just living in their own homes. Insurance matters.

After years of relative stability, the global unpredictability caused by the pandemic, war in Ukraine, inflation and the energy crisis has placed operational resilience firmly under the spotlight. It’s never been more vital, and more challenging, to ensure customers can access their financial services products without disruption.

On the back of this, the Financial Conduct Authority (FCA) has quietly and patiently introduced new policies on Operational Resilience to the financial services industry.

Although I am now seeing insurers start to push this into their selection criteria for technology solutions, it strikes me how little I’ve come across Operational Resilience as part of the general discussion around insurance. Given the significant implications for insurers it is rather surprising that this is not more prevalent – even more so considering the recent fine for TSB of £48m for operational risk and governance failings.

To quote the FCA website:

“Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. With the first policy milestone having passed on 31 March 2022, firms now have until no later than 31 March 2025 to be able to operate within their impact tolerances.”

Ok, so we’ve all had a bit of this over the last few years. I won’t go into details as, well, we all know about it. But the first policy milestone was passed in March 2022. 47 firms were asked by the FCA about their business services and operational impact tolerances. Whilst the FCA noted that firms demonstrated a clear understanding of the rules (understanding is arguably the easy bit), there were quite a few areas requiring further improvement.

Let’s look at these and analyse the impact of those findings that have a technology underpinning. This article is a critique, not a criticism, to be in sync with the FCA findings. There is an important distinction here. No one underestimates the issues and impediments insurers have. In the same breath, no one underestimates the efforts that insurance personnel make every day to keep the lights on. But I doubt if there is a single person operating in the insurance industry who does not wish things “just worked how they want and need it to”.

So, looking into the FCA’s findings in terms of areas of improvement, how should tech work to overcome these? What stops it from doing so? These are important questions, the answers to which have flummoxed some of the best IT minds in the business. How do you make the financial and business pattern fit the IT cloth?

Taking the first two together, the FCA found that Insurers:

“did not identify important business services that would reasonably be expected for the firm’s business model or included internal or irrelevant businesses services”

“identified important business service areas inconsistently between internal departments without rationale or justification”

So, insurers find it difficult to identify their own important business services, and define those services differently between departments.

Given that IT systems are the backbone of any insurance business, if the tech is a mess, all processes are by definition difficult to identify.

On top of this, it is the case that repeated technology “transformations” have just added to the redundancy within the business leading to a situation where if you asked an insurer “what does it cost you from a technology perspective to have that person at that screen answering the phone”, they would struggle to pin a price on it. This is no shock as it is a product of years of over-investment, under-investment, changes in strategy, leadership, and ownership that have muddied the waters to an extent that clear analysis is next to impossible.

So if the technology supporting the business services and business model is so opaque, this finding regarding identifying important business services is to be expected.

Moving swiftly on, the next set of FCA findings stated that insurers:

“did not consider consumer harm from being unable to purchase, amend or renew products”

Back to the tech. When you have legacy talking to legacy, weird proprietary systems, spreadsheets on desktops, several administration systems and various vintages of underlying technology – even some where the ability to service the code is physically dying out – then there are multiple places where this could apply to technology.

With newer and smaller insurers, the thought of implementing an “enterprise” system is abhorrent because of cost, commitment and complexity. Many smaller insurance entities run on clunky CRMs, spreadsheets, home grown systems, MS Access and functionally wafer-thin systems bought from third parties. This is a product of the aforementioned issues around cost, commitment and complexity.

Many insurers rely on armies of people in onshore and offshore centres to fill technological gaps in policy processing from quote to renewal or cancellation. Many of these gaps are filled with robots, which are a sticking plaster over the breaks in the technological chain. Where there are robots, there are weaknesses. Modernisation is required, not sticking plasters.

Many insurance companies rely on a bit of luck, some technological chewing gum and the quality of their people (generally very high) to get them through shocks and issues – processes that we now know won’t stand up to Operational Resilience regulation.

Self-service, straight-through processing and analytically driven hands-off operations, in closely integrated technology in the cloud, may just have an answer to the above. The question really is how do you achieve this without breaking the bank?

“applied unsuitable answers to services underpinning both corporate and commercial products without consideration of the end user”

Hmm. This is vague, but quite nasty in its implication for corporate customers. In light of the issues and litigation over Business Interruption policies during the pandemic, this is not the best outcome.

We have a situation in many places where commercial contracts are handled via an extended chain. Broker to Insurer, Broker to MGA to Insurer. Bordereaux everywhere. Different systems, policy documents, wording amendments, payment standards, quotation platforms, interpretations and services. It’s a testimony to the professionals in the business that commercial insurance functions so well.

However, do they really provide the service that the end-insured wants? Take cyber cover. It was originally part of business liability products when it was a “get another line of cover on the product, add a bit of premium, targets met” situation.

Then about 18 months ago significant claims started occurring. The lax underwriting criteria tightened up. Cyber was stripped out of business liability policies and (quite rightly) became a separate line of business. There is now talk of cyber becoming uninsurable from the Zurich CEO, Mario Greco. But has anyone considered the impact on a business itself? SMEs suddenly lost cover and when they went for separate cover for cyber found it cost more than their employers liability and business liability combined.

Cyber is the most digital of risks. Business owners want an insurer to . But it is difficult to do this – pen testing, dark web scans and other outside-in methods of risk assessment only take you so far. Surely it would not be too difficult to set up a telematics virtual device-based technology to give insurers the technology equivalent of “driver data” to deliver this and protect policyholders? Evidently this is not the case. Tech, product development, data, processes and the scarcity of skilled resources hamper things.

Simply put, the ability of insurers to rapidly adapt their products and introduce new innovative technology is very challenged based on current architecture – small and large. They want to; however, the legacy of old systems, inadequate systems and “transformations” has left insurers in a difficult place.

This is why insurtechs exist. They have spotted this as a potential opportunity. Lithe, tech-focused companies can make a difference to commerce. They are quick to change and adapt. Now we can say that few have scaled, and those that have are in a difficult place as they forgot the basics of insurance (excellent risk selection, the right price and focus on underwriting goals – income not “ifcome”), but these companies are there because of the struggle that established insurers have to really innovate products because of technological inadequacies.

“did not meaningfully consider the impact of unavailable important business services on vulnerable customers”

“appropriately identified high levels of consumer harm due to an unavailable important business service but set impact tolerances that seemed comparatively lenient”

“We are experiencing high volumes of traffic, please call back later” was an experience of many policyholders and claimants during the pandemic. Staff absence, technology challenges etc all came into play. At the time of most need policyholders were often asked to be patient. Most of us were willing to be patient bearing in mind the global pandemic.

But from a tech perspective all of the other factors raised in the Consultation Paper came home to roost. Fractured architectures, legacy technology, a business operation designed around being in the office all came into play. Insurers – and in particular their staff – responded magnificently to the challenge. IT directors moved heaven and earth to overcome years of technological treacle to create secure environments for staff to work in both in the office and at home.

However, the underlying beast of legacy, a fractured and fragile technological system that cannot adapt rapidly, remains. Until this is sorted adequately there will always be questions.


There were four other recommendations that came out of the consultation. I won’t go through these as they were more about how insurers had assessed their tolerances, their cutting and pasting of previous answers (looks like the regulator really does read these things!) and an inability to distinguish between internal and external services. However, I will go on to summarise the observations and make a call to action.

Ultimately the need is for technological change that embraces these issues simultaneously. The technology exists to do this – lithe, fast to implement and open to connection to anything. Microservices backed by amazing integration. But these need to be implemented with a longer view and in line with the strategic plan of the business.

Change is hard and takes time. The problem with change is that by the time you have changed, it’s out of date. But unless we have change then the factors raised in the consultation paper will always be there. During times of business, economic and social stress, insurance companies will be stretched to the limit, and often beyond.

But if insurers continue down their current path, then the change program will fit into one of two brackets:

  1. Enterprise transformational change – the big beast being turned over, dissected and a new beast put in place. Multi-year transformations costing £10s of millions, and in some cases £100s of millions, that arguably achieve very little and compound the issues.
  2. Small scale departmental change – “we’ve had enough” change, where the business can no longer suffer the impact of the legacy system (long change-cycles, expensive resources, costly implementation) and goes for something a bit more lithe, but short term. This can cause a “death by a thousand cuts” where the constant small-scale addition of lightweight systems to cure discrete problems creates a disjointed mess in the absence of a strategic technical masterplan.

The solution lies between these two. Create a series of small-scale iterative changes in a framework of a long-term strategic goal. Assess, change, learn, assess, change, learn in rapid succession in line with the strategic change objectives of a company. Remove the sticking plaster, and work out what the holistic treatment is. ‘Prevention is better than cure’, my Dad always said, and careful, structured, repeating strategic change in insurance is the biggest source of prevention I can think of. When insurance truly changes, insurers will become more responsive, resilient, flexible and productive by not investing in dead-end technology or short term solutions. There have been many false dawns before, but with cloud computing, microservices architectures and hyper connectivity of systems, the opportunity exists now like never before, backed by drivers for change (competition, regulation, innovation, financial) never being more present.

Act small, think big.
