Introduction

In general, when implementing a robust and verifiable system to manage and analyse operational risk, the major problem is the lack of historical data of losses, which is of concern equally to risk managers and regulators; additionally, the recent requirements of Solvency II will generate a system that promotes a better understanding and control of such risks (footnote 1). Therefore, data access and its management is probably the most significant challenge (availability, accuracy and relevance) for insurance companies that have to implement an up-to-date operational risk management system.

In regard to internal data, an internal system could be implemented, which collects both operational risk quantitative data losses and incidents as qualitative information through surveys and internal indicators. In contrast, in Spain there is no external database as such available to insurance companies, nor have they had the opportunity to develop enough expertise in the standardisation of operational risk data to quantify and effectively predict operational risks. That is the objective of this research: from an external database of operational risk losses of health insurers in Spain, which was the most extensive and complete database available and because of the operational implications of health insurance processes, the intention is to analyse and understand its statistical behaviour for the future completeness of data, selection of financial models and subsequent quantification of solvency capital within Solvency II.

Operational risk management and data analysis (internal and external) have been studied in the economic and financial literature previously. The most significant contributions are the following: the statistical analysis of operational risk has several aspects that have already been treated; see for example Chavez-Demoulin et al. (footnote 2), who have looked into the qualitative and quantitative approaches to operational risk and statistical techniques to improve the modelling environment applicable to risk management. The overview of the analysis using internal data, external data and experimented valuations has been treated by Lambrigger et al. (footnote 3), who have analysed the quantification of frequency and severity distributions for operational risk using internal data, opinions of experts and relevant external data. This analysis suggests a new approach to the combination of these three sources of data to estimate the operational risk charge capital and also uses the expert opinion of Guillen et al. (footnote 4), who evaluated and eventually adjusted for the level of underreporting; the same approach can be carried out non-parametrically using recent transformation techniques as in Buch-Kromann et al. (footnote 5). Furthermore, recent advances in operational risk research by Guillen et al. (footnote 6) have shown that this very same transformation technique can be explored to remedy some of the small sample problems and to combine external and internal data. Other authors who have worked on operational risk data are Klugman et al. (footnote 7) or Figini et al. (footnote 8).

Our approach is first to illustrate the situation of health insurance in Spain and describe the process of value-added service of health insurers, which will facilitate the understanding of the nature of the operations performed by these companies. Then operational risk losses are defined by the standards of Solvency II and the data collection process is briefly explained. Thereafter the external database is presented along with the necessary adjustments in terms of data filtering and removal of inconsistent data. Finally, a statistical description of the database is performed in order to understand its content and structure for the future combination with internal data and the later selection of the financial methodology to quantify the charge of capital.

Health insurance in Spain

In this section, the relevant health insurance system in Spain, their value-added processes and activities are introduced in order to understand the general context of the operational risk data of health insurers, which are going to be analysed later in the research.

The modern health system in Spain was born in 1978 when Parliament approved the Spanish Constitution. However, the system was not complete until the approval of the General Health Law (footnote 9), which created the National Health System for the integration of various public health subsystems. Its purpose is, according to Article 1, “The general regulation of all actions to enforce the right to health protection”. The National Health Service ensures that all people have the right to health; this is possible because the state assumes full responsibility for managing and financing equal health services for all people. The government, in order to manage those services, has established rules to regulate the system and to secure and implement medical care to the population, which is publicly funded.

In recent years, private health care has become more important. It is estimated that 15 per cent of the population has private health insurance, including public officials, who are given the option to choose between public and private sectors. Insurance can be used either as a complement or alternative to public health. The advantage is that private insurance companies have their own network of hospitals, clinics and laboratories, so that policyholders do not have to wait that long to be treated, although companies may force patients to use only doctors who are members of their medical group. Mixed systems are reimbursement programmes where clients can go to any specialist but the patients have to cover a small part of the service cost.

Nevertheless, there are new problems and different conditions for the health system, such as unemployment, interruptions in work life, the growth of the elderly population and the fact that health services represent more than a fifth of social spending in Spain. The growth of the elderly population represents a fundamental challenge to successfully manage the health system in the future.

Total expenditure in Spain on health services, public and private, is equivalent to 8.2 per cent of GDP (footnote 10). Because it is expected that demand for these services increases at a faster rate than economic growth, the financing of health-care costs has become a significant problem. This means that there are new opportunities for the private sector, but to take advantage of them we need to create new strategies for managing the health business. This is not easy because of the current regulation of financial services and health insurance in Spain, and the related sectors such as pharmaceuticals, which are strongly conditioned by institutional, cultural and economic factors.

The process of value-added service of health insurers, which is presented schematically in Figure 1, will enable us to understand the nature of the operations performed by these companies in the delivery of health services:

  1. Sales and product/service design: For health insurance, product design is a critical process because it is where the services covered, fees, terms and conditions of renewal, reimbursements and medical services providers are defined. These characteristics should meet the potential demand of customers, as the preferences and available resources vary between different markets and people, and thus it requires a market segmentation that takes into account the different preferences in the service. For the design of the insurance product, it is also critical to have access to proper medical data, which is not always available when it comes to markets that we enter for the first time; this is because medical records are not completely transferable from one region or market to another, and because of data protection laws (footnote 11). Design is also essential to reduce the exposure of health insurers to medical expenses, which are increased exponentially by investments in new medical equipment and the development of innovative diagnostics and treatments.

  2. Underwriting: Private insurance is based on the principle that the insured pay the premiums that cover their expected medical and administration costs. Thereby, the insurance contract would guarantee compensation to customers who suffer a health problem and need assistance. This actually produces a financial compensation of the premiums among the customers without losses and those with losses, even with price-tailored mechanisms to each personal risk, because the chronically ill and elderly customers have much higher health costs than those of the healthy and young people. The natural response from the insurers is to manage and discern the foreseeable risks, encouraging the selection of clients with minor health problems, which has been pushing governments to intervene in order to stabilise the imbalance that may exist. They do this either by setting up a universal health care provision or through public funding of private services. With this premise, and because of the inevitable increase in health costs, a review of the risk rates is essential for the management of these services by underwriters.

  3. Administration: Investments in information technology (IT) provide the accuracy and efficiency of the administrative process. As health services is a business with claims of high frequency but low severity (costs), any administrative saving has a significant impact on the profitability of these companies. Generally, all health insurers invest in IT systems to increase speed and reduce the unitary cost of data processing and claims settlement for patients, enabling them to react more quickly to changes in health-care costs trends. These tools would also allow the registration of data that will later be exploited for the actuarial analysis of losses and will be used to improve claims handling services.

  4. Medical management: According to Swiss Re (footnote 12), around 70–90 per cent of insurance premiums are used to cover the cost of medical services incurred by patients. While most underwriters are successfully reducing operating expenses and administration costs, treatment costs are continuously increasing, and thus the containment of health-care costs is essential to control the growth of premiums. All efforts by health insurers in this regard will contribute significantly to their performance, such as negotiation and management of contracts with the medical services providers. Care assistance management seeks to influence clinical decisions with the objective of providing efficient services to patients, thus facilitating that, in all stages of the care process, underwriters collaborate with medical services providers for improvement.

Figure 1. Health insurance value added services. Source: Swiss Re (footnote 12) and prepared by the authors.

In summary, private health services are not just a financial protection product against unexpected events such as traditional life risk insurance, but rather a care assistance service that requires meeting the health needs of its customers and policyholders, and demands for specific organisational and management practices of insurers and service providers, activities that have relevance for the better understanding of the nature of the losses that will then be used to statistically analyse operational risks in the health insurance sector.

Operational risk losses

Once the health insurance system in Spain is summarised, the next step is to define operational risk, present its regulatory framework and understand the underlying drivers of its behaviour, transferability and mitigation.

By the standards of Solvency II (footnote 13), operational risk is defined as the risk of loss arising from inadequate or failed internal processes, personnel or systems or from external events, and includes legal risks, but not risks arising from strategic decisions and reputational risks. Under Solvency II, insurers are expected to maintain a specific minimum capital requirement for operational risk, to undergo supervisory tests of their risk management practices and to publish their strategies and processes for managing operational risk, the structure and organisation of the area, their risk mitigation policies and the techniques to estimate it:

  a) Solvency capital requirement shall be calculated based on the presumption that the undertaking will pursue its business as a going concern and its calculation shall take into account the effect of risk mitigation techniques, provided that they are properly reflected. It will be calibrated so as to ensure that all quantifiable risks to which an insurer is exposed are taken into account, being the required solvency capital equal to the value at risk of their own funds, with a 99.5 per cent confidence level and a one-year horizon.

  b) Capital requirements for operational risk shall reflect operational risks if they are not already included in the configuration of the basic required solvency capital (underwriting risk of life, non-life and health insurance, market risk and credit risk). Its calculation would take into account the volume of such operations, which will be determined from earned premiums and technical provisions in relation to those insurance and reinsurance obligations. In this case, capital requirement for operational risk shall not exceed 30 per cent of the required solvency capital for such insurance and reinsurance basic operations.

An additional step to understanding the components of internal operational risk, and one of the main tools to implement a comprehensive system of operational risk management in an insurance company (footnote 14), is the use of a database that reflects the losses from such risks, which need to be classified to obtain homogeneous data and which allows subsequent analysis to further improve the risk measurement systems and modelling capabilities of insurers. For the research, we used the “Loss event type classification” (see Appendix) of ORIC, the consortium of the Association of British Insurers, which manages and collects the most known and extensive external database of operational risk for insurers that exists currently in the U.K. and whose risk classification is consistent with Basel II and Solvency II. The event types (level 1) for operational risks are: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management.

Some of the operational risk losses included in this classification are covered, at least in theory, by traditional insurance products. From the standpoint of the insurance industry (see Figure 2), the only risks that may not be insured are the activities or transactions that are outside of the law. However, in practice, there are real limitations to operational risks to be considered as insured; for example, for accepting the risk and setting a price, the risk should be finite and measurable, and without moral hazard (footnote 15).

Figure 2. Operational risk losses: the insurer perspective. Source: Prepared by the authors.

In the end, and in general terms, the risks to insure depend on the complexity of health insurers, its geographical scope and many other features. Starting from this point, the complete needs of operational risk management should be identified, including a detailed analysis of the insurance solutions available in the market to suit the risk profile of the organisation under study.

A variety of factors affect the purchase and design of insurance programmes such as regulatory pressures, the diversity of activities or business, geography, risk appetite or aversion, history of losses, financial statement strength or the size of the company. The combination of these factors will determine the level of operational risk to be financed or transferred in order to optimally assess these risks and develop new ways to manage them. The use of risk management techniques should be an economical tool that will help stimulate its management in all business units, seeking their support and alignment with the overall objectives of operational risk management.

General solutions of operational risk management offered by the insurance market fall into the following categories:

  a) Solutions for assets: property/business interruption, general liability, motor fleets, professional risks, etc.

  b) Solutions for employees: directors and officers, pension plans, accident and health, etc.

While on the one hand, operational risk cannot be eliminated, on the other hand it can be minimised through effective management or transferred. The issue that underwriters face is deciding what types of risks they are prepared to accept given the theoretical benefit to be obtained. It is desirable that health insurers have a general policy regarding transferable operational risks such as property damages, professional liability, and fraud or directors’ and officers’ liability for their particular risk exposures.

The general rule for health insurance companies, as in any other business, is to insure their operational risks with external underwriters. Some of them have global insurance programmes, which are reviewed periodically to certify that the best agreements are reached on market conditions, prices and protection limits. No matter how much effort has been made to manage or reduce operational risks, there will always be a residual exposure that should be undertaken or funded. Bearing in mind that each risk has its own characteristics regarding frequency and severity of losses, these can be used to transfer the risks, so that they will also help to adjust the calculation of regulatory capital for operational risk.

After selecting the most appropriate insurance programme to the risk profile of the company, when an incident or loss arises, it should be communicated to the underwriter or the broker company. The questions about the type of incidents that should be reported to the insurer or the coverage terms of them will depend on the design of the policy, the capacity of the insurance market, the preferences of the customer, the history of claims and premiums and the insurance after-sales services. Once the data is collected, it has to be treated and analysed, which is explained further in the following section.

The external database: treatment and statistical description

In the research, we used an external database of operational risk insured losses, concerning claims and incidents reported by 21 Spanish health insurance companies from 1991 to 2008, collected by an insurance broker (footnote 16), with the aim to analyse and understand its structure and statistical behaviour for the future completeness of data, selection of financial models and subsequent quantification of solvency capital within Solvency II. This data has been used because it was the most extensive and complete database available in Spain and because of the operational implications of health insurance processes, such as product design and medical management. This database is composed of about 1,200 claims of insured losses, with an aggregate value of EUR 10.7m. Most of these claims relate not only to incidents reported by health insurance companies, but also to incidents incurred by general insurers that also manage other classes of insurance. The database is structured according to business line, not according to the type or class of insurance institution.

The database contains all reported losses, and the attributes recorded for each loss of the database include general information (customer reference, type of insurance class, cause and place of loss, etc.), date references (such as date of occurrence) and the value or amount of losses.

The quality of the database would depend on the insurance products contracted by health insurers and on the design of underwriting policies and claims management of each insurer. It should also be noted that the classification and collection of incidents in the database were made by a third party (an insurance broker), who reviewed that the losses were covered by the policy so there is a guarantee of consistency and quality of data homogeneity. The claims processing service, which was described briefly in the previous section and the treatment performed on the database have been a fundamental premise of the analysis, and was made through a methodical cleansing, treatment and categorisation according to the ORIC standard “Loss event type classification”, the encoding of losses based on its nature and its statistical behaviour, as well as the necessary adjustments in terms of data filtering and elimination of inconsistent data.

Data presented and analysed is based on the following criteria:

  a) Data was reported by Spanish health insurers from 1 August 1991 to 19 March 2007.

  b) Time reference is the date of occurrence of the accident/loss.

  c) Number of claims refers to the individual event losses.

  d) Amount of claims in euros.

  e) All individual losses or claims reported have been considered in the analysis; there is no defined minimum amount for a loss to be considered.

  f) Initial insurance products taken into account:

    i) Insurance products: General liability, medical liability, property damage and industrial, commercial and offices all-risk.

    ii) Non-life insurance products out of scope: motor insurance and credit insurance.

    iii) Life insurance products and pensions are also out of scope for the research.

Statistical description of the database

In this section, a statistical analysis of the complete operational risk database available for the research is performed, with the aim of understanding and knowing its content and structure. The methodology used was chosen for its simplicity and desire to be understood by a broad audience of risk managers and researchers, although further analysis is needed when combining it with internal data and estimating the capital charge.

Figures 3 and 4 show the volume of data reported. The number of reported incidents has increased gradually over the period, from 15 events to a maximum of 136. With regard to the amount of reported losses, the gross value of claims reported has fallen from EUR 1.5m and EUR 1.9bn in 1998 and 2002, respectively, to a minimum of EUR 0.6m in 2005.

Figure 3. Number of claims by year of occurrence. Source: Prepared by the authors.

Figure 4. Value of claims per year (euros). Source: Prepared by the authors.

There is, in the period, a certain uniformity and consistency in the number of claims per year (Figure 3), between 90 and 120. As for the gross amount of claims by year of occurrence (Figure 4), there are two peaks in 1998 and 2002, because in January 1998 there was a liability claim of EUR 691,163.92, and in 2002 there were six claims involving amounts exceeding EUR 150,000 each, when the average is about two incidents per year.

Figures 5 and 6 show the distribution of the aggregate number of incidents and the aggregate volume of losses grouped by sections: individual losses of less than EUR 1,000, between EUR 1,000 and EUR 2,000, and over EUR 20,000. These figures, shown at the end of the paper, reveal the characteristic high frequency/low impact and low frequency/high impact of the behaviour of operational risks. For example, note that there have been 836 claims for amounts of less than EUR 1,000, and these have had a very small impact compared to the total observed losses.

Figure 5. Frequency distribution. Source: Prepared by the authors.

Figure 6. Severity distribution (euros). Source: Prepared by the authors.

In regard to loss distributions, Figure 7 presents the overall frequency of claims classified by types of events (level 1), which also shows a significant concentration of losses in a few events. Losses are mainly concentrated in “Damage to Physical Assets” and “Execution, Delivery & Process Management”, which accumulate 45.63 per cent and 39.38 per cent of the total losses, respectively. “External Fraud” and “Employment Practices and Workplace Safety” have fewer loss concentrations, but both account for 13.01 per cent of them. Meanwhile, “Internal Fraud”, “Clients, Products & Business Practices” and “Business Disruption and System Failures” do not have a significant number of losses.

Figure 7. Frequency of claims by event type. Source: Prepared by the authors.

The bulk of the “Damage to Physical Assets” claims is made up of losses with a medium cost per claim, which is reasonable given that most investments in physical assets of these companies are in buildings and equipment. It is also observed that the number of claims in the “Execution, Delivery & Process Management” category is high, which relates mainly to liability claims for medical interventions, which is the main activity of their business.

With respect to the severity distribution, Figure 8 presents the overall severity of accidents by type of event, which differs significantly from the frequency distribution of losses. The severity of losses exposure is more concentrated in one type of event than the frequency of losses. “Execution, Delivery & Process Management” accounts for 79.25 per cent of the loss amounts, while it represents only 39.38 per cent of the frequency of total losses. On the other hand, the other type of event with the highest frequency of losses, “Damage to Physical Assets”, has a much lower rate of severity (4.66 per cent).

Figure 8. Severity of claims by event type (euros). Source: Prepared by the authors.

A more detailed analysis of data by type of event illustrates that 21 out of the 25 largest losses correspond to “Execution, Delivery & Process Management”; three to “Employment Practices and Workplace Safety”; and one to “External Fraud”. As for “Execution, Delivery & Process Management” losses, there is a high average severity per claim, since this category includes the more serious damages mainly due to its nature: medical malpractice liability claims.
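The frequency versus severity comparison described above can be reproduced on any loss register; the following is an added example, not code or data from the paper. The records are constructed for illustration, the function names are hypothetical, and the band edges (EUR 1,000 and EUR 20,000) are an assumption.

```python
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed sample records: (ORIC level 1 event type, loss amount in EUR).
# These are illustrative values, not entries from the paper's database.
SAMPLE_LOSSES = [
    ("Damage to Physical Assets", 400.0),
    ("Damage to Physical Assets", 650.0),
    ("Damage to Physical Assets", 900.0),
    ("Damage to Physical Assets", 1500.0),
    ("Damage to Physical Assets", 550.0),
    ("Execution, Delivery & Process Management", 800.0),
    ("Execution, Delivery & Process Management", 30000.0),
    ("Execution, Delivery & Process Management", 150000.0),
    ("External Fraud", 2500.0),
    ("Employment Practices and Workplace Safety", 12700.0),
]


def clean(losses):
    """Drop inconsistent records: empty event type, non-numeric or non-positive amount."""
    kept = []
    for event_type, amount in losses:
        if event_type and isinstance(amount, (int, float)) and amount > 0:
            kept.append((event_type, float(amount)))
    return kept


def shares_by_event_type(losses):
    """Return {event type: (frequency share %, severity share %)}."""
    counts = Counter()
    amounts = defaultdict(float)
    for event_type, amount in losses:
        counts[event_type] += 1
        amounts[event_type] += amount
    n = sum(counts.values())
    total = sum(amounts.values())
    return {
        t: (round(100 * counts[t] / n, 2), round(100 * amounts[t] / total, 2))
        for t in counts
    }


def band_summary(losses, edges=(1000.0, 20000.0)):
    """Return (count, aggregate amount) per size band.

    With the assumed default edges the bands are: below 1,000;
    1,000 up to (not including) 20,000; 20,000 and above.
    """
    bands = [[0, 0.0] for _ in range(len(edges) + 1)]
    for _, amount in losses:
        i = bisect_right(edges, amount)
        bands[i][0] += 1
        bands[i][1] += amount
    return [(count, amount) for count, amount in bands]


def largest_by_type(losses, n):
    """Count how many of the n largest losses fall in each event type."""
    top = sorted(losses, key=lambda rec: rec[1], reverse=True)[:n]
    return dict(Counter(event_type for event_type, _ in top))


if __name__ == "__main__":
    data = clean(SAMPLE_LOSSES)
    for event_type, (freq, sev) in shares_by_event_type(data).items():
        print(f"{event_type}: {freq}% of claims, {sev}% of loss amount")
    print(band_summary(data))
    print(largest_by_type(data, 3))
```

In the constructed sample, half of the claims are physical damage but they carry 2 per cent of the loss amount, the same kind of divergence between the frequency and severity distributions that the text reports.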

As a summary of the statistical description of the database, the data of the sample matches the expected behaviour of operational risk losses (high frequency/low impact and low frequency/high impact). The largest number of claims is for losses of low value and the greatest amount of claims is just for a few events. Additionally, this behaviour happens for all risk categories, except for “Damage to Physical Assets”, where the greatest impact on the volume of claims is represented by incidents with medium cost per claim, which is reasonable, taking into account the assets in which insurance companies invest to carry on their business, such as buildings and computers, and the existing risk measures for mitigation and control. In addition, the behaviour of “Execution, Delivery & Process Management” losses is out of the expected for operational risk, as it includes the claims of liability for medical practice, the main activity of their business.

Treatment of the database

Once the database was obtained and analysed, a thorough cleaning and treatment was performed. One of the major concerns was the consistency of data, so that each individual loss had to be initially categorized according to the standard event type classification for operational risk (see Appendix). Secondly, the records were classified into the following groups, given the need to model each one separately because of the different nature, behaviour and statistical claims history:

  a) Damages, including multi-hazards

  b) Health-care Liability

  c) General Liability

Moreover, and additionally to the initial review of each entry in the database (amounts, concepts, causes, etc.) and their classification into types of events, further adjustments were made. Some records were reallocated; data was filtered, eliminating incorrectly opened files; the total cost of claims was estimated where information lacked, using the historical data of the Industrial Price Index in Spain; and it was assumed, where necessary, that no significant changes in coverage and risk exposure conditions happened.

The sample remaining after filtering, presented in Table 1, consists of 373 insured loss claims, with an aggregate value of EUR 5.6m. It has to be pointed out that using only external data will provide a charge capital that is not sensitive to internal losses, does not increase despite the occurrence of a large internal loss and does not decrease despite the improvement of internal controls. So when combining different sources of data, there might also be some advantages for taking expert opinion in the process to quantifying operational risk, where expert opinion can take many forms, as was shown by recently developed transformation techniques combined with non-parametric smoothing theory (footnote 5).

Table 1 Sample after filtering database

Database analysis results vs. regulatory framework and applications

According to Solvency II, additionally to underwriting (non-life, life and health), market and credit risk, operational risk is a determinant of the new capital requirements; unfortunately, it was mentioned in the introduction that one of the major problems with modelling operational risk is the lack of suitable loss data. To overcome this problem, Solvency II requires insurers to complement its internal loss data with some more information, including external data. In particular, insurers should use assumptions based on external rather than internal data in order to verify the calibration of the internal model and to check that its specification is in line with generally accepted market practice (Solvency II, Art. 122), assumptions that might be based, as first approach, on similar operational risk data behaviour analysis that has been suggested in this paper. Regarding the data collection process described in the analysis, supervisory authorities will only approve the internal models of insurers if they are satisfied that the systems for identifying, measuring, monitoring, managing and reporting risk are adequate (Solvency II, Art. 112) and if the data used is accurate, complete and appropriate (Solvency II, Art. 121), which has been the case of the operational risk data and its collection process used in this paper.

The applications for insurers of the presented database are, in the first place, related to developing adequate compliance requirements, providing greater efficiency in the management and control of risk using the database to improve the combination of internal and external data and the calibration of the internal model, and using the data collection process to clarify the systems of identifying and reporting risks. In the second place, in the stage of quantification of solvency capital, using the results and behaviour of the external data to support the selection of the main financial model for this kind of risk, Value-at-Risk (VaR), and, moreover, providing a portfolio of potential severity and frequency distributions to be applied in the model. In summary, the database and its treatment will help management to use the information for the better understanding and control of risks, which is the main objective of Solvency II.

Conclusions

Management and financial analysis of operational risk is a necessary activity for insurers. This presents many opportunities for development and is a major field of study on conceptual and practical issues. This is because of the particularity and complexity implicitly involved in this kind of risk and the need to establish a capital to face the possible losses, a reality that has recently been materialised in the new European solvency rules (Solvency II).

The problem of the absence of internal data for financial analysis of operational risk is well known. The search of databases and their treatment is a key factor for the development of operational risk modelling for Solvency II, which is why the type of data that has been used (incidents with sufficient historical background, low and medium frequency and severity, and avoiding the possible outcomes of the external databases that are usually very biased events of high severity and low frequency) can help fill this lack for insurers, with its share of operational risk data combined from several health insurers, classified by type of risk most likely in agreement with Solvency II and depurated according to the needs of the ultimate goals.

Assuming that the analytic approach may be performed from different standpoints, the exercise and the entire process of collecting information on operational losses and its further examination offers insurers a vision much more comprehensive of operational risk and is a superb tool for its management. Solvency II, with respect to operational risks in particular, is not aimed only at finding fulfilment of a rule or standards of measurement, but is intended to implicitly achieve greater efficiency in the management and control of risk and in the capital allocation in the insurance companies.

Finally, and in reference to the results of the actuarial financial analysis developed on the operational risk database for health insurance companies in Spain, its treatment and depuration, and based on the imperative important previous work of understanding the industry and defining the process of collecting data, show that the type and structure of data available (losses or claims of low and medium severity and frequency) are consistent with the overall performance of operational risks, which will help the future combination with internal data and the later selection of financial models to quantify the charge of capital and ultimately will facilitate the understanding from insurers’ senior management, who ultimately make the decisions about risk acceptance and control.