Allianz’s Stephanie Smith on being prepared for operational resilience

Posted: 12 April 2021

As a leader the importance of ensuring you can stay ‘open’ whatever may be thrown at your business has always been critically important. But while business continuity planning was always understood as a business activity it was largely expected to be managed under the covers and was rarely a topic that excited those leading the business.

So it’s fantastic, particularly for me as someone who does get excited about this sort of thing, to see the dialogue and importance of this topic elevated and it getting improved levels of investment and airtime at the top table.

Stephanie Smith
Stephanie Smith, COO at Allianz Insurance

Rebadged as ‘operational resilience’ and with the pressures of and learnings from the pandemic still very real for us all, keeping your business open and providing uninterrupted customer service is now clearly a key topic for everyone, not just us in the insurance industry. But, while it’s gained some very recent welcome prominence across the industry, operational resilience is nothing new and our regulators have been tuning in to this topic for some time.

Under the guise of business continuity planning insurers have assessed the potential customer service interruption risks they face for many years, whether that be an IT system failure, a flood, a terror attack or even a pandemic, and we’ve prepared, trusted, invested and/or added processes to ensure we can keep our operations running.

The new operational resilience focus takes the traditional BCP thinking and adds some helpful and important extras. Unlike old school BCP, which very much focused on the continuity of the business itself and specifically the availability of systems, operational resilience puts the need to maintain customer service first, front and centre.

By setting customer impact tolerances for example, an insurer can define the extent to which it can tolerate customer disruption in terms of claims response times, data security and website or telephone outages. This gives a clear view of what’s acceptable from the customers’ viewpoint and so guides what appropriate measures and actions must be implemented and in what order.

Regularly pressure testing a firm’s emergency response and gauging how resilient it is at a given point is an essential part of the whole risk management process.

Having a regular, robust simulation and testing regime ensures that recovery plans are continually fine-tuned and remain effective, all risks are identified (as far as they can be) and, importantly, that all the key people get the chance to practice their incident response, so that they understand what’s involved and are prepared.

You can’t have your leaders learning for the first time in a real crisis scenario or – worst case – playing it out live on prime-time TV.

The importance of regular testing was highlighted for Allianz in 2019 when our Gracechurch Street offices were locked down with our folk inside and caught within a police cordon following a terror attack on London Bridge.

Although it was a worrying time for employees who were unable to leave the office, our incident response team had rehearsed a similar incident several months earlier, and so everyone felt much more confident about what was going on, we were able to make decisions quickly and our operations were unaffected.

It’s critical to keep your eyes and ears open to new potential threat vectors. And now, although it feels a bit like the plot of a science fiction movie, we are beginning to assess the potential disruption that could be caused by solar flares.

These sudden bursts of energy on the sun produce electromagnetic radiation that can affect phone signals, GPS, satellite communications and the internet, with obvious ramifications for customer communications.

Looking at business continuity in the round, and taking a moment to think about some of the biggest learnings from the last 12 months, employee resilience or wellbeing is another increasingly important topic.

It’s not much good having great processes and fully resilient networks if ultimately the pressures of your employees mean they are not workable in practice.

Some of the personal coping stories of the last 12 months have made for tough reading and required insurers to think very differently about how they support and provide for their people by adapting HR policies and priorities accordingly. Minimising uncertainty and showing employees that they are a valuable part of the company is good business 

And so operational resilience needs to become part of the whole organisation’s DNA. While developing and testing resilience naturally sits with an insurer’s operations team, the response and measures a business may need to take needs to be understood by everyone within the organisation.

It’s never been a more important time to keep operational resilience on everyone’s agenda.

Understanding and managing risk is exactly what insurers do for others, so it makes sense that we adopt the same approach to running our own businesses.