Not for the faint-hearted

November 2011

Fighting fit at over 60, Bupa has a turnover in excess of £7bn, 52,000 employees worldwide and a presence in around 190 countries. Deborah Ritchie speaks to Bupa CRO Keith Jackson about the role of risk management at the firm

In terms of risk management, what is the greatest challenge for an organisation like Bupa?

The greatest challenge is in designing a risk management framework which is suitable for a healthcare firm and for insurance which is not just about capital but also the Combined Code and Cadbury requirements. The focus for me is on risk mitigation as well as what the financial sector understands, which is a strong focus on capital.

In most peoples’ minds, Bupa is a UK hospitals business, when we actually only now have one in the UK; similarly, health insurance is one of our core offerings, but if you look across the globe we also have major ops in the care business and the data analytics. The company has grown phenomenally over the last decade. And now has a turnover in excess of £7bn, 52,000 employees worldwide and a presence in around 190 countries.

The major clusters are here in the UK, and in Australia, Spain, Latin America and other parts of the US, including Boston for example; plus we have joint ventures in India and in Saudi Arabia. Some 60% of our revenue now comes from outside the UK.

What is the secret to managing risk across such a wide geography?

The greatest challenge across such a geographically widespread operation is in governance – individual decisions need to be made in the context of each operating unit, but a standard framework and set of policies must be in place to ensure governance can be applied. The risks are different in each jurisdiction and peculiar to the type of business, but while that is the case, there is still a lot of learning that can be shared across jurisdictions.

Our risk and compliance network works well in this respect – with our team members sometimes bringing in external experts for their advice on certain issues. Central to the Bupa journey is a local focus underpinned by a solid group-wide framework and bringing together a vibrant community of staff. You have to have energetic people who have the desire and enthusiasm for the job, and who are prepared to share that enthusiasm.

I have worked in financial services for more than 20 years, and gas and electricity utilities for 10; I have accounting and insurance qualifications, but more importantly have worked in a variety of management roles, been a programme director and started my career as a loss adjuster. So I have spent more than half my life on the other side of the table.

There is far greater onus put on non-executives these days. They look to a risk function to give them an objective view of what they should be worried about and how worried they should be.

In this business, people need a balance of technical and ‘shop front’ managerial experience – you have to be able to cross bridges, so that you can have the benefit of that insight and a degree of commercial experience. All the staff here – from managers to clinicians – get actively engaged in risk management. It is something they are really interested in.

What advice would you give a risk team attempting to embed an ERM framework?

A consistent framework for enterprise risk framework sits within the risk strategy here at Bupa, with bespoke application locally. Local risk teams need to understand their particular areas but not necessarily the totality. This puts us in a position where we can focus on the right issues by asking the right questions. Unless it’s focused at the right level and towards the right area, there is a danger you will get it wrong. Among the challenges here is setting up the networks you need to build a cohesion and avoid misunderstanding.

There are 35 categories of risk, grouped into three areas: insurance risk, financial risk and operational risk, with business continuity in the last. In some organisations I have seen business continuity treated as an IT issue, though I have a strong and passionate belief that it should be led from a business priority perspective.

For instance, with our headquarters in Bloomsbury, we have considered the risks surrounding London 2012, which we believe will bring about limitations in terms of transport but nothing that has not already been subject to normal continuity planning. Our people at the corporate office or headquarters can generally work from a laptop – again, flexible working is a matter for departmental discretion. I’d like the risk teams to think they belong to the group as a whole. As an organisation, Bupa is a stable employer, so there is not a high staff turnover, which makes this job a lot easier.

Has it long been the case that risk thinking is so closely aligned with corporate strategy?

Board strategy is much more aligned to risk thinking than it has ever been. It is about transparency and clarity of decision making. It gives board members a framework to establish where they want to go and how they are going to get there. It used to be that we would have a strategy and then look at the risks. That does still take place, but now the risk appetite provides a framework and allows you to see the boundaries. Far from being a straight jacket, it provides a point of escalation for discussion and ensures the right people are involved in that discussion.

What's on Bupa's risk horizon?

In terms of health insurance, it is the inter-correlation of risks which is of most concern – with the most worrisome ones at the global level. There is also always a risk that we get too wrapped up in risk modelling, discounting the significant part that management judgement has to play. The banking sector has learned the hard way that you cannot be a slave to the model – it is no different for our sector. Risk management is not about driving risk out of the organisation. Simply put, if you didn’t have any risk, you wouldn’t make any money. I am comfortable taking risks if we can go into it knowingly, and share with others how decisions are made.

Additionally, we have been engaged in a discussion with the Association of British Insurers (ABI) and the Financial Services Authority (FSA), as well as at the highest levels in Europe to ensure that Solvency II legislation promotes a level playing field in terms of what it sets out to achieve. I am very pro Solvency II - it forces management to better understand their key risks and to ensure that they have good governance in place – and it’s no surprise that well run companies tend to do better so we’re all for that. But in terms of our capital and risk management requirements under Solvency II, it needs to reflect that we are a monoline health insurer and that the duration of our products and claims settlement is significantly shorter than, say, a life provider. Solvency II provides a timely opportunity provided we approach it in a proportionate way and benefit from the insight that derives.

Home More News

Most Read Stories

BSI launches new ISO for business continuity

Vodafone study finds personnel risk overlooked

BIBA issues EC mandatory disclosure warning

FRC to strengthen boardroom diversity principle

Chartis: Hong Kong failing to tackle cyber risk

ACE launches global catastrophe mapping tool

Cameron joins Nelson to set out Lloyd's ambitions

One week to enter this year's Business Continuity Awards