Security Risk Management in a Commercial Insurance Company
Authors
Matýsková, Veronika
Publisher
Vysoká škola báňská - Technická univerzita Ostrava
Abstract
Commercial insurance companies are nowadays exposed to risks that surround them and may be of existential significance. The goal of the diploma thesis is to define security risks as a subset of operational risks and to describe a theoretical model of security risk management in a commercial insurance company. The partial goal is to evaluate the classification of security risks at Česká pojišťovna, a.s. on the basis of theoretical knowledge, to compare the theoretical and practical models of security risk management, and to highlight the weaknesses of the cycle. The methods of analysis, synthesis and comparison were used in writing the thesis. Many authors deal with operational risks, and each classifies them from a different perspective. The thesis examines operational risks from the perspective of the Solvency II standard intended for insurance companies, Basel II designed for banking institutions, and P. Vodová's approach based on the ČNB provision on the internal management and control system. On the basis of these perspectives it is shown that security risks are a subset of operational risks that arise from inadequate or failed internal processes, people and systems, or from external events. Security risks are the risks of direct or indirect losses resulting from the failure of security measures in the areas of physical, personnel and information security and information systems, including the area of anti-fraud measures. Česká pojišťovna, a.s. classifies security risks into personnel risk, information risk, information systems risk, object and technical risk, and fraud risks, including the laundering of proceeds from criminal activities. This classification is sufficient and appropriate to the contemporary perspective on the safety of insurance companies. It focuses on internal risks arising from the internal processes of insurance companies and their employees, and does not neglect the existence of external risks caused by the acts of clients or by natural forces.
Because of the nature of these risks, insurance companies consider it necessary to manage them. The theoretical model of security risk management is based on the operational risk management process, so each insurance company must start by creating and maintaining a risk management system. The following phases are the identification of security risks, their analysis and risk assessment. The results of the risk analysis are the basis for designing security measures, which are implemented in the insurance company's security policy. Financial risk coverage can be a further part of the cycle. Finally, attention is drawn to the need to inform all directors about the identified risks and to supervise the implementation of the security policy in practice. The practical model of security risk management at Česká pojišťovna, a.s. is formally covered by a risk management system. Practitioners consider prevention the most important phase of the cycle. Next comes the phase of risk identification and analysis using the Failure Mode and Effect Analysis method, which unfortunately is not always used or is often not followed through. The following phase is the investigation of causes, which is the basis for designing corrective provisions; once implemented, these provisions act as prevention. In some cases, the cycle also includes a compensation phase. In the last stage, the practical model focuses on sharing information inside and outside the insurance company but, unlike the theoretical model, neglects the periodic inspection of risk management. Here there is scope for improvement for the security manager. Weaknesses of the cycle are also pointed out, such as organizational fragmentation, a lack of information sharing and incomplete application of the cycle in risk management.
Description
Import 05/08/2014
Subject(s)
commercial insurance company, operational risk, security risk, risk management, security measure, identification, analysis