Why Resilience Is Now an Intermediary Topic
Operational resilience was a banking concept first, drawn from the Bank of England Discussion Paper of 2018 and operationalised by FCA/PRA expectations a few years later. The Indian insurance regulator has begun adapting the idea for the intermediary segment. The IRDAI (Insurance Brokers) Regulations, 2018, amended in 2024, now require brokers to maintain documented business-continuity and incident-management arrangements. The IRDAI Information Security Guidelines, 2023 apply to all entities holding policyholder data, including TPAs and corporate agents. The IRDAI Master Circular on Outsourcing, 2024 treats critical broker functions as outsourced services for the insurer principal, with attendant resilience expectations.
The regulatory direction is clear: an intermediary that cannot meet its obligations to policyholders or insurers during a disruption is no longer just a commercial failure; it is a regulatory failure.
Resilience Is Not Business Continuity
The two concepts overlap but the differences matter. Business continuity focuses on the intermediary's ability to resume normal operations after a disruption, often measured by recovery time objectives (RTO) and recovery point objectives (RPO) for specific systems. Operational resilience focuses on the intermediary's ability to deliver important business services to policyholders and insurers through a disruption, measured by impact tolerance for each service.
The distinction has three practical consequences:
- resilience starts from the policyholder's experience, not the internal system inventory
- resilience is service-centric, not technology-centric, although technology is usually the critical dependency
- resilience tolerates degraded service, but only within a defined impact tolerance, after which the disruption is unacceptable regardless of internal recovery progress
An Indian broker whose internal claims-tracking system is down for 8 hours has a continuity problem. If 8 hours of downtime means a policyholder's motor claim notification is missed past the insurer's 14-day window, the broker has a resilience problem, regardless of how quickly the internal system is restored.
Identifying Important Business Services
The first step in any resilience programme is mapping important business services (IBS). For an Indian broker, these typically include:
- claims notification to insurer within insurer-mandated windows
- policy issuance and endorsement processing
- premium collection and remittance to insurer
- renewal notice and quotation issuance for retention
- policyholder grievance handling
- regulatory reporting (IRDAI returns, GST, TDS)
For a TPA, the IBS list shifts towards claim adjudication, cashless authorisation, hospital coordination, and IRDAI's claim-status reporting. For a corporate agent, the list centres on suitability documentation, free-look refund processing, and policy servicing.
For each IBS, define an impact tolerance: the maximum tolerable disruption before policyholder or insurer harm becomes material. Tolerances should be expressed in concrete terms: "cashless authorisation for emergency admissions must not be delayed beyond 60 minutes for more than 5% of cases". Avoid the trap of setting tolerances equal to RTOs; the two metrics measure different things and should diverge.
Mapping Dependencies and Concentration Risk
For each IBS, document the dependencies that, if disrupted, would breach the impact tolerance. Dependencies typically span four categories:
- People: which roles must function, and what is the bench depth
- Process: documented procedures and their digital workflows
- Technology: applications, infrastructure, and the cloud or on-premise location
- Third parties: insurers, banks, regulators, TPAs, SaaS vendors
Scenario Testing and Severe-but-Plausible Events
Operational resilience requires testing against severe-but-plausible scenarios, not just the ones that seem likely. Indian intermediaries should run at least quarterly scenarios across the following categories:
- a ransomware event that encrypts the primary claim or policy-management system
- a prolonged power and network outage at the main operations centre
- the sudden unavailability of a critical third party (cloud provider, primary banking partner, key insurer's claim portal)
- a key-person event affecting two or more critical roles simultaneously
- a pandemic-style absence of 30 to 50% of front-office staff for 4 to 6 weeks
Scenario testing should not be a tabletop exercise alone. At least once a year, test failover infrastructure under load with realistic data. Documented test results are now an expected element of IRDAI inspections; failure to demonstrate testing or to act on findings is itself a finding.
Use insurer-mandated drills as supplementary testing. Most major Indian insurers now run quarterly partner drills; brokers and TPAs that treat these as compliance theatre miss an inexpensive opportunity to validate their own resilience.
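The three steps above (setting an impact tolerance per IBS that is deliberately distinct from RTO, mapping the dependencies behind each service, and running a severe-but-plausible scenario against that map) can be carried out on a small, explicit model rather than a spreadsheet. The following is an added illustration, not a tool from the article or from IRDAI; the inventory, tolerance values, RTOs and outage durations are constructed for a hypothetical broker/TPA and are not real data. It shows two checks a resilience owner actually wants: which dependencies have a committed RTO longer than the tolerance of a service that needs them (the plan cannot meet the tolerance even if recovery goes perfectly), and which services a given scenario breaches, and by how much.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """A resource an IBS needs. rto_minutes is the recovery time the owner
    has committed to for that resource alone (a continuity metric)."""
    name: str
    category: str          # People / Process / Technology / Third party
    rto_minutes: int


@dataclass(frozen=True)
class ImportantBusinessService:
    """An IBS with its impact tolerance: the longest disruption policyholders
    or insurers can absorb before harm becomes material (a resilience metric)."""
    name: str
    impact_tolerance_minutes: int
    dependencies: tuple[str, ...]


# Constructed sample inventory for a hypothetical TPA/broker; not real data.
DEPENDENCIES = {
    "claims-app": Dependency("claims-app", "Technology", rto_minutes=240),
    "cloud-region": Dependency("cloud-region", "Third party", rto_minutes=480),
    "ops-centre-network": Dependency("ops-centre-network", "Technology", rto_minutes=120),
    "medical-officer": Dependency("medical-officer", "People", rto_minutes=30),
    "insurer-portal": Dependency("insurer-portal", "Third party", rto_minutes=1440),
}

SERVICES = (
    ImportantBusinessService(
        "cashless authorisation (emergency admissions)", 60,
        ("claims-app", "cloud-region", "ops-centre-network", "medical-officer")),
    ImportantBusinessService(
        "claims notification to insurer", 24 * 60,
        ("claims-app", "insurer-portal", "ops-centre-network")),
    ImportantBusinessService(
        "premium remittance to insurer", 48 * 60,
        ("ops-centre-network",)),
)


def rto_gaps(services, dependencies):
    """Planning check: for every IBS, list the dependencies whose committed RTO
    exceeds the service's impact tolerance. Such a dependency makes the
    tolerance unachievable even when recovery goes to plan, so the service
    needs a workaround (manual process, alternate provider), not a faster restore."""
    gaps = {}
    for svc in services:
        late = [d for d in svc.dependencies
                if dependencies[d].rto_minutes > svc.impact_tolerance_minutes]
        if late:
            gaps[svc.name] = late
    return gaps


def scenario_breaches(services, dependencies, outage):
    """Scenario check: `outage` maps dependency name -> minutes unavailable.
    A service is down for as long as its slowest disrupted dependency, so the
    breach is that downtime minus the tolerance (only positive values reported)."""
    for name in outage:
        if name not in dependencies:
            raise KeyError(f"unknown dependency in scenario: {name}")
    breaches = {}
    for svc in services:
        downtime = max((outage.get(d, 0) for d in svc.dependencies), default=0)
        over = downtime - svc.impact_tolerance_minutes
        if over > 0:
            breaches[svc.name] = over
    return breaches


if __name__ == "__main__":
    print("RTO gaps:", rto_gaps(SERVICES, DEPENDENCIES))
    # Ransomware scenario from the list above: claims app encrypted and
    # rebuilt from clean backups over 8 hours (constructed duration).
    print("Breaches:", scenario_breaches(SERVICES, DEPENDENCIES, {"claims-app": 8 * 60}))
```

In the constructed inventory the 8-hour claims-app outage breaches only the cashless-authorisation service (by 420 minutes), while claims notification stays inside its 24-hour tolerance; the RTO-gap check flags three dependencies of cashless authorisation whose committed recovery time is longer than 60 minutes, which is the kind of finding a scenario test must produce before the real event does.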
Third-Party and Outsourcing Risk
The IRDAI Master Circular on Outsourcing, 2024 sharpened expectations on third-party risk management. For intermediaries, the practical impact lies in three areas:
- the intermediary remains responsible to the policyholder and insurer regardless of which third party fails
- material outsourcing arrangements require board-approved policy and annual review of third-party controls
- the third party's resilience is now the intermediary's resilience; due diligence cannot stop at the contract signing
A working third-party programme includes a tiered vendor inventory, periodic re-assessment of tier-one vendors, contractual rights to audit and to terminate on resilience failures, and a documented exit plan for each tier-one vendor showing how the service would be migrated within the impact tolerance window.
Cloud concentration is a particular concern. Many Indian brokers and TPAs run on AWS, Azure, or Indian sovereign-cloud providers like CtrlS or Yotta. A multi-region or multi-cloud strategy is rarely justified for a small broker, but the resilience plan should at least include a documented strategy for the named provider's outage, drawing on the provider's own published incident-response architecture.
Governance, Self-Assessment, and What Comes Next
Operational resilience is a board-level matter for any intermediary above a moderate size. The annual self-assessment should be tabled at the board, signed by the chief executive, and form part of the IRDAI return where applicable. The self-assessment should cover:
- the IBS inventory and any changes in the period
- the impact tolerances and any breaches
- the scenario tests run, the findings, and the remediation status
- material third-party events and their resolution
- the board's view of residual resilience risk
Where the broker or TPA is part of a larger group (insurance brokers held by banks, large NBFCs, or technology platforms), the group-level resilience policy should explicitly cover the insurance entity, but the entity's board cannot delegate accountability to the group.
Looking ahead, the IRDAI is likely to formalise operational-resilience expectations through a dedicated guideline within the next 18 months, modelled on the FCA's PS21/3 and the EU DORA framework. Intermediaries that have built the discipline now will face a smoother transition than those who treat the topic as a banking import that does not apply to them.