Risk Management

44 WHO’S WHO OF FSI By Steve Ingram SHARPENING THE FOCUS ON RISK MANAGEMENT


Financial Services Risk Management


By Steve Ingram

Sharpening the focus on risk management


When the sun rose over the peaks of a new decade, the global business community heaved a collective sigh of relief as it reached a clearing on one of the steepest and most treacherous learning curves of the last 30 years. But the climb to the summit is far from over. The next challenge is for businesses to understand and apply the lessons learnt.

On the ascent there will be sectors of the global business community that surge ahead and those who fall behind. A sector with a fierce determination to get to and stay at the front of the pack is the insurance sector. One of its secrets to success will be risk management.

According to PricewaterhouseCoopers’ 13th Annual Global CEO Survey, released in early 2010, insurers are determined to sharpen their focus on all aspects of risk management to a greater extent than CEOs in any other sector.

How to sharpen the focus on risk management

The first step in sharpening the focus on risk management is to understand your base camp. Start with a comprehensive review of the structure, roles, and responsibilities of the risk management function.

A couple of key questions that need to be asked:
• Why did we not see the crisis coming?
• How did we underestimate the risks to such a significant extent?
• What must we do differently?

The second step is to understand the quality of your climbing equipment. How effective are the existing risk management practices and policies? The answer: use a robust assessment framework. One framework that can be used maps accounting and control capabilities with business and decision-making communication on one axis, against reactive and proactive components on the second axis. The reactive component focuses on the past and explanation, with the proactive focused on the future and guidance.

Within the two axes the framework is broken into four characteristics/roles: communicator, business partner, score keeper, and diligent caretaker. At the centre of these characteristics/roles is impact.

Be warned: hazards exist in making an accurate assessment. It is an easy pitfall to put additional layers of risk management structure and process on top of what already exists. It is harder, but more effective, to honestly assess what you have, and to understand how it relates to your people in the front line of your business. Best practice risk management is one where risk management is a part of your day to day business, not just one of a long list of corporate functions.

To make your solution part of your business means moving from a passive role as a communicator or scorekeeper, and this transition starts with active enquiry:
• How can our front line people anticipate risk, and how can they help us explore risk possibilities and scenarios?
• How can we challenge the business to think differently about risk, and how can a corporate risk function add value?

Four key findings from the PwC survey

A PricewaterhouseCoopers benchmarking survey of Australian general and life insurers, released in February 2010, shows that risk management functions in this sector operate across all four quadrants of the risk management effectiveness framework, tending more to the reactive than the proactive end.

These results highlight that there are four key development opportunities:

1. Proactive risk management

An organisation’s risk management culture is defined by its risk appetite, the behaviour of its people, and the supporting processes and systems. Typically, the approach is reactive, with a multitude of functions managing a multitude of risks. This often results in the creation of risk silos or a corporate risk function that is removed from the actual execution of your business.

Proactive risk management, with a common framework and language, breaks down the silos and works cross-functionally across the business. With the elimination of silos and the transition of risk management from the corporate centre to the front-line business, risk becomes embedded in the business process and the organisation will have a more informed view of its overall risk position.

To achieve a proactive risk management culture a business might ask itself:
• Who are the real stakeholders of risk in our business?
• Are the risks well understood by these stakeholders?
• Are our people using processes and controls effectively, as a component of business as usual?
• When something goes wrong will our people see the early warning signs and will they know what to do?

2. Linking key performance indicators and key result indicators to risk

If what gets measured gets managed, there are many key areas potentially going unmanaged among insurers.

In many cases there is limited or no alignment between the key performance indicators of the senior/executive management team and the key risks of the organisation.

There also appears (pre and post GFC) to be a lack of key result indicators, and where they do exist there is little if any link to risk and incentive schemes.

The less action we take proactively around such issues, the greater the likelihood that someone else will take notice for us. This misalignment, or lack thereof, has not gone unnoticed by regulatory bodies in Australia and overseas, including the Australian Prudential Regulation Authority (APRA).

Effective from April 2010, financial services and general insurers will have to comply with new remuneration reporting standards.

The new standards will implement the Financial Stability Board’s Principles for Sound Compensation Practices, endorsed at the April 2009 G20.

The Principles aim to ensure effective governance of compensation, alignment of compensation with prudent risk taking, and effective supervisory oversight and stakeholder engagement in compensation.

APRA’s new standard reflects government, investor, and community concerns at excessive risk-taking, conflicts of interest, and examples of individual greed taking priority over the interests of shareholders and customers.

The remuneration policy applies to three categories of personnel including responsible persons, risk and financial control personnel, and all other persons for whom a significant portion of total remuneration is variable and determined by performance measures.

Greater alignment of organisational key risks, KPIs and KRIs is not just compliance; it can help position risk as a central component of day to day business practices.

3. Scenario planning

As insurers plan their ascent to the summit, they need to plan for scenarios, changed conditions, and unknown hazards. Some insurers are starting to apply this approach through scenario analysis. While still viewed by many as overwhelming and time consuming, those who have participated in scenario analysis have found it a valuable tool for generating thought provoking, innovative solutions. It also empowers the real stakeholders and provides the organisation with a sharper education tool.

Scenario analysis has a predictive capability that enables the exploration of questions such as: What would happen in our operating environment if there was a global financial crisis? How would we recognise the early indicators? How bad could the situation get? How would we respond?

As any mountain climber knows, and the GFC should have taught us, the impossible is possible.

4. Sharing information effectively

All too often, there is a lack of transparency and alignment of risk systems and reporting between risk and the business across lines of business. The result is inefficiency, confusion, duplication, and failure of early detection.

If an organisation has “good practice” material, good risk management information, risk indicators or data, it is important to find ways to share it across the organisation. One of the easiest ways is to maintain a common risk language.

Sharper focus on the horizon

The final element of a sharper focus is to catalogue and understand the potential of emerging and future trends and risk. For insurers, key considerations include: information security, biometrics, data quality and social networking.

Information security

The economic downturn raised the bar on security. According to the 7th Annual Global State of Security Information Survey 2010, 63 per cent expect spending on information security to either increase or stay the same.

There is an increased risk environment and the role and importance of the information security function has been visibly elevated across the entire business.

The survey conducted by PricewaterhouseCoopers, in conjunction with CIO and CSO magazines, also showed that Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) agreed that the top three impacts on information security are:
• A more complex and burdensome regulatory environment;
• Security challenges that are harder to address in light of cost reduction initiatives; and
• An increased role and importance of the security function.

Businesses are placing high expectations on initiatives that take a strategic, risk-based approach. The message for the future isn’t new or different. It’s just more urgent. From an information security perspective, organisations that want to “get it right” should be focusing on the following key issues:

1. Protecting data elements – a top priority
• The number of respondents who say their organisation has a data loss prevention (DLP) capability in place has leapt this year from 29 per cent in 2008 to 44 per cent in 2009.

2. Addressing the risks associated with social networking
• Six out of 10 respondents report that their organisation doesn’t have security technologies that support Web 2.0 exchanges, such as social networks, blogs and wikis.
• Close to eight out of 10 organisations have no social networking security policies in place.

3. Cloud computing is “on the table”
• While IT virtualisation is a growing priority, particularly in the public sector, only one out of every two respondents believes it improves information security.


Biometrics

Biometrics enables the recognition of humans based on one or more physical or behavioural traits. This new technology has significant potential in the insurance industry to reduce the risk of identity theft. Voice biometrics is a highly secure method of authentication as it is harder to steal a voice pattern than it is to steal a password or PIN.

One of the leading Australian banks has announced the deployment of a voice biometric identification and verification function to deliver enhanced customer experience and security. The new service makes customers’ telephone banking experience much simpler. There is no need to remember cumbersome passwords and PINs, but their identity is private and protected.

Data quality

APRA continues to evolve its data collection and reporting requirements for authorised general and life insurers and for general insurance intermediaries that are AFSL holders.

While these arrangements do not impose audit requirements in relation to the data, organisations are expected to have adequate risk management systems to ensure their data is sufficiently complete, reliable, and verifiable.

Evidence from other industries, in particular the US and UK superannuation and pension industry, demonstrates the significant impact data quality issues can have on business operations.

Also, when we consider the rigour ADIs are required to apply over data quality in developing, managing and reporting their regulatory and economic capital frameworks, it becomes obvious that different industry sectors are approaching data quality in different ways. Perhaps this is a portent of things to come.

How in control of data are you?

Data is the “life blood” of insurance. Whether qualitative or numerical, primary or derivative, internally or externally sourced, its availability, accuracy, completeness, maintenance, and smooth, secure flow is essential for:
• Meeting customer promises, such as pricing and discounts;
• Supporting pricing decision-making;
• Underpinning product development and maintenance;
• Ensuring value is achieved out of new system initiatives;
• Supporting actuarial valuations and capital management; and
• Measuring business performance against strategy, objectives and key performance indicators.

Social networking (i.e. Facebook and Twitter)

A new online phenomenon is seeing criminals use social networking sites such as Facebook and Twitter to gather personal information, not to steal identities but to commit break and enters.

Likening it to online shopping for burglars, a large UK insurer has warned users of social networking sites that by making personal information such as where they live, purchases, work patterns and holidays public, they become easy targets, particularly when that information is combined with information from Google search and maps.

As a consequence, the UK insurer is considering placing a premium on customers who use social networking sites.

Mobile phones are also becoming an increasing risk for insurers with a newly launched application using a GPS system to give and receive information on the location of the user and their friends. The information is displayed on a screen map with dots as place markers. The phones also transmit the locations to a website that anyone can log onto. Just another source of intelligence for burglars interested in knowing where you.

Conclusion

As insurers prepare to stay ahead of the game for their ascent in the post-GFC economy, they would do well to take stock of what risk management procedures, functions, and structures haven’t worked in the past.

The risk function can no longer be just a score keeper or reporter; it needs to be a business partner and member of the climbing team. Risk management adds great value to a business when the frontline stakeholders are part of scenario analysis, and when risk becomes part of the “business as usual”.

* Steve Ingram is a Partner at PricewaterhouseCoopers. The 13th Annual Global CEO Survey mentioned in this article included 1,198 interviews with CEOs conducted in 52 countries during the last quarter of 2009. The full survey report, plus supporting graphics which can be downloaded, is available at www.pwc.com/ceosurvey.
