When it comes to managing traditional risks, our survey found CROs are focused on enhancing the operating effectiveness of the nearly ubiquitous three-lines-of-defense (3LoD) model. Insurers are also continuing to enhance their risk appetite to better inform decision-making, although the maturity of risk-culture elements is largely in development.
However, the greatest pressure points arise because people-dependent risk models are not set up to manage the new risks emerging from an increasingly digital environment.
Cyber risks and information security
Our CRO survey found the maturity of insurers’ understanding, measuring and governing cyber risks has come a long way over the last 12 months, but the tasks are still evolving.
Asian CROs see themselves giving significantly more attention to cyber risk and information security in the coming year. Already, with increased engagement between risk and IT, the relationships between the CRO and chief information and security officers are becoming more strategic.
Insurers now clearly understand that cyber attackers not only target bank or credit card details; they also target customer data – with the potential for significant reputational impact. Survey respondents reported that many insurers are setting up dedicated responses to managing their own cyber risk. At the same time, the sector is also capitalising on the opportunity this emerging risk brings through the development of cyber insurance.
However, despite the material improvement in understanding cyber risks and potential impacts, risk teams are struggling to bring cyber expertise into the second line, mainly due to skills shortages. The CROs in our survey are especially looking for expertise in cyber and IT security, data analytics and Big Data, machine learning, anti-money laundering and artificial intelligence (AI).
But finding the budget to invest in these talents is proving problematic. Risk functions must find the right balance between acquiring scarce talent and investing in new technologies.
Also, measuring cyber risk and understanding the tolerances related to risk appetite remain largely reactive and based on detection. Risk functions are seeing reports on post-event incidents and intrusions. But they lack proactive metrics, such as training, patching programmes and vulnerability management, that show an insurer’s cyber risk management capability.
At the same time, cyber risk scenarios are not always embedded in crisis management response frameworks. Instead, some insurers are still using building outage, pandemic or financial crisis scenarios. Every aspect of insurers’ defence needs to adapt to incorporate the rising sophistication and increasing likelihood of cyber breaches. (See figure below.)
In the last 12 months, most of the sector’s digital transformation has been focused on making the customer interface smart, efficient and seamless across channels. Insurers are harnessing robotics and intelligent automation solutions that fundamentally change their operations, so they can deliver the digital promise to customers speedily and cost-effectively.
Risk functions will increasingly have to consider how to change their approach to manage the shift in the firm’s risk profile resulting from digital transformation, including the risk of being insufficiently agile to enable innovation.
Challenges for risk functions
Our survey found that, currently, data-quality issues (integrity, availability and completeness) and the complexity of fragmented, siloed legacy systems are preventing some risk functions from monitoring and reporting on these emerging risks in a timely and granular manner.
Risk management needs to become smarter and faster – but also, under great budget pressure, more cost-effective. Traditionally, insurers have depended heavily on adding head count in risk and compliance because of tight regulatory and remediation deadlines. But, today, people-dependent risk models are not sustainable.
Reducing costs cannot undermine the need for strong risk management and controls. Risk functions will have to leverage technology themselves to improve risk management, becoming technology innovators rather than spectators. CROs need to drive standardised, automated and centralised testing capabilities, so human resources can be assigned to more value-adding roles.
Already, some survey respondents have embarked on a journey of digital transformation, developing and using tools such as GRC, visualisation, robotics, big data, analytics, AI and machine learning.
“We are in the early stages of assessing how AI and analytics can support various elements of risk management.”
“We use Big Data and analytics tools to support our net promoter score surveys to help strengthen our insights into complaints and customer dissatisfaction. We are currently looking at other analytical tools that can be used for quality assurance and due diligence purposes, which we may implement once evaluated.”
These CROs are seeking to retain and motivate talent that can operate in the contexts of not only risk but also technology. They are also using technically adept team members to establish a “risktech” strategy that answers:
- What gaps need addressing?
- What digital options exist to enable risk management?
- What are the pros and cons?
- Can we use technology to do a better job of scanning the rapidly changing market?
A changing role for CROs
Our survey found that, in addition to the transformation of the CRO’s function, the CRO’s role is continuing to evolve away from traditional risk and regulatory compliance to becoming a partner with the business, with greater influence over the firm’s strategic direction.
More than 70% of our respondents said their attention was split 70 (business) and 30 (regulatory). Most have increased their influence over or secured approval of key processes.
In their efforts to prepare their businesses for the emerging risk landscape in the future, we expect CROs to play an even greater role in business and strategic planning. This will involve creating heightened sensitivity to risk at the executive table and becoming more involved in setting the strategy.
CROs should stop “rubberstamping” ideas and proactively work to see that strategy takes into account emerging risks and opportunities, as one of the respondents opined below:
“Three to five years from now … the CRO [will] be a key go-to person for the CEO and heads of businesses to engage in relation to business strategies.”
Mr Sumit Narayanan is EY ASEAN Insurance Leader.
This is a curtain raiser to the Asia CFO Insurance Summit jointly organised by AIR and EY.
Download the EY APAC Insurance CRO survey 2017–2018 at goo.gl/vZLoAT
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.