Refashioning insurance risk management functions for a future world

Dr. Peter Gassmann, Dr. Gero Matouschek, and Jeroen Crijns
January 17, 2022

Insurance companies are facing a fundamental shift in the external environment and must adapt accordingly. In setting up and positioning their risk management functions, they have to reckon with an expanding array of risks, technologies and data sources, new regulatory expectations, and changing customer demands. Based on extensive experience in the insurance sector, Strategy& has developed five dimensions which allow companies to reassess their current position and move towards a risk-intelligent approach: strategy, governance and organization, people and culture, processes, and data, methods and tools. Ultimately, insurers need to involve the risk management function more in strategic and tactical decision making, while establishing a clearly defined company-wide risk culture.


External drivers affecting insurers’ risk management

Several factors are influencing how insurers should now respond to risk. To begin with, the risk environment is rapidly evolving as non-financial risks, such as those relating to climate and cyber security, grow in importance. The Covid-19 pandemic has certainly reinforced this sense of a volatile world.

Moreover, industries and various business areas are becoming increasingly interconnected, making risks more complex for insurers. Technological innovation is fundamentally changing how insurers interact with their customers and stakeholders, but it is also generating new risks, such as those relating to data security. New, country-specific regulations, triggered by the speed of innovation and a rapidly changing world, are forcing insurers to respond with urgency. In addition to all of this, new business models and ecosystems are now in vogue, with a sharper focus on business-to-business partnerships that permit greater flexibility and technical expertise.

Key players

A framework for assessing progress

Comprehensive management of new and emerging risks is important for any company in order to ensure compliance and maintain a strong financial position. For insurance companies, however, it becomes doubly crucial as risk is the very basis of their value proposition and product portfolio.

The maturity level of a company’s risk management function can vary greatly - from merely meeting regulatory minimum requirements, to a top-down management of risks, to the desired goal of an end-to-end risk-intelligent approach. As they strive towards the risk-intelligent level, insurers will benefit from acting in accordance with their clearly defined risk appetite. The outcome will be risk-based business steering, and an overall risk awareness stemming from a company-wide risk culture promoted by the leadership team.

Maturity levels

How then can we assess the maturity of each insurance company’s risk management and identify those areas most urgently requiring improvement? Strategy& has designed a framework with five central dimensions for the purposes of this assessment. For any given insurer or reinsurer, we can then determine the maturity of each of these dimensions and, based on that, define a clear way forward.

Strategy&'s risk management framework (insurance)

Tracking progress of selected players

A Strategy& analysis which compares the risk positioning of eight selected insurance and reinsurance companies provides us with an instructive picture of the status quo. These companies vary in size from major multinational insurance groups and reinsurers, to small local insurers that operate in a single territory.

The study revealed that the risk management dimensions of people and culture and of data, methods and tools, have not received the requisite attention or undergone sufficient modernization. Inadequate performance in the latter dimension certainly reflects a broader trend, with PwC’s 2020 Global Risk Study revealing that only 33% of organizations throughout all sectors have the right technology and tools in place to anticipate, monitor and manage risk effectively. However, most surveyed insurers and reinsurers reported an advanced or even a risk-intelligent level for the governance and organization dimension, as well as for the strategy dimension.

Benchmarking heat map

Moreover, the larger multinational companies, and the reinsurers in particular, appear to have a more advanced approach to risk management than their medium-sized and smaller, local counterparts. One multinational reinsurer in particular boasts a strong risk culture, promoted by top management and directly linked to the assessment of performance.

This is perhaps a predictable finding, as reinsurers are naturally inclined to view the bigger picture. Their everyday work is devoted to identifying and assessing large-scale and potentially catastrophic risks on a global scale, whereas the horizons of smaller insurers are more limited to regulatory compliance, standardized products and the risks pertaining to individual clients.


Striving towards the risk-intelligence stage

Certain criteria need to be met to reach the final, risk-intelligent stage in any one dimension. With respect to the strategy dimension, the risk management function (and potentially the chief risk officer in particular) plays a prominent role in short-term and long-term corporate decision making, while overall organizational strategy reflects a detailed perspective on future risks and a defined risk appetite.

Non-financial risks will feature to an increasing extent in any such future assessment. For example, risks relating to cyber incidents, climate change and natural catastrophes are now very much at the forefront of the minds of risk management experts.

Collaboration is an essential feature of a risk-intelligent organization and requires a supporting operating model that helps to eliminate any blind spots on the risk radar. Risk-related responsibilities across three lines of defense are divided in an efficient way, while cooperation and alignment between functions and an integrated approach between operational risk and compliance departments are all evident. The second line of defense (risk and compliance functions) and the third line (internal audit) work in close partnership with the senior leadership team.

In practice, however, financial institutions often encounter difficulties relating to the three lines of defense model. For example, clear division of responsibility tends to be absent, while a lack of trust in the risk function makes business units less committed to addressing risk management gaps. Seamless collaboration between the various elements responsible for risk management rests on identifying any duplication and potential for conflict.

Interaction model for the Three Lines of Defense

When it comes to the people and culture dimension in a risk-intelligent organization, leadership teams of the top players develop an integrated perspective on the firm’s overall risk appetite and are themselves deeply committed to establishing a consistent company-wide risk culture. However, all too often, cultural guidance is not sufficiently concrete or specific, while the implementation of cultural change is not linked closely enough to business results or strategic impact. Meanwhile, top leaders can struggle to adopt behaviors consistent with the stated strategy.

In building a comprehensive risk culture, insurance companies can learn a great deal from tech giants, with their high level of agility in response to change, as well as their employee autonomy and close collaboration with external partners. Aside from a coherent risk culture, a risk-intelligent risk function should build important capabilities in handling future challenges, develop a deep understanding of innovative technologies, and decide on a clear vision. In particular, a comprehensive catalogue of required competencies with respect to artificial intelligence (AI) and data analytics should be drawn up.

In order to anticipate and control risk, cutting-edge processes need to be in place. As the focus in risk management moves away from retrospective evaluation, front runners are increasingly making use of forecasting models for risk identification and analysis or early-warning radars to proactively identify emerging risks and relevant developments in the regulatory landscape. Also, they are making use of new and dynamic risk metrics, with enhanced monitoring through improved data visualization, to support business steering.

For the final dimension of data, methods and tools, the emphasis in a risk-intelligent organization is on real-time automation and continuous striving for innovative risk solutions. Automated analyses, for example based on scenarios and stress tests, act as the baseline for defining the organization’s risk appetite. To mitigate the effects of any residual silo mentality, tools are employed to identify risks that cut across functional boundaries.

Advanced analytics, and AI-supported software with real-time access to internal and external data, are put into practice. Indeed, modern insurance companies enjoy the major benefit of a significant increase in data sources. They can also partner with other companies (including from outside insurance) to expand the range of such sources. Data on client history and preferences can be combined with information derived from connected consumer devices, the weather forecast, and further statistics to create a comprehensive picture of each individual customer and thereby shape the company’s holistic risk perspective.  


Conclusion: The first steps to progress

Establishing a forward-looking risk management unit is achievable within less than one year and starts with an analysis of the status quo in the organization. The company then needs to draw up a vision of the structure and scope of the risk management unit and the roles and responsibilities within it. Final implementation involves several aspects: setting up the change management team; communicating the intended risk culture to the organization as a whole; hiring employees according to agreed skill requirements; carrying out training to strengthen critical capabilities, such as in data and analytics; and deploying technological solutions.

By first asking themselves the relevant questions about where they stand on each dimension of the Strategy& risk management framework and then responding accordingly, insurers and reinsurers of varying sizes can build a risk-intelligent organization, equipped to manage the complex and interconnected risks of the future.

Five elements

Contact us

Dr. Peter Gassmann

Global Strategy& Leader, Strategy&

Dr. Gero Matouschek

Partner, Strategy& Germany

Jeroen Crijns

Partner, Strategy& Netherlands
