Insurance and risk
The risk perspective of insurance companies is changing, and these companies have to be agile in order to be able to ward off threats that digitization has brought in:
Risk management is now on top of the agenda for Indian insurers as risk profile is in a state of constant change. Risk management practices are being thoroughly professionalized and these are now integrated into the process of management of business. In the rapidly changing world of VUCA, or Volatility, Uncertainty, Complexity and Ambiguity, insurance companies face newer and sophisticated forms of risks. The omnipresence of VUCA and the growing complexity thereof in the business environment present roadblocks to an enterprise’s journey towards achieving their objectives. The manifestation of VUCA can be seen in many forms like natural calamities, technological glitches and changes in financial markets.
INFORMATION, CYBER RISK
In today’s digital era where technology has become a game changer, technology risk is one of the biggest risks faced by insurance companies. Customer data and cyber security have emerged as crucial and customer data privacy is one the biggest threat in the digital era. The rise in the cyber crimes has added more worries for the insurers.
A risk manager faces threats (risk) while integrating various web platforms, payment gateways and payment merchants with the core internal IT system and applications. As the required data is collected from various digital platforms, at times there are challenges on account of incomplete data and inconsistency thereof. In order to mitigate the technology risk, data cleaning operations, historical trends analysis on various exposures and loss ratio analysis are carried out by applying statistical tools like the regression model and by using probabilistic approach.
Globally, with advancing importance of digitization of data, information technology coupled with government run initiatives like broadband highways, Rural Internet
Mission, etc, companies are virtually connected to the entire world. Hence cyber risk is a major threat. In order to protect the customer’s personal data, health related data and also to retain confidentiality of data at all levels, the risk manager along with information security team take all possible steps to mitigate cyber risk by implementing advanced IT security controls without breaching the data loss.
Samir Shah, executive director & CFO at HDFC ERGO General Insurance, believes there are challenges that insurance companies face today, like technology obsolescence, involvement of various external agencies in product and service delivery and rise in cyber attacks and data theft. “Moreover, it is anticipated that there is likelihood of enhanced statutory norms relating to data protection and stringent punitive action in the event of breach of customer data privacy. Hence, information security and cyber risks are considered as one of the top risks for an insurance company,” says he.
Rajeev Kumar, chief risk officer at Bajaj Allianz General Insurance, contends that the risk spread for insurers who offer cyber cover to organizations and entities is high. This is mainly due to the increase in intensity and frequency of cyber-attacks due to the onset of technology and better internet connectivity, he avers.
Information has become a valuable key asset for any organization and more so for an insurance company by virtue of its business dealing involving high volume of customer information exchange and retention. The companies have therefore to focus on specialized workforce to manage customer data and to manage cyber security risks.
NATURAL DISASTER RISKS
Extreme drought, unprecedented rains leading to floods, raging wildfires, tsunamis, changing weather patterns etc have become a relatively routine phenomena across the world these days. It has been a matter of concern that there has been a consistent rise in the frequency and severity of catastrophic events across the globe.
Samir Shah says as a general insurance company, HDFC ERGO foresees risk of natural disaster and catastrophic events as one of the top risks as it has a two-fold impact, firstly on the quantum of claims and secondly the higher cost of future reinsurance protection.
Rajeev Kumar too says climate risks are becoming even more uncertain for insurers because of climate changes like increase in frequency of natural catastrophes, droughts, etc. Such events pose a risk for insurers in terms of claim outgo and infrastructure costs.
Thi s y e a r I ndi a has wi t nes s e d unpredicted rains and floods in most of its geographies. So, the global warming and changing weather conditions have become the top risks for insurance companies and these companies are developing special strategies to combat these risks.
REPUTATION, OTHER RISKS
Apart from technological risks, cyber security risks and changing weather risks, insurance companies also have to deal with reputation risk. It is difficult for companies to maintain reputation in a competitive industry environment. There is considerable rise in operational risk in the industry due to the failure of the system, processes and people.
Reputational risk has a direct impact on brand image of the company. Positive news about a company enhances its brand image, but negative news, review or comments in social media may result in a trust deficit among customers, which can have an adverse impact on the image of company. The risk manager and senior management are most concerned about brand image of the company.
C o mment s R a j e e v K u ma r o n operational risks: “Operational risks arise due to failure of system, processes and people that organizations face during their day to day operations. With the geographical spread and extensive use of IT that most insurers have today along with increase in the number of offices, channels, manpower, etc, it is important to have consistency and stick to certain norms to avoid the risk large organizations may face.”
Insurance i ndustry is subject to considerable strategic challenges. Gopal Balachandran, CFO & CRO at ICICI Lombard General Insurance, emphasizes that corporate risks do not exist or occur in isolation, thereby requiring a different approach for discussion on exposures and risk management. “In today’s dynamic environment the top risks that insurance companies are exposed to mainly pertain to cyber security, data privacy, talent pool and attrition,” says he.
Reputation, operational, corporate and other risks require an integrated approach by departments like marketing, IT and HR to manage them efficiently.
CRO & TEAM SIZE
Indian insurance companies had started appointing chief risk officers even before it become mandatory. The risk team size mainly depends on the size and areas of operations of the insurance companies concerned They have appointed special risk managers to manage different types of risks. The risk team members have expertise in risk management functions, information security and fraud prevention.
Bajaj Allianz General Insurance has a team size of less than 10 people for risk management, as technology plays a vital
role in identifying and mitigating risk, which is mainly done through internal tracking mechanisms. Samir Shah shares the details of the team size: “We have a designated CRO for the last 10 years. We have a team of 6 personnel in our risk management team including the CRO.”
ICICI Lombard General Insurance has a CRO at a MANCOM level heading the risk management function. The MANCOM is completely involved in risk management initiatives, including playing a key role in the risk versus rewards decision making process. Gopal Balachandran says the total size of the risk management function is over 175 people comprising the right blend of enterprise risk management, information security and fraud prevention and management professionals. Different segments of the risk management function have able leaders who drive and lead the respective practices, says he.
Universal Sompo General Insurance Company has an i ndependent risk management department which acts as the second line of defence in the company for identification of various risks and for suggesting corrective measures thereof. Nirmal Bhattacharya, chief underwriter at the company, speaks about the risk management slogan adopted by the company: “We treat all the employees as stakeholders of various risks and heads of the departments as risk owners of the respective departments. We have adopted this slogan: ‘Everyone is a Risk Manager for the company’.”
Canara HSBC Oriental Bank of Commerce Life Insurance Co has a CRO, who is engaged in identification, assessment, monitoring and reporting of key risks to which the company is exposed to, including emerging risks. Its team comprises of 9-10 specialized risk management professionals overseeing various categories of risks like information security, financial risk, operational risk, fraud risk, etc. The company’s CRO Siddharth Kaushik says: “Every function within ‘First Line’ has been empowered to drive the risk management framework in the respective areas of operations through a structured framework and dedicated risk specs, which inculcates a culture of risk management and enhances the company’s capability to build risk engagement at every level within the organization.”
The role of CRO and other risk managers is becoming crucial because of the rise of technology related frauds in the industry. In future, it is possible that insurance companies will introduce special digital risk management teams to manage online frauds.
CONSULTANT & ERM
Many insurance companies have not appointed risk management consultants. Some companies have implemented enterprise risk management practices, which help to lay the foundation for effective risk management practices.
Siddharth Kaushik of Canara HSBC Oriental Bank of Commerce Life Insurance explains: “We have a specialized risk management function which is primarily engaged in carrying out all risk related activities along the first line of defence. At times, we engage external consultants for select highly specialized services such as forensic investigations.”
USGIC has effectively implemented enterprise risk management practices across the company by laying down the foundation pillars of risk governance, risk management culture among employees of company and adhering to regulatory compliances. While delivering reliable insurance products to Indian customers, the company is primarily focussed with customer centric approach for protecting policyholders’ interests.
Most of the insurers prefer inhouse consultants for risk management functions. Enterprise risk management practices play an important role in enhancing the risk management culture in the organizations.
RISK MANAGEMENT SOFTWARE
Several insurance companies have successfully implemented risk management software to mange different types of risks. Most of the insurance companies have developed such software inhouse and these are mainly used in areas like for undertaking risk assessments and for doing risk analysis. Risk management teams have developed different tools to manage the risks.
Bajaj Allianz General Insurance has developed a software that helps to identify risks specific to each department, which
is then assessed, mitigation steps are suggested and monitored accordingly.
DATA ANALYTICS, INSIGHTS
Data analytics and data insights are focus areas for insurance companies. They focus on building powerful analytics capabilities to reason over data, not only in hindsight, but through insights that can empower the company and leadership to predict unforeseen risks and exposures. In certain areas, the companies also use specialized off the shelf or customized tools like for predicative fraud risk analysis, etc.
Samir Shah speaks about customised risk management tools: “We focus on developing customized tools for enterprise wide risk and control assessment. For example, we have an application which assists in ascertaining and monitoring the natural and catastrophic risk exposure and accumulation at pin code levels across the country.”
Nirmal Bhattacharya of Universal Sompo General Insurance Company says data cleaning and blending tools are used for reconciliation of premium and claims data, Excel VBA -macro are used in developing the risk matrix and automating the process of alerts generation, while incident management tools capture loss event. Open source tools are customized for creating internal prototypes like statistical modelling: linear regression model and computation of loss expenses.
Digital transformation has l ed to a proliferation of digital solution providers. The emerging risktech companies are equipped with advanced technology, desired skilled resources and cost-effective solutions which can be largely customized as per various requirements of customers. They therefore are often able to find innovative and feasible alternatives to cater to the risk management needs of companies. However, being new ventures, they have limitations like lack of desired experience and exposure in risk management.
Samir Shah compares emerging risktech vs established companies: “The established risk management solution providers have ready off-the-shelf products which are well constructed but may not be suitable for the desired degree of customization required. Under such circumstances it is often a tradeoff between fully and partially customized products. Both options have their pros and cons, hence individual circumstances and requirements often determine the choices made.”
Nirmal Bhattacharya adds: “Emerging risktech companies help in using data science and analytics techniques for predicting future loss with the help of machine learning algorithms and big data. The approach followed by an established solution provider is primarily to minimize the current financial losses. Our experience with risk tech companies has been limited so far.”
Both t he c at e gori e s of s ol uti on providers bring value to the table. While the established players have the capability of providing enterprise wide solutions and / or are category leaders, the emerging risk tech companies provide innovative point solutions. Says Siddharth Kaushik: “In my view, there is nothing like one being better than the other; rather, it’s a matter of what suits one’s needs and aligns with the end objective. Both the solution providers do provide new technologies and at times bring in a completely new perspective. One of the key aspects which one needs to be cognizant of while working with solution providers pertains to blending these solutions with the existing ecosystem which at times may include old processes and legacy systems.”
In short, the established companies have expertise, but they are unable to provide customised solutions like risktech companies.
NON-ADOPTION FUTURE RISK
Evolving technologies like advanced analytics; telematics, Internet of Things (IoT), etc are buzz words in the financial services space. Insurance companies cannot afford to delay or avoid adoption of these relevant technologies as they facilitate speed, agility, scalability and flexibility.
Born digital insurance companies are leveraging technology to drive change in customer preferences, expectations and experience; no sooner than later this will necessitate restructuring of the traditional business models of old-time players. The longer is the wait to break inertia for such adoption, more difficult would it be for the company to survive the technologically savvy competition. Delayed or nonacceptance of relevant technology adoption and deployment is a top risk for the future for the insurance companies.
Samir Shah foresees risk of natural disaster and catastrophic events as one of the top risks in terms of quantum of claims and higher cost of future re-insurance protection
Gopal Balachandran believes that corporate risks do not exist or occur in isolation and they need a different approach for discussion on exposures and risk management
Rajeev Kumar maintains risk spread for insurers who offer cyber cover to organizations and entities is high because of the increase in intensity and frequency of cyber-attacks
Siddharth Kaushik refers to his company’s treatment of risk activities along the first line of defence
Nirmal Bhattacharya explains how his company has created the slogan ‘Everyone is a risk manager for the company’