The nature of risk is evolving. Indicators suggest that economically the world is more stable than it has been since the onset of the global financial crisis, and the IMF tells us that global economic activity continues to firm up. Albeit far from a world without global financial concerns, there seems to be an increasing focus on non-financial risks.The World Economic Forum’s 2018 Risks Perception Survey revealed that the top 5 risks for global leaders in terms of both likelihood and impact are non-financial. They are, for example, generated by extreme weather events and natural disasters, by new technologies and the increased exposure to cyber attacks and data fraud, by political and social instability with the threat of terror attacks, large scale migration, and interstate conflict.
The relevance of non-financial risks for the insurance industry is clear: damage is not only direct, in the form of higher combined ratios, compliance sanctions and operational failures, but also indirect, in the form of long-term reputational deterioration and destruction of shareholder value. The relevance for risk professionals is just as clear: faced with a new and dynamic set of challenges, business is evolving the way it operates, and risk had better not be behind the curve.
In this ‘brave new world’ we see 4 cornerstones for the future of Risk in insurance companies.
1. Manage risk ‘by design and by default’.
Non-financial risks are often difficult to identify, and impact multiple business processes. Preparedness requires active involvement of the first line of defense and collaboration between risk and business so that structurally they interact much more closely. Regulators are pushing in this direction, as their most recent wave of regulations focus on proactive customer and data protection. GDPR requires pre-emptive analysis of key risks and proactive consideration of data protection in processes and IT system design. IDD and MiFIDII similarly mandate embedding of customer protection logic in product design and disclosure, ultimately impacting product strategies. Also cyber risks need to be managed while designing IT systems, ensuring ‘security by design’, thus embedding directly within the system design the mitigation measures to defeat the common and known malicious practices (e.g.establishing ‘fail securely’ IT processes to manage errors minimizing exposure to further attacks). We will finally see risk truly embedded in product and process design.
2. Leverage the power of data and InsurTech to better manage risks.
The capture and use of more information than ever before – over 90% of data created globally was generated in the past 3 years – combined with substantial technology advancement, opens up a wealth of opportunities, including for risk management solutions, such as:
- Machine learning, recognizing unusual patterns from behavioral analysis of employees (e.g. based on voice recognition, emails and transactions) and spotting conduct risks in MIFIDII;
- Robotics and artificial intelligence, making the job of control functions easier – BCG’s data and research platform Fintech Control Tower has identified over 360 RegTechs specializing in data collection, risk analysis, reporting, but also digital experience for customers (e.g. robotics applied to AML KYC processes and artificial intelligence aiming at reducing false positives in transaction monitoring);
- Blockchain, offering transparency, authentication and information security – insurance applications include streamlining payment and enabling safe, real-time exchange of information with distributors;
- Emerging InsurTech players, leveraging the power of data to create personalized insurance offerings and to better price risks (e.g. wrist-worn fitness trackers used by health insurers to monitor customer activity and accordingly adjust premiums)
Of course, this brings new challenges for the sector, particularly strategic risks. A study by BCG and Morgan Stanley shows that the mature motor insurance market could see a size reduction of 54-84% by 2040 (heavy disruption scenario), depending on the adoption rate of autonomous vehicles. Being able to link envisaged risks to new strategic opportunities will become crucial for insurers to remain competitive and relevant.
3. Deeply understand organizational complexity to avoid complacency.
Often organizational complacency causes major compliance and conduct mishaps. Everything is going well until a crisis unexpectedly exposes the business, such as human error not captured by control functions. Organizational legacy can stifle the intuition and judgment of professionals, from top managers to employees. Routine processes become habitual and employees give little consideration to risks that are outside their sphere of training or experience. Understanding the root cause of behaviors is the key to preventing unanticipated incidents. Challenging current habits (as opposed to ‘no dissent culture‘) and simulating risk scenarios (e.g. ‘red teaming‘, conducting regular ‘destroy your business’ war games) is critical.
4. Broaden the view to see the interconnectedness of risks.
Markets, businesses and companies are more interconnected than ever. Risks cannot be assessed in isolation, but complex interdependencies need to be mapped, understood and managed. Adverse events are usually correlated and single failures may spread across different areas, potentially leading to reputational damage to the industry as a whole (contagion). Traditional ERM frameworks focus on historical events and are unable to capture these dynamics. Risk needs to move to modern system thinking, where problems are viewed through the lens of interconnected networks and feedback loops.
We will continue to live in a world with more risk and uncertainty. These four cornerstones represent a significant step change in the way risk is managed, enabling companies to better adapt to changing threats and turn potential crises into a growth opportunity. The ability of risk managers to support business decisions, leverage technology and data to manage new risks, deeply understand human behaviors and think in terms of risk ecosystems will certainly make the difference.
Welcome to the future of Risk.
Written by Matteo Coppola, BCG’s global leader of Risk Management in Insurance and Mauro Piccinini PhD, Project Leader and Qualified Actuary in BCG's global taskforce in Risk in Insurance.