Contents
• Introduction
• Profile of the respondents
• Operationalizing the three lines of defense model
• Enhancing the risk appetite framework
• Developing and implementing the risk culture and conduct frameworks
• Strengthening the management of cyber risk across the organization
• Preparing for and addressing key regulatory challenges
• Positioning adequately for emerging trends
• Engaging in the digital transformation of the risk management function
• Key contacts
APAC Insurance CRO survey 2017–2018 Ι Empowering for transformation 3
Introduction
About the survey
This Asia-Pacific (APAC) Insurance Chief Risk Officer (CRO) survey has been undertaken with the aim of gaining insights into the role that CROs and risk functions play among insurers, and the key priorities of CROs in the short and medium term.
This survey has been designed to qualitatively understand the changing dynamics in the outlook of the risk function and the manner in which the CRO role is evolving. To that extent, we assessed CROs’ ability to contribute indirectly to value creation, identified the key challenges they face and their priorities as a result of changing regulatory requirements and an unstable economic environment, and collected their views on the evolving role of technology in the industry and how they manage the risks associated with it.
Our findings this year call for the continued empowerment of individual accountabilities, in particular across the three lines of defense, to manage risk. This includes enhancing the risk appetite framework and developing and implementing risk culture and conduct frameworks. The need for this is critical for insurers to be successful in transforming their business in response to numerous internal and external pressures. Our results explore this further in the areas of emerging risks including cyber, the overabundance of regulatory change and the digital agenda already on our doorstep.
Our respondents
We spoke to a spectrum of leading life and non-life insurance companies, reinsurers, and prominent insurance groups headquartered in APAC, which specialize in multiline insurance business generating sizeable premiums and with an extensive global reach. Each of these firms has its own unique proposition to offer and is a market leader or trendsetter in its respective area of specialty.
EY sincerely thanks the CROs and companies that shared their insights with us out of their busy schedules to enrich the content of this year’s survey.
Profile of the respondents
We interviewed 22 group or regional CROs with the following profile:
Respondents profile by region (chart; categories: Australia, ASEAN, Greater China)
Respondents profile by insurance (chart; categories: Insurer, Reinsurer)
Respondents profile by business (chart; categories: Life, General, Composite)
The vast majority of respondents surveyed have had a risk team for more than five years and about two-thirds have had the CRO as part of the executive team for more than five years.
Fig. 1: How long ago was the risk team created? (Chart; categories: 1-2 years, 3-5 years, Greater than 5 years ago)
Fig. 2: How long has the CRO been a part of the executive team? (Chart; categories: Less than 1 year, 1-2 years, 3-5 years, Greater than 5 years ago)
Regulatory requirements and mandate from the board and management were the main motivations behind the building of a risk management capability.
What have been the motivations behind the building of a risk management capability:
1. Regulatory and compliance drivers
2. Board mandated
3. Management driven
4. Need for specialist capability
5. Public perception
6. Shareholder and activist demand
Even though the risk functions of most respondents were established a long time ago, the scope of their responsibilities continues to evolve over time. Thirty-six percent of the surveyed CROs have been given new responsibilities over the past year, such as:
• Reviewing potential data breaches
• Measuring and driving risk culture
• Providing input into asset liability management (ALM) and investment risk oversight
• Establishing a quality assurance “line 2.5” between the second and third lines of defense
• Expanding into other areas of the business
Fig. 3: Have you been given new responsibilities or authority over the past year? (Yes 36%, No 64%)
More than three-quarters of the respondents think that the CRO has a responsibility to ensure that the company grows:
“ While growth is not the primary focus of the CRO as a member of the executive team, the CRO has a responsibility to support shareholder returns and this includes sustainable growth in the investment, and input into risk-adjusted returns is a key component of this — as is the need to ensure a robust system of controls is in place to support business growth and ensure appropriate conduct.”
Fig. 4: Does the CRO have a responsibility to ensure that the company grows? (Yes 77%, No 23%)
Consistent with last year’s survey results, CROs find it difficult to evidence that the risk function is adding value — in the eyes of the internal stakeholders.
They get mostly informal feedback from management and sometimes from the first line.
As a good practice, some respondents have implemented risk culture and “voice of the customer” surveys to take the pulse of their stakeholders across the organization.
When asked about the risk team’s biggest accomplishments over the past 12–24 months and which areas they expect to devote significantly more attention to in the next 12 months, the responses varied among Asia-Pacific respondents. This notably reflected the diversity of Asian respondents and the relative maturity of Australian CROs. Yet risk culture is at the top of the CROs’ agenda across the Asia-Pacific region.
“ [I receive] unsolicited invitations to project meetings, leadership meetings, strategy meetings, working groups, product meetings, client visits, etc. suggesting that, beyond a standard risk governance framework, risk’s advice is being sought.”
Biggest accomplishments over the past 12–24 months
Areas getting significantly more attention in the next 12 months
Asian respondents
• Own Risk and Solvency Assessment (ORSA) improvement
• Operational risk management
• Development of an integrated risk management system together with a proper risk appetite framework
• Capital management initiatives
• Risk culture
• Cyber risk and information security
• Enterprise risk management (ERM) framework
• Investment risk
Australian respondents
• Risk reporting and dashboards
• Incident management
• Risk culture
• ERM framework
• Embedment and up-skilling of first line and greater risk accountability
• Conduct and culture
• Governance, Risk and Compliance (GRC) tools
Operationalizing the three lines of defense model
Commentary
Ninety-five percent of respondents, surveyed across Asia-Pacific, have adopted a formal three lines of defense (LoD) model, with the remaining insurer indicating that they are working toward implementing this model.
Fig. 5: Does your company adopt a formal three-LoD model? (Yes 95%, No 5%)
Key findings
CROs acknowledged that the three-LoD model works well in design, but that it presents difficulties when implemented in practice.
A majority of CROs identified that the greatest challenge with the three-LoD model is delineating the roles between the first and second line. In particular, CROs recognize the need to strengthen their first line and ensure their risk ownership and accountability.
Despite these challenges, CROs are already actively thinking about or starting to implement ways to enhance the operating effectiveness of the three-LoD model. These include the following:
• Training is provided through workshops to enhance risk understanding and awareness with a desire to promote a risk management culture across the insurer.
• A line 1.5 function is created where the second line is actively working to develop first line’s capability to own their risks. CROs see that the line 1.5 function would eventually be phased out, allowing the first line to operate independently, and the second line to be a challenge and review function over risks.
• Performance assessment is linked to the responsibilities of day-to-day activities in risk management. Some insurers indicated that they are introducing risk management indicators in the first line as part of their performance appraisal system.
“ The three-LoD model is giving a false sense of security to the board — if there is a failure in the first line, there is a failure in the second line. Then it means there is a failure in all the three lines. In that sense, strengthening the first line is the main challenge.”
“ The three-LoD model works well, but the only problem that can arise is in scenarios where the first line does not want to own up to the risk, and doesn’t believe their job involves managing the risk.”
What can we learn from the banking sector? Key findings from the Eighth annual global EY/IIF bank risk management survey:
Banks recognize that operationalizing the model, and making it effective and efficient, is, if anything, more challenging than designing the broad-brush framework. Four elements stand out:
• Make risk management smarter, faster and more cost-effective: Reducing costs cannot undermine the need for strong risk management and controls.
• Wean off people-dependent risk management: Traditionally, financial institutions have depended heavily on adding head count in risk and compliance because of tight regulatory and remediation deadlines. There are now signs that people-dependent risk models are not sustainable.
• Develop a new talent strategy: Financial institutions will have to compete much harder to recruit, retain and motivate talent that can operate in contexts of not only risk, but also in technology.
• Drive standardization: Standardizing, automating and centralizing testing capabilities is an important vehicle for weaning off a people-dependent model.
Enhancing the risk appetite framework
Commentary
Risk appetite framework
Ninety-five percent of respondents have a formal risk appetite statement (RAS) in place. A significant proportion of RASs (41%) are qualitative with little quantification of statements.
Respondents seem to converge on the hierarchy of appetite, tolerances and limits. All use a top-down, or a combination of top-down and bottom-up approach in developing the framework to ensure alignment.
A majority of respondents (73%) express the RAS broadly and use tolerances and limits to control the level of acceptable risks. We have observed increased adoption rates of operational risk (86% already in place and in development) and franchise value (50% already in place and in development) in corporate risk appetite as compared with the survey results last year (operational risk 40% already in place; franchise value 0% in place and in development).
Quantitative limits for operational, interest rate and equity risks continue to develop across respondents with further efforts required for full adoption of quantitative limits.
A majority of respondents (73%) take the RAS into consideration when writing business.
Capital and stress tests
Most respondents indicate the importance of regulatory capital due to the lack of internal models. A few respondents in Australia indicate capital benefits with internal model use. One respondent, for example, faces higher restrictions on regulatory capital in meeting local requirements.
While regulatory capital helps to understand drivers and impact, it may not measure all risks well (e.g., operational risk).
Stress tests based on the regulatory capital framework have been widely adopted to fulfill local reporting requirements. Most of the respondents (64%) applied individual shocks to each risk type. Shocks are then combined via correlation tables. The stress-testing exercise is usually run annually, although more frequent reporting (e.g., monthly) is observed at some insurers.
Better practices:
• Involving management early in the design of stress scenarios
• Considering stress-test scenarios from head office for consistency
• Stochastic models, simulations of balance sheet and profit and loss (P&L), and copulas
• Developing a distribution curve for each operational risk identified
Forty-two percent of respondents have an Internal Capital Adequacy Assessment Process (ICAAP) that has not reached stability. Areas to improve on include:
• Reviewing number of stress tests and increasing level of scenario testing
• Wider coverage of risks (e.g., liquidity risks)
• Enhancing Key Risk Indicators (KRI)
• Evolving with business (demonstrating a stronger link with business)
Fig. 6: Which of the following metrics do you use in your corporate risk appetite? (Chart comparing 2016 and 2017; metrics: Regulatory capital, Liquidity, Credit rating, Operational risk, Total profit, Operating profit, Economic capital, Franchise value, Economic profit; legend as extracted: In place, In development, No metric, Already in place, Not in use)
Fig. 7: For which of the following risks have you set quantitative limits? (Chart comparing 2016 and 2017; risks: Liquidity, Insurance and underwriting, Interest rate, Equity, Credit, Operational; legend: Quantitative limits in place, No quantitative limits in place)
Key findings
Emerging practices
• Insurers continue to enhance their risk appetite to better inform decision-making, including risk oversight.
• There are examples where risk appetite has been used to inform reinsurance purchase, business acquisition and underwriting. This reflects greater alignment of the risk management infrastructure and the business drivers.
• Mature organizations recognize the need to align behaviors and culture with risk appetite — this remains work in progress.
Key trends observed
• Better linkage between business plan, risk appetite framework and capital
• Moving toward economic capital in the long run
• Revision of stress tests to have wider coverage of key risk events
Insurers continue to improve the links among business, capital and risk. Setting quantitative limits to all risks continues to be the challenge.
Developing and implementing the risk culture and conduct frameworks
Commentary
There is ongoing work in developing and implementing frameworks for the management of risk culture and conduct risk.
While significant progress has been made over the last two years in thinking about approaches to risk culture, progress has still remained slow.
Less than one in two (45%) insurers across the APAC region have developed a risk culture or risk conduct framework.
The maturity of risk culture elements is largely in development. The elements of goal setting, remuneration and defining a target state are proving to be the leading place to start the development of risk culture frameworks.
Measurement and quantification of risk culture and conduct risk continue to be a challenge.
Fig 8. The three lens approach
“The three lens approach” combines perceptions, mechanisms and outcome data to gain an objective view of a firm’s culture
Perceptions
• Interviews
• Focus groups
• Identify root cause
Mechanisms
• Policies
• Processes
• Governance
• Management information
Outcomes
• Breaches and near misses
• Consequence management
• Customer complaints analysis and trends
(Diagram labels: Outcomes, Behaviors, Risk management framework, Organisational structure, Organization capability, Talent management, Leadership, Risk appetite, Risk transparency, Capabilities, Tone at top, Governance, Roles and responsibilities, Strategy, Relationships, Responsiveness, Motivation)
The EY assessment approach
• Hypotheses based on industry and client experience are tested
• The assessment answers the “what” and “why” question and outlines root causes of behaviours and outcomes
• The outcome of our assessment is “intervention-based” and outlines high-impact initiatives that will build on current strengths and address current weaknesses
• Apply 80/20 approach to survey design and data collection: standard questions and data requests supplemented by tailored questions for the specific drivers of the assessment (i.e., focus on conduct)
• Build a risk culture dashboard to provide the executive committee or non-executive directors committee with a frequent “pulse check”
“ Yes, [we have implemented the risk culture framework] three years ago. We have defined our risk culture through the espoused values with links to the remuneration framework, annual engagement survey, and the reward and recognition program.”
Fig 9. Have you developed a risk culture framework? (Yes 45%, No 55%)
Fig 10. Rate your organization’s maturity against the following risk culture framework elements (Chart; legend: Mature, Progressing in maturity, No action taken; elements: Developing action plans for risk culture, Risk culture in remuneration, Risk culture in product development, Defining a target state of risk culture, Risk culture in goal setting, Reporting measurements to management committee, Developing tolerances for key culture metrics)
Key findings
The focus on conduct risk is clearly uneven across APAC with wide variations between markets, where regulators explicitly discuss conduct risk. There are jurisdictions where elements of conduct risk are embedded in other regulations, and jurisdictions where conduct risk has yet to emerge as a regulatory focus. However, a growing number of regulators in the region are seeking to understand the steps firms are taking to manage conduct risk. Many firms are also beginning to better define conduct risk and incorporate its considerations right across the employee life cycle: recruitment, performance assessment, training, incentives and remuneration. In many jurisdictions, there has been an emergence of formal conduct risk frameworks, with dedicated teams supporting a conduct risk program.
We believe widely divergent conduct risk practices within the region will continue — largely correlated to the level of regulatory focus in home markets. Differences at the country level are largely due to different regulatory expectations and approaches to conduct risk. Larger firms and those headquartered in the US or Europe, where regulators have set high conduct risk management benchmarks, tend to have more advanced practices. Nonetheless, in 2018, we will continue to see an increased focus on conduct risk governance and measurement, frameworks, conflicts of interest, and people practices.
Fig 11. Have you developed a risk conduct framework? (Yes 45%, No 55%)
Fig 12. Rate your organization’s maturity against the following risk conduct framework elements (Chart; legend: Mature, Progressing in maturity, No action taken; elements: Roles and responsibilities of the board and senior management-related committees designated to conduct risk, Metrics in risk appetite statement for conduct risk and reporting, Target framework for conduct risk)
Strengthening the management of cyber risk across the organization
Commentary
The maturity of understanding, measuring and governing cyber risks has come a long way over the last 12 months.
Organizations now clearly understand that cyber-attackers do not just target money or credit card details, but also valuable data, including customer data. The damage caused by a major data breach will not only be financial, but will also have a significant reputational impact on the organization.
Despite the material improvement in understanding cyber risks and potential impacts, risk teams are struggling to bring cyber expertise into the second line — this is mainly a function of skills shortage.
Fig. 13: Has cyber risk been incorporated into strategic planning? (Yes 59%, No 41%)
Fig. 14: How much of your team (time and headcount) is devoted to cyber security? Please specify the number of full time equivalent (FTE) (Chart; categories: 5+, 1-5, 0)
Key findings
Relationships between the CRO and the chief information and security officers appear to be in development and are improving through increased engagement.
Measurement of cyber risks, including tolerances related to risk appetites, seems more detective and reactive in nature. That is, there is reporting of post-event incidents and intrusions, rather than more proactive metrics that show the cyber risk management capability of an organization (things like training and awareness programs, patching programs and frequency, and vulnerability management).
Cyber risk scenarios do not appear to be consistently embedded in organizations’ crisis management response frameworks (relying on more traditional building outage or pandemic preparations) or scenarios (preferring more financial risk event scenarios).
Preparing for and addressing key regulatory challenges
Commentary
Current and anticipated future challenges: The CRO’s role continues to evolve away from the traditional risk and regulatory compliance role into that of a partner with the business, with greater influence over the strategic direction of the firm.
Fig. 15: 2017 — Can you describe the role of the risk management function in the following key processes? (Chart; legend: Process owned by Risk and CRO, Influence and approve, Risk has limited influence; processes: ERM — installation and maintenance of risk framework, Risk appetite setting, Risk measurement and reporting, Risk tolerance and limit setting, Stress testing — design, Stress testing performance and reporting, Model risk management, Model validation, Model governance, Capital management, Reinsurance program design, Reinsurance program execution, Oversight or reserving and valuation, Technical provision, Investments, Strategic decisions (M&A), Risk mitigation, Setting of asset strategy, Product design and pricing, Underwriting)
Fig. 16: 2016 — Can you describe the role of the risk management function in the following key processes? (Chart; legend: Process owned by Risk and CRO, Influence and approve, Risk has limited influence; processes: Risk appetite setting, Risk tolerance and limit setting, Stress and scenario testing, Model validation, Model governance, Capital management, Risk mitigation, Reinsurance, Business strategy, Product approval, Investments, Strategic decisions (e.g., M&A), Reserving, Technical provision)
Fig. 17: What impact does the current regulatory environment have on business strategy? (Chart; categories: Significant positive impact, Insignificant positive impact, No impact, Insignificant negative impact, Significant negative impact)
Fig. 18: Time allocation of risk function to regulatory vs. business matters (Chart comparing 2017 and 2016; categories: 70% regulatory and 30% business, 50% regulatory and 50% business, 30% regulatory and 70% business)
Key findings
The role of CROs continues to evolve from traditional organizational compliance with the risk management frameworks and regulatory agenda to spending more time on strategic drivers and business matters within the firm. This is reflected in the shift from the previous year, with CROs devoting more time to business matters than to regulatory matters.
When asked how much they owned, influenced or had limited influence over business processes, most CROs indicated that they had increased influence or approval over key processes, showing that the remit of the CRO office continues to expand and evolve over time.
“ Three to five years from now, possibly, the CROs’ role is to be a key go-to person for the CEO and heads of businesses to engage in relation to business strategies.”
“ The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before.”
Implementation of new regulatory and supervisory requirements remains a key industry focus, with specific regulations on top of the agendas in Asia, including Risk-Based Capital 2, IFRS 17 Insurance Contracts and China Risk Orientated Solvency System. CROs in Australia are more concerned by the local requirements: Life Insurance Framework, Emergency Service Levy, Banking Executive Accountability Regime, Australian Securities Investment Corporation regulatory work and Parliamentary Joint Committee inquiries. The respondents have very mixed views on the impact of the current regulatory environment on the business strategy, yet 50% still think there is a positive impact.
“ One of our biggest challenges is the heterogeneity of local regulatory requirements.”
As insurers eye the path forward, they must consider existing and future laws and regulations regarding data protection, consumer privacy and cybersecurity.
“ Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore.”
Positioning adequately for emerging trends
Commentary
Emerging risk management continues to play a critical role in how insurers manage risks.
Fig. 19: A typical emerging-risks radar for CROs (Radar diagram centered on the CRO; sectors: Political, Economic, Environmental, Technological, Social, Legal; risks shown: Declining margins from legacy products, Catastrophe risk, Climate change, Fintechs, Technological advancements (continuing threat), Regulatory compliance risk, Overpopulation issues, Changing consumer expectation, New competitors and new ways of doing business, Internet of things, Cybersecurity, Risk areas that CROs are unaware of, Expense risk and medical inflation, Risk models being overly complicated, Sustainability and affordability of existing products, Political intervention, Autonomous vehicles, Legacy infrastructure and systems, which prevent being up-to-date with competitors, Risks with artificial intelligence (AI), Consumer regulation)
Key findings
For all the variation across individual companies, there is consensus that the universe of emerging risks is expanding, with CROs facing a broader range of more-severe risks in 2017 and in the years to come (refer to Fig. 19).
The CRO’s role in emerging risk processes includes:
• Facilitating process with the business
• Reporting to the risk committee or board
• Providing feedback to the business units
• Serving as a link to business and strategic planning, to ensure these processes are responsive to emerging risks
An insurer’s understanding of cyber risks, 5–10 years ago, was mostly nonexistent. Now, it is on the agenda of every board. There are dedicated responses to managing cyber as well as capitalizing on the opportunity it brings through the development of cyber insurance. Risk functions are clearly investing in this capability. With the onset of new business models, such as the digital agenda, robotics, telematics, internet of things and insurtech, it is clear that many insurers need to understand what the next emerging risk is.
How do risk functions need to evolve with the emerging landscape?
• Increase role in business and strategic planning
• Continue to challenge role of management
• Create heightened sensitivity and importance at the executive table
• Increase level of monitoring, challenge and reporting
• Greater involvement throughout strategy setting beyond “rubber stamping”
• Responding to an increasing pace of change
Half of the respondents have only used written communications to communicate internally on the potential exposure to geopolitical events. Some good practices involved the use of these events within stress testing and scenario analysis.
Fig. 20: How does risk management evaluate and communicate potential exposure to the geopolitical events that have occurred or could occur (e.g., Brexit, French presidential election, US presidential election)? (Chart; categories: No evaluation or communication is done, Other*, Training or information sessions, Written communications (email and visual materials))
* Examples include “Ensuring these geopolitical events are factored into the base and stress scenarios”, “Quarterly risk profile updates to the Board Risk Management Committee”, “Evaluation performed at Group level and provided to local CRO” and “Inclusion in Top risks and emerging risks presented to the executives and the Board.”
Engaging in the digital transformation of the risk management function
Commentary
The challenges of developing the risk function’s capabilities include stagnating budgets, scarce specialist resources and balancing people vs. IT.
Fig. 21: Compared with a year ago, has the size of your risk department: (Chart; categories: Decreased, Stayed the same, Increased)
Fig. 22: Compared with a year ago, would you say that hiring and retaining good talent is: (Chart; categories: About the same, Easier, Harder)
Fig. 23: Do you expect dedicated business-as-usual risk function budgets to materially increase, decrease or stay at similar levels going forward? (Chart; categories: Materially increase, Stay similar, Materially decrease)
Fig. 24: The plans for the budget of the risk team are: (Chart; categories: To stay the same, To decrease, To increase)
Fig. 25: Is the proportion of your budget allocated towards FTE vs. technology, going to: (Chart; categories: Stay the same, Decrease, Increase)
Key findings
The actual results regarding the size of the risk department are mostly in line with what was expected based on last year’s survey — no surprises at least on that side.
Perhaps, this is due to the fact that hiring and retaining good talent has not improved in one year, and that dedicated budgets have not changed dramatically year-on-year in one direction or another.
Going forward, the vast majority of respondents do not expect the dedicated business-as-usual risk budgets to change.
In terms of where these budgets would go in priority, people still have the lead over technology.
In terms of specialist skills, surveyed CROs are especially looking for expertise in cyber and IT security, data analytics and big data, machine learning, anti-money laundering and AI. These talents are very scarce for now and risk functions need to think of ways to overcome this challenging shortage.
“Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore. Specific competencies in cybersecurity, financial technology, negotiation, EQ and collaborating with others will help to facilitate risk advisory, analysis and mitigation actions.”
As the risk function grows in maturity and needs more specialist skills, it is required to improve its cost effectiveness and demonstrate its value so as to be able to invest more going forward. But as it enters the digital age, the risk function needs to find the right balance between poaching (scarce) talent and investing in the new technologies, which will help build the momentum.
Commentary
Outlook for the CRO role in 3–5 years.
“(1) More attention to IT and data security is required as more businesses are done digitally and more processes are automated.
(2) More integration is required between risk, compliance and financial crime second-line activities.”
“With strong risk culture, the CRO will have the comfort that all interests are aligned and the CRO will be in a better position to further optimize risk taking.”
“The issue that CROs will battle with could be different and unexpected. In Asia, there is the prospect of more focus on market-consistent solvency frameworks, as regulators mature. Equally maturing regulations could mean that customer outcomes and fairness have become a key consideration for CROs, especially those responsible for compliance functions.”
“The role of the CRO in 3-5 years’ time may tilt more towards (a) Strategic risk advisory vs. risk oversight, (b) Preemptive actions vs. ex-post and knowing all the factors (c) Resiliency vs. incident management, and (d) Coach to first line vs. just being at second line of defense.”
“Continued increase in business and strategic planning. More efficient and real-time risk metrics and reporting.”
“The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before. I see the role of CRO as developing beyond being a reactive role to regulatory pressures, to be a very proactive and nimble proactive and evolving role.”
“As more complex risk management will be performed within the line 1 functions, the level of monitoring, challenge and reporting of the risk function will increase.”
Commentary
Engaging in the digital transformation of the risk function.
Key findings
In last year’s survey, under the headline “In the battle between investment in people and in technology, it is people that win every time,” we noted that “CROs recognize the need to continuously improve their existing IT capability; however, we see CROs being hesitant to increase their investment in new technologies.” Even though some of the previous results tend to show the same facts, it needs to be pointed out that almost a third of respondents have plans to look into offshoring, robotics or other forms of efficiency gains to help manage costs in the Risk teams. More precisely, robotics, AI, machine learning and data analytics are increasingly mentioned as being explored for risk and compliance activities (e.g., AML screenings).
Risk functions encounter several technology constraints that in practice keep them from their desired level of risk monitoring and reporting, mostly data quality (integrity, availability and completeness) and the complexity of multiple systems (legacy, fragmented, siloed, incompatible, disparate and inconsistent).
A broader enablement of the risk function is necessary, so that it can gain in efficiency when providing more insightful management information (MI) for the consideration of the board and senior management. This is why some risk functions have embarked on a journey toward their digital transformation through the development and use of tools, such as GRC, visualization, robotics, big data, analytics, AI and machine learning.
Example of leading practice from a respondent:
Digital transformation continues to be focused on the customer interface. Increasingly, firms are building — or planning to build — technology solutions that fundamentally change the way insurers operate, so they can deliver the digital promise to customers speedily and cost-effectively.
Beyond the interactions with customers, risk functions will increasingly have to consider how to change their approach to manage the shift in the firm’s risk profile resulting from digital transformation, and be agile enough to enable innovation. Over time, risk functions will have to leverage technology to improve risk management, and become technology innovators rather than spectators.
Even if the main focus of insurance CROs is on talent, it is important that someone is tasked with establishing the “risktech” strategy:
• What gaps need addressing?
• What options exist to enable risk?
• What are the pros and cons?
• How are you scanning the rapidly changing market?
“We use big data and analytics tools to support our net promoter score (NPS) surveys to help strengthen our insights into complaints and customer dissatisfaction. We are currently looking at other analytical tools that can be used for quality assurance (QA) and due diligence purposes, which we may implement once evaluated.”
“We are in the early stages of assessing AI and other analytics to various elements of risk management.”
Key contacts
Kent Wong, Australia, +61 2 9248
Thomas Kagermeier, EMEIA Insurance FRAC Leader, +49 89 14331
James Brigham, Australia, +61 2 9248
Rick Marx, US, +1 917 655
Pierre Santolini, Singapore, +65 6340
Jonathan Zhao, Asia-Pacific Insurance Leader, +852 2846
Sumit Narayanan, ASEAN Insurance Leader, +65 6309
Grant Peters, Oceania Insurance Leader, +61 2 9248
Bonny Fu, China (mainland), +86 10 5815
Hiroshi Yamano, Japan, +81 3 3503
David Scott, Singapore, +65 6309
Phil Rodd, Hong Kong, +852 2846
Yong Joo Han, South Korea, +82 2 3787
Patrick Menard, Singapore, +65 6308 8978
Tze Ping Chng, Hong Kong, +852 2849
Brandon Bruce, Malaysia, +6 03 7495
Nonglak Pumnoi, Thailand, +662 264
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2018 EYGM Limited. All Rights Reserved.
In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com