Australian Insurance CRO survey Empowering for transformation

Transcription

1 Australian Insurance CRO survey Empowering for transformation

2 Contents > 03 Executive summary 04 Highlights from CRO Insurance survey observations 13 Learnings from CPS220 reviews 15 How should insurance CROs respond? 19 What can insurers learn from our global banking risk management survey? 21 Key contacts

3 Executive summary This year s Australian insurance CRO survey sees local risk management requirements evolving to new levels, with major changes in risk appetite, cyber, risk culture, conduct risk and recovery planning. Risks that were considered emerging 5 10 years ago, such as cyber, have become mainstream agenda items for many risk functions, executive teams and boards. CROs must now address the risks associated with changing digitised business models, M&A activity, a continued cost out-focus and a relentless regulatory agenda overshadowed by the Royal Commission. This report the sister publication to the APAC Insurance CRO survey summarises the key findings from a survey of 16 Australian insurers and overlays these results with observations from our comprehensive CPS 220 Risk Management reviews. It then examines how insurance CROs should respond, in terms of reorientating their role within the business and harnessing technology to drive efficiencies and empower innovation. Finally, it looks across to the experience of banks, which are facing similar risk-based challenges, drawing on the results of EY s global banking risk management survey. We hope these observations and insights provide food for thought as insurance CROs and executives plan how to adapt to continued market disruption. To the participants who contributed their time and shared their thinking in this survey thank you. We look forward to taking stock with you again in the next 1 2 years. Australian Insurance CRO survey Ι Empowering for transformation 3

4 Highlights from CRO Insurance survey Top of mind for insurance CROs, based on analysing respondents language IT Specialist ICAAP Regulatory Pressures ESL Regulatory Change Technology Integration Efficiency Risk Culture and Conduct Risk Poor Data Quality Disruption Data Analytics Cyber Strategy Metrics for Risk Culture Scenario Modelling Upskilling of Line1 Staff Insuretech Cyber Metrics Cyber Risk Advisory Duty Risk Cost Out Technological Changes Privacy Digital Big Data GRC System BEAR Automation AML Risk Appetite Implement Recovery Planning Recovery Planning 3LoD Legacy Systems 4 Australian Insurance CRO survey Ι Empowering for transformation

5 Insurance CROs are enhancing and maturing their risk functions. Priorities include increasing the value of the risk function to the business and creating an enterprise-wide risk culture. A. The Risk function has increasing responsibilities and ownership of multiple processes Risk continues to take on more responsibilities and ownership of a growing number of processes. Risk s firm-wide influence increases each year, bringing with it a more active role in strategy design and execution, particularly around: stress testing, product management, investment, reinsurance and strategic risk management. Fig. 1: Can you describe the role of the Risk Management function in the following key processes? ERM installation/maintenance of risk framework Risk appetite setting 100% 88% 13% Risk measurement and reporting Risk tolerance and limit setting 81% 75% 19% 19% Stress testing design Stress testing performance and reporting 38% 44% 50% 44% 19% Model risk management 31% 69% Capital management Model validation Technical provision 25% 19% 19% 63% 13% 69% 13% 69% 13% Setting of asset strategy Reinsurance program design Strategic decisions (M&A) 94% 81% 81% 13% 13% Oversight or reserving/valuation 44% 50% Product design and pricing 81% 19% Investments 81% 19% Model governance 81% 19% Risk mitigation 69% 31% Reinsurance program execution Underwriting % 44% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Process owned by Risk/CRO Influence/approve Risk has limited influence Australian Insurance CRO survey Ι Empowering for transformation 5

6 B. Risk functions continues to expand, devoting more attention to new areas Insurance CROs will focus strongly on people and culture in the next 12 months, on the back of greater stakeholder and regulatory pressure within the industry. Insurers will increasingly embed and upskill within first Line, reflecting a continued focus on end-to-end risk management. Risk management needs to be on top of what they need to be on top of, but the experts (line 1) should be aware of the risks present. C. Budget constraints remain a challenge Although Risk is growing as a function, with increased responsibilities and areas of ownership, its budget is unlikely to increase. The pressure to do more with less is driving investment in digital back office transformation to make the efficiency gains needed for Risk to fulfil its ever-expanding mandate. Those who continue with manual processing will have no option but to scale back on delivery. D. Helping the business respond to emerging trends is an increasing priority Insurance CROs are highly focused on what comes next in a rapidly changing business environment. They must ensure Risk is ready to assist the organisation adapt to emerging trends. The Risk Function has a very significant role, they must have a crystal ball to see what is happening, to look ahead of the game and advise the business of what s coming up. 6 Australian Insurance CRO survey Ι Empowering for transformation

7 observations Risk appetite Risk appetite is at the heart of insurer s risk management framework the balancing equation to an insurer s strategy. Our survey found Regulatory Capital and Operational Risk are the most commonly used risk appetite metrics, driven by the current regulatory environment. This year, more insurance CROs are using liquidity as a risk appetite metric, following the recent focus on stress testing and recovery planning. Fig. 2: Which of the following metrics do you use in your corporate risk appetite? Regulatory capital Operational risk Liquidity 88% 94% 94% 13% Credit rating 69% 31% Operating profit 50% 19% 31% Economic capital 44% 50% Total profit 31% 63% Economic profit Franchise value 19% 19% 75% 75% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Already in place In development Not in use The risk appetite structure and metrics of financial and insurance risks, which closely align to drivers of business decisions and performance, continue to be more mature than those for non-financial risks. However, non-financial risk appetite continues to evolve, despite the difficulty of embedding it across insurance businesses due to the more subjective nature of these risk types. Australian Insurance CRO survey Ι Empowering for transformation 7

8 Fig. 3: Which of the following risks have you set quantitative limits: Select all that apply Insurance/underwriting 94% Credit Operational Liquidity 75% 81% 81% Equity 5 Interest rate 38% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% The search continues for forward-looking risk appetite metrics that will give management better indicators for emerging risks and issues. Traditional appetite measures consider the existing position of the insurer and align to data and metrics already in place. Forward-looking metrics that are credible and informative are difficult to construct. They often require improved data and/or innovative analysis and thinking. CROs should continue to consider how their risk appetite can evolve to be of greater utility to their board and business, and in particular how their risk appetites can incorporate metrics that indicate upcoming risks and potential issues. Insurers are increasingly starting to stress test their risk appetite as part of the business planning process and in developing strategic initiatives. As this process evolves, insurers will begin to put together that forward-looking view of risk. Cyber risk The cyber risk landscape continues to evolve in ways that no one could have foreseen even 12 months ago. Insurers now clearly understand that cyber adversaries-attackers do not just target money or credit card details, but also valuable data, including customer data. The damage caused by a major data breach will not just be financial but also significant reputational damage to the organisation. Major cyber incidents over the last 12 months, such as the WannaCry and Not-Petya malware outbreaks have also demonstrated how ransomware can significantly disrupt business operations. However, despite a material improvement in understanding cyber risks and potential impacts, skills shortages mean risk teams are struggling to bring cyber expertise into the second Line. 8 Australian Insurance CRO survey Ι Empowering for transformation

9 Fig. 4: How much of your team (time/headcount) is devoted to cyber security? Fig. 5: Does your board have a member with cyber knowledge? 13% 44% 38% 0 FTE 1 2 FTE 2+ FTE 5 44% Yes No Our survey found reporting cyber risk management to the board and senior executives, including tolerances related to risk appetites, is often reactive. Boards tend to receive reports of post-event incidents and intrusions, rather than proactive metrics that show the organisation s risk management capability (training, patching programs, vulnerability management) or how risk is changing over time. Cyber risk scenarios do not appear to take precedence in an organisation s crisis management response framework. Instead, crisis management response frameworks still tend to focus on more traditional events such as building outage, pandemic preparations or financial risk scenarios. In a modern financial services organisation, cybersecurity should be everyone s concern. How to make cybersecurity a core business priority Clearly define cybersecurity responsibilities ensure individuals know how they are contributing to an effective first, second or third line of defence Realistically assess your preparedness to respond by regularly refreshing your view on critical cyber risk, taking into account: Current and emerging cyber threats Plausible (not probable) cyber scenarios Actual (not hopeful) control effectiveness Identify your cyber critical assets and focus on protecting them. Think beyond your firewall: what key data do you share with third parties and how are they protecting it? At your next executive crisis management tabletop exercise, test the response and recovery capability of an identified plausible cyber scenario. For example, how would you respond to a cyber threat that disables your computer systems or steals customers medical or personal information. Educate your board about cyber risks and assets to the point where they are equipped to challenge and support your cyber strategy. Boards need to understand how investments or aspects of the strategy will help to manage or buy-down residual cyber risks. Australian Insurance CRO survey Ι Empowering for transformation 9

10 Risk culture In line with the sector s post-gfc efforts to redeem public confidence in risk management, most respondents (88%) have developed a risk culture framework. However, our survey found most frameworks are still progressing in maturity. A quarter of the respondents have reached maturity in: defining a target state and embedding risk culture in remuneration. Now, CROs need to focus on developing tolerances for key culture metrics. There is a correlation between risk culture in remuneration and product development with conduct outcomes. Achieving culture change by implementing action plans from risk culture assessments takes time. Fig. 6: Rate your organisation s maturity against the following risk culture framework elements: Defining a target state of risk culture 25% Risk culture in remuneration 25% Risk culture in goal setting 17% Reporting measurements to mangement committee 17% Developing action plans for risk culture Risk culture in product development 92% 8% Developing tolerances for key culture metrics 75% 25% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Mature Progressing in maturity No action taken 67% 8% 67% 8% 75% 8% 75% 8% 8% 83% 8% 10 Australian Insurance CRO survey Ι Empowering for transformation

11 Conduct risk It is early days for conduct risk management with efforts to date centred on framing conduct risk and clarifying oversight and ownership. The Royal Commission will materially drive how we think about this. ASIC s pursuit of market integrity and better consumer outcomes has resulted in high-profile regulatory interventions, including: legal proceedings and enforceable undertakings for alleged market misconduct, mass customer remediation for mis-selling, pressure selling, and an industry-wide review of life insurance claims handling. Only 38% of respondents have developed a conduct risk framework. More work needs to be done to firm up the end state, clarify roles and responsibilities and develop reporting capabilities. Fig. 7: Rate your organisation s maturity against the following risk conduct framework elements: Roles and responsibilities of the Board and Senior Management related committees designed to conduct risk Metrics in risk appetite statement for conduct risk and reporting 8% 67% 25% 8% 67% 25% Target framework for conduct risk 67% 33% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Mature Progressing in maturity No action taken Key areas of regulatory focus: Remuneration structures Fair treatment of clients Product design and product suitability Conflict of interest Ownership of conduct risk Senior management and board accountability Australian Insurance CRO survey Ι Empowering for transformation 11

12 Recovery planning APRA has gradually rolled out recovery planning in Australia, starting with the major banks in 2013, followed by regional banks and other ADIs. This has now extended to insurers. These recovery plans must assess if the options available to counter a crisis are sufficiently robust and varied to face a wide range of shocks. Half of our respondents indicated that they have had active discussions regarding recovery planning and almost two-thirds (63%) of insurers have recovery plans in place. Recovery plans limit the probability of failure and increases the chances of survival under extreme stress. They set out a range of credible options that insurers could realistically pursue, if they come under extreme stress. Plans need to: Have a material financial impact while also considering the franchise/reputational impact Be suitable and feasible to execute in different stress scenarios and in an acceptable timeframe Include processes to ensure timely implementation Include fast and slow scenarios, with both idiosyncratic and market wide stresses, that address the capital shortfalls and liquidity pressures Test options against each of the scenarios Include a trigger framework, embedded with early warning indicators, for initiating the plan Fig. 8: Have you engaged in discussions with APRA regarding recovery and resolution planning? Fig. 9: Do you have formal recovery and resolution plans in place? 50% 50% 38% 63% Yes No Yes No 12 Australian Insurance CRO survey Ι Empowering for transformation

13 Learnings from CPS220 reviews Our work with insurers to complete the first cycle of triennial CPS 220 Risk Management Reviews reveals five common areas for industry improvement. 1. Risk strategy and operating models are constantly evolving Key challenges include: Developing and documenting a vision and strategy for the risk function. This needs to be aligned to the broader business strategy, go beyond a compliance oriented Risk Management Strategy document and be refreshed in conjunction with the business strategy. Effectively embedding the three lines of defence (3LoD) model. This includes inadequately articulating and clarifying roles and responsibilities within each line of defence and evolution of the 3LoD structure with changes to the business operating model. Talent and capability needs of the risk function are lacking and should be annually assessed, for example, the current challenges faced within non-financial and emerging risk management along with lagging capability trends in technology, data and innovation. 2. Identification, assessment and management of non-financial and emerging risks need maturing Although insurers generally have well established processes for identifying financial and insurance risks, non-financial risks (including operational risks) and emerging risks are generally less mature and less understood. CROs need to develop appropriate frameworks to assess and measure these risks, which are receiving greater media and regulatory attention. Specific areas of focus include: operational or compliance risk (e.g., conduct risk), and strategic or cultural risks around issues such as payment protection and insurance mis-selling. 3. Risk culture and risk training is still a work in progress Risk culture continues to be on the forefront of the regulatory agenda, with majority of insurers still experiencing challenges in articulating a target state and embedding a methodology for measurement of risk culture. Although we have seen a strong tone from the top throughout the industry, embedding risk culture messaging (and its importance) remains in progress across middle and junior management levels. Most insurers are developing risk training frameworks. However, although mandatory risk modules are now widespread, risk training specifically for risk function personnel appears challenging to embed. Adequate training to ensure sufficient capability across all areas of the business will continue to be important, particularly as risk management changes in line with digital advancements. Australian Insurance CRO survey Ι Empowering for transformation 13

14 4. Risk modelling and stress testing capabilities need to increase Model validation remains challenging, with insurers often lacking the internal resources with the technical skills required for rigorous independent validation, let alone second line capability to oversee and challenge models. CROs should consider: Stress testing beyond regulatory requirements and beyond capital resilience Multi-year and emerging risks stress and scenario testing Stress testing in the development of business plans. 5. Data, systems and reporting require automation Our survey found technology constraints are preventing CROs from acting quickly based on the Risk information they have, including: Data required for MI production not always available (88%) Production of MI is time consuming and manually intensive (75%) We cannot get a holistic view of exposure and consequences of action (5) Managing data quality, building effective risk systems and creating efficient and automated risk reporting continue to prove challenging. Without this critical capability, CROs are having to rely on a high level of manual processes and adjustments when compiling information (such as pricing or claims data) for management, constraining effective business decision-making. Weak data quality controls, legacy systems and a lack of enterprise wide data and IT architecture and frameworks compound the problem. Reporting needs to evolve to focus more on emerging risk, customer and conduct, and providing risk insights to the board and senior management. Fig. 10: What technology constraints have you identified that prevents you from acting as quickly as you would like on the Risk information that you have? (choose up to 3) Data required for MI production not always available 88% Production of MI is time consuming and manually intensive 75% We cannot get a holistic view of exposure and consequences of action 5 Uncertainties over the integrity of the systems 38% to deliver what is needed Change program governance prevents fast-tracking of priority actions Runtimes of models too long to effectively use 0% in key business decisions 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 14 Australian Insurance CRO survey Ι Empowering for transformation

15 How should insurance CROs respond? Now Risk functions are being asked to do more, and to innovate, without a corresponding budget increase, CROs need to partner more with the business and harness technology to drive efficiencies. Budget allocations Fig. 11: Do you expect dedicated business-asusual Risk function budgets to materially increase, decrease, or stay at similar levels going forward? Fig. 12: The plans for the budget of the risk team are: 13% 19% 81% Materially decrease Stay similar 75% To increase budget To decrease budget Materially increase Budget to stay the same Business-as-usual Risk function budgets are likely to stay similar for most insurers (81%). CROs say that their Risk function budgets are likely to stay the same going forward (75%). Only 19% say they will increase their risk budget. Fig. 13: Is the proportion of your budget allocated towards FTE vs. technology, going to: 31% 38% 31% Increase Decrease Stay the same There is a clear precedence of increasing FTE over technology. Proportions of buget allocated to FTE vs. technology is likely to increase (38%) than decrease (31%). Australian Insurance CRO survey Ι Empowering for transformation 15

16 Managing resources within the risk department Fig. 14: Compared to a year ago, has the size of your risk department: Fig. 15: Compared to a year ago, would you say that hiring and retaining good talent is: 31% 13% 5 Increased Stayed the same Decreased 5 38% Harder Easier About the same Compared to a year ago, the size of risk departments have increased (5) or stayed the same (31%). Hiring and retaining good talent is only going to be harder (38%) or stay the same (5). Fig. 16: Are there plans to look into offshoring, robotics, or other forms of efficiency gains to help manage costs in the risk teams? 5 44% Yes No 44% of insurers are already looking into offshoring, robotics and other forms of efficiency gains to help manage costs in the risk teams. 16 Australian Insurance CRO survey Ι Empowering for transformation

17 Transform into a business-enabling strategic function In response to disruption, CROs are dividing their focus from being purely reactive, regulatory defence to business-enabling, strategic offence and innovation. Asked what they thought would be the biggest difference in their role 3 5 years out, most CROs believe they will be in a more strategic role. The industry is under increased regulatory and government scrutiny so the role of the CRO now has a heightened sensitivity and importance at the executive table than ever before. I see the role of the CRO as developing beyond being a reactive role to regulatory pressures to being a nimble, proactive and evolving role. Increasing regulatory and Board expectations will place greater focus on the role of the CRO. The increasing use of technology, data and outsource activities will require the CRO to have greater insight into such areas. The CRO role will have more emphasis on strategic advisory duties and less assurance focussed. Fig. 17: The strategic trajectory of CROs 100% Formalization of risk teams and processes Financial crisis Mitigating risks Control Insurers with a risk team Insurers with a CRO Known risks Emerging risks Promoting innovation Partnering Stabilization Disruption 0% CRO focus From defense Installing ERM Regulatory-focused Measurement and mitigation To offense Embedding ERM Strategic Value-adding Risk team and CRO adoption based on survey responses Australian Insurance CRO survey Ι Empowering for transformation 17

18 This reoriented CRO role will be essential for Risk to adapt to the new normal in the insurance market, with its widespread disruption. CROs also understand they need to swim faster to keep pace with a stronger current. If new challenges especially those related to disruption are not met, they fear the consequences for their companies. To make the transition to a more strategic role, CROs need to balance investment in technology, and develop and hire for specialist skills while maintaining their traditional risk capabilities. Leverage technology to improve risk management, and become technology innovators, rather than spectators Risk functions must respond to digital transformation on two fronts. First, managing the firm s changing risk profile as a result of digitised operations; second, digitising the Risk function itself to support efficiency and drive innovation. To this second point, more than 2 in 5 (44%) of Australian insurers are looking into offshoring, robotics or other efficiency gains to help manage costs in the risk teams. These include looking into AI, partnering with FinTechs, looking at robotics for QA efficiency and routine processes, using offshore services to further enhance efficiency. We use them to support our NPS surveys to help strengthen our insights into complaints and customer dissatisfaction. We are currently looking at other analytical tools that can be used for QA and due diligence purposes which once evaluated we may implement. Machine learning techniques in specific areas of insurance risk. Application within Customer and Product data Financial and Risk Big Data requires further work The use of analytics to detect incidents, near misses and analyse trends in risk data is an integral part of our risk management strategy. Recent establishment of a data analytics team who are working through key metrics and leading indicators for our business. 18 Australian Insurance CRO survey Ι Empowering for transformation

19 What can insurers learn from our global banking risk management survey? Findings from the eighth annual EY/IIF global bank risk management survey were largely in-line with the key highlights of the CRO Insurance Survey. Like insurers, banks are moving through three phases of a 15-year risk transformation journey: restore, rationalise and reinvent. As they begin to transition from the middle to third phase of the transformation journey, our survey found five success factors. 1. Manage emerging risks and increased competition: Broader geopolitical, social and environmental concerns are looming larger, as regulatory fragmentation continues and competition intensifies. FinTechs and major technology companies seek traction in profitable parts of financial services, while banks strategic options to deliver 11% 15% ROE narrow. Cybersecurity is now clearly the top risk for boards and CROs. 2. Lead a digital transformation of risk management: Technology has reshaped customer interfaces, but banks still have to implement new technologies in the middle and back office to drive fundamental change. Risk functions must change how they monitor risk profiles and enable innovation, and become smarter, faster and more cost-effective. New talent in technology and risk will be necessary, but hard to attract. 3. Operationalise three-lines-of-defence models: Operationalization of the three-lines model is necessary to improve the effectiveness and cost efficiency of risk management. Talent shortages are expected in advanced analytics, model risk and other key areas. Standardisation and automation are accelerating, even if broader technology deployments are delayed. 4. Manage non-financial risks cost-effectively: Though conduct risk frameworks are in place, there is a long way to go to improve effectiveness and improve cost efficiency. As risk appetite frameworks evolve, common challenges remain (e.g., expressing appetite for all risk types, cascading appetite to business units). Quantifying non-financial risks (e.g., reputational, strategic and cyber risks) remains difficult. 5. Stay resilient and protect against cyber risks: Banks are rethinking what constitutes operational resiliency. Beyond core competencies (business continuity, crisis management and disaster recovery), data quality and process-flow mapping need enhancing. In managing cyber risks across the three lines of defence, quantification and reporting are a challenge, even as boards increase oversight. Managing critical vendors more effectively will support operational and cyber resiliency. Australian Insurance CRO survey Ι Empowering for transformation 19

20 Industry s risk management journey Post crisis, banks have been going through a 15-year journey. The current focus is rationalization. Within the next few years, firms and risk management will have to reinvent themselves. First phase: post-crisis (five to six years) Middle phase now Coming years Restore Rationalize Reinvent Regulatory context Coordinated global response Primarily prudential in nature Implementation ongoing, increasingly conduct-related Signs of global fragmentation, with taking stock on impact in totality Revisions to reforms, more local variation New modes of regulation/ supervision to accommodate innovation and FinTech Technology focus Sustaining legacy systems Addressing identity access management inadequacies Digitalizing customer experience and interface Implementing three-lines-ofdefence cyber risk management Digitalizing middle and back office, and risk function Building in cybersecurity across the firm (eg., in M&A, due diligence, new product development) Risk focus Building foundational elements Primarily financial risk Curtailing risk taking and product development Embedding risk discipline into businesses Primarly non-financial risks Enabling risk taking Enabling and driving digital innovation Balancing risk taking and risk discipline Three lines of defence focus Building overall framework Expanding headcount in first and second lines Controls effectiveness Implementing operating model Stabilizing/reversing people growth Balancing effectiveness and efficiency Enabling risk management through automation, machine learning and artificial intelligence (AI) 20 Australian Insurance CRO survey Ι Empowering for transformation

21 Key contacts Grant Peters Oceania Insurance Lead Andrew Mead Oceania Financial Services Risk Lead Andrew Harmer Financial Services Risk Partner Kent Wong Financial Services Risk Director Australian Insurance CRO survey Ι Empowering for transformation 21

22 22 Australian Insurance CRO survey Ι Empowering for transformation

23 Australian Insurance CRO survey Ι Empowering for transformation 23

24 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com Ernst & Young, Australia All Rights Reserved. APAC no. AUNZ PH ED None This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk. ey.com