Excellence in Risk Management XV: Maintaining Relevance in the Age of Innovation

A changing risk landscape isn’t new for risk professionals, who have long dealt with emerging risks, from terrorism to climate change to cyber-attacks. But how well are they positioned for the risks and opportunities emerging from explosive technology growth — “disruptive technology” — and the fast pace of innovation?

By their own accounts, risk executives are largely confident regarding their current role: 89% of respondents to the 2018 Excellence survey said risk management in their organization supports, promotes, or acts as a “needed brake” on innovation. Only a few believe risk management has no effect (11%) or slows (1%) innovation, and none saw it as a barrier.

“We’ve got feelers out there, and we rely heavily on our businesses telling us about things,” the risk manager for a large financial institution said during an Excellence survey focus group. “We very seldom say ‘no’ [regarding innovations]. We always say, ‘Well you can do that, and this is the way to mitigate the risk.’ We want them to call us back the next time.”

More than 80% of risk professionals believe their view is shared across the organization.

However, C-suite respondents were more cautious in their characterization, with fewer saying risk management supports innovation and a notable percentage viewing risk management’s role as a “needed brake." This difference in viewpoint highlights a desire by some in the C-suite for risk management to provide a balance between supporting innovation and reining in “unbridled enthusiasm” elsewhere in the organization.

And that ties into a key finding: Companies are generally uneasy about the way they address the risks of disruption. Just 14% of respondents said they “strongly agree” that their organization has a clear process in place for addressing the risks associated with disruptive technology. Nearly half could not say there is a clear process at all.

For risk management professionals, a key takeaway is to challenge themselves to determine if they are really assuming leadership roles in conversations about emerging risks and solutions. How can they do that? One way is to ask themselves what they are doing to enable innovation. 

Technology Opens the Door to Growth 

Why must risk executives know about AI, Internet of Things, blockchain, and other technologies? The answer is often sitting in plain sight, from wearable technology that informs workplace risk to IoT connections that provide rich sources of data to insurtech solutions for insurance and risk finance. The promise for risk professionals who use these technologies is to proactively contribute to their organizations’ growth and performance.

Much of the technological innovation happening today occurs in areas commonly referred to as “digital.” Given that digitization is happening across every industry, we asked risk executives what “being digital” means to their organizations.

Overall, the responses show an orientation toward operational improvements, such as the ability to deliver goods faster and to automate core processes. Such improvements are certainly valuable and need to be achieved. As just one example, today’s insurance workflow contains a great deal of paper, scanned images, and PDFs, leading to a lot of “unstructured data.” To enable efficient machine learning algorithms, this data needs to be structured. To do so, natural language processing (NLP) and other advanced technologies will soon become prevalent. Using such techniques, AI can be used to merge policies, procedures, and controls to improve operational efficiency and help achieve regulatory compliance.

At the same time, it’s important not to ignore how digitization is changing the way companies interact with customers — and thus changing the nature of their risks. As the senior risk executive at a global manufacturer told us: “We’re a vertically integrated business, and we’ve now seen many examples of cyber-attacks causing material losses. So we’re looking at buying cyber insurance for the first time.” And cyber is just one of the new exposures from evershifting risk profiles.

Today’s companies must ask: What new markets are we looking to open? How are we positioning the company for growth? The important link is the shift in risk profiles, which are changing at an accelerating pace. Risk executives must lean in to these changes.

They should drive internal conversations to help understand the implications of new business models. And they should deploy an analytical decision-making framework that ensures the risk finance approach is optimized against an ever-changing risk profile.

Looking for technology to help cut through the noise

The incredible volume of data available for use in managing risk has been a source of both opportunity and consternation for many years. In the 2017 Excellence survey, for example, the “inability to model the magnitude of the risk” was the most commonly cited barrier to organizations’ understanding the impact of disruptive technology risks. At the same time, improving the use of data and analytics was the number one focus area for developing risk management capabilities.

Risk management professionals are looking for technologies that will help them sort through the chatter in the data. They want to be able to use data to see what risks are on the horizon, inform their response when a crisis arises, and help them refine risk finance.

Claims in the Technology Era

The insurance industry is challenged to jumpstart innovation in a high-touch, relationship-driven culture. Among our respondents, 40% said they would consider switching insurers and other advisors based on their ability to provide innovations in the claims area; another 43% didn’t rule out such a move.

According to Oliver Wyman, claims management is the most attractive operational area for insurer innovation. Among the focus areas for claims-centered insurtechs are reducing loss adjustment expenses, mitigating fraud, and digitally enabling restitution, including making payments before a claim is made.

One proof-of-concept trial currently at play within the insurance industry involves using blockchain in a smart contract-based multinational insurance policy, which includes a master policy and three local country policies. It allows stakeholders to view policy data and documentation and automates portions of the claims administration and communication processes to all parties in real-time.

Claims experience varies among coverage lines

Casualty lines dominated the areas in which respondents have had claims experience in the past 36 months. And most were generally satisfied with the outcome.

While only 20% of respondents had experienced a cyber claim in the past 36 months, those that did expressed the highest level of satisfaction. This could stem in part from the number of ancillary services that insurers often provide in their servicing of cyber claims.

Directors and officers liability claims registered the highest level of dissatisfaction. This may relate to the at times personal nature of such claims.

When asked where they would like to see improvements in the claims process, reducing costs was — to no surprise —number one. This is an area in which IoT solutions have potential by reducing total cost of risk (TCOR) if they can fundamentally reduce the number of claims organizations face.

Consider that IoT data, when combined with predictive capabilities powered by AI, may enable early detection and resolution of issues, potentially avoiding damages and operational disruptions. Such a system could, for example, “listen” to a machine’s signals, and use predictive diagnostics to determine whether it needs to be serviced.

Aiming for Strategic Grasp

Risk managers generally don’t need to understand the detailed intricacies of every new technology coming down the pike. But they should feel comfortable talking to technologists to understand which technologies are being used in their organizations, how they are being used, and whether certain ones can be leveraged to improve how organizations manage risks. The potential impacts of not being able to do so include being left out of decision-making, failing to foresee and develop needed modifications, and falling out of step with advances in the risk management profession.

The Excellence survey focused primarily on three areas —AI, blockchain, and the Internet of Things — that are already having an impact on risk management. Overall, survey respondents did not feel that they have enough knowledge about these disruptive technologies to contribute to discussions about them at a “strategic advisor” level.

Only by understanding the underlying technologies and their uses can risk professionals appreciate the associated risks and treat them accordingly. Looking at respondents whose companies already use or are exploring the use of these technologies, less than half felt their understanding was at a strategic level.

As expected, those whose companies are not using these technologies rated their knowledge level even lower.

AI: Rise of the Machines 

Artificial intelligence has been around for decades, long before Arnold Schwarzenegger’s 1984 film The Terminator and its apocalyptic view of AI. For many years, the challenge in fulfilling the grander visions of AI was that computing had hit a functional ceiling.

But now, due to such innovations as cloud computing and open source software, computing essentially has no limits. Increasingly, when discussing AI, people refer to augmented intelligence, whereby machines help humans to do things better, faster, and more intelligently.

The combination of AI and robotics process automation (RPA) — the automation of some chores — coupled with high-touch human intelligence is the wave of the future.

For risk executives, AI holds great promise for enhancing and supporting risk-related insights and decision-making. For example, automated analysis of large numbers of loss reports can help to identify trends in a manner that would not otherwise be possible. Such augmented insights can help decision makers identify emerging risks and prioritize risk management efforts. Among our respondents, 29% said their organization was using AI, though only 12% knew what it was being used for.

Another 18% said they were actively exploring how AI could benefit the organization. Risk executives will be well-served to start thinking through the ramifications of AI:

• How can AI be leveraged to improve risk management, such as by flagging emerging risks and identifying relevant trends?
• What kinds of risks must be managed once AI becomes “democratized,” accessible to all?
• As regulations develop around AI, how will it affect organizations?

The fact is that AI will only become more pervasive. One key to an AI strategy for managing risk is to first get the data and analytics side of the house in order. “Companies that rush into sophisticated artificial intelligence before reaching a critical mass of automated processes and structured analytics can end up paralyzed,” comes a warning from Oliver Wyman.

Blockchain: “Watching it Develop”

As the technology behind high-profile cryptocurrencies, blockchain has gained a lot of attention over the past few years, though few people are truly comfortable explaining how it works. That said, by enabling an extremely secure method of tracking transactions, blockchain has the ability to provide a range of benefits in the risk and insurance ecosystem.

One potential advantage will be its ability to provide a “single source of truth.” Today each participant in the insurance value chain keeps their own versions or copies of an object, such as policy or claims documents. By collaborating and keeping this information on a single blockchain that is decentralized, reliable, and immutable, users can create a ledger that is purportedly tamper-proof.

The blockchain can also provide security that a transaction is valid, typically by employing consensus mechanisms through which the transaction is transmitted to various validation points on the blockchain. The transaction will not be completed until the validating nodes all agree.

Further potential benefits in managing risk include cost reduction, 24/7 data accessibility, supply chain management, and fraud detection. Risk management professionals, however, remain at the early stages of understanding blockchain’s potential, with just 24% of respondents saying their organization either uses or is exploring the technology.

What’s more, more than half of those that are using or exploring blockchain lack the knowledge to be involved in related strategic discussions.

As the CEO of a logistics company said in an Excellence focus group: “Blockchain is a technology that’s right in front of us today. It’s not paramount to our business, but it has some abilities, particularly on the fraud/forensic side. But at this point we’re just watching it develop.” 

IoT: Awareness Growing

As was the case in the 2017 Excellence survey, we continue to question whether companies realize the full extent to which IoT devices are in use, although the trend line is positive. In 2017, just 48% said their organization used or planned to use IoT technologies, despite outside statistics showing actual usage at about 90%. This year, 59% of Excellence respondents said their organization uses or plans to use IoT, although many (25%) were not aware of how it would be used.

At their core, IoT systems allow enterprises to make value-adding decisions in real-time, with increased flexibility regarding their approach to efficiency, cost reduction, and risk modification. Transportation companies, for example, regularly use IoT devices to monitor a vehicle’s location, the temperature of its cargo, the performance of its driver, and more.

“We track just about everything we can on a driver,” said the risk manager at a US trucking company. “We have cameras in all of our trucks. We have crash avoidance systems ... and we’ve built predictive analysis that accounts for all the data points and puts out a risk score for those drivers.”

IoT technologies are also used to simplify regulatory compliance — for example, sensors can control temperature in food storage areas and automatically generate compliance documents to help with required inspections.

Organizations in many industries are finding that the data gathered from wearables is helping to refine safety programs and reduce workplace injuries.

It’s important to understand that IoT is a double-edged sword: It increases the loss potential from data security breaches as more sensitive data are being created and stored on networks. In addition, technologies that are not fully secured present the potential for manipulation of data and automated controls.

Cyber Maturity Increases 

In part due to the boom in technology and the serious consequences when it is compromised, much attention has been given to cyber risk over the past decade.

Seemingly not a day passes without significant news about a cyber-related attack, breach, solution, lawsuit, or regulation. One result is that organizations have quickly developed maturity around and understanding of the risk — more than three-quarters of survey respondents said their company understands how legal liability from cyber risks would affect them, and how their insurance would apply. Less than 10% said their organization did not understand.

The focus on cyber risk can also be seen in how many respondents cited enhancements to data security capabilities as a top priority for their organization.

Risk Committees Continue to be Underutilized

One of the ways risk managers can further strategic discussions around technology and innovation is by assuming a leadership role in their organization’s cross-functional risk committee. About 60% of organizations said they have such a committee.

This is an increase over last year, however we find the number has typically fluctuated between about 50% and 60%. Among those who said they do not have such a committee this year, 35% said their company should have one. For those that do have a committee, it’s important to keep the agenda from becoming stagnant over time.

For example, rather than focusing each meeting on a review of top risks, many effective committees now build perspectives around strategic risks, which increasingly involve technology and innovation.

Goals should include mitigating risks as well as taking advantage of market opportunities. It’s also important to occasionally review the composition of risk committees, maintaining a mix that goes beyond safety, business continuity, and legal in all risk management protocols.

The collaboration from such a committee can help to generate discussion and alignment around everything from innovative uses of data and risk finance to capital expenditures. When at their most effective, they are also likely to increase clarity regarding robust and complete coverage of relevant risks, whether “traditional” or emerging.

The majority of respondents with a committee this year said they regularly discuss emerging claims issues. This can be beneficial when the issues raised become part of a feedback loop, providing advice about emerging claims to those on the front lines working with new technologies.