Tag Archives: enterprise risk management

Top Risk Concerns for 2021

Financial institutions and their directors have to navigate a rapidly changing world, marked by new and emerging risks driven by cyber exposures based on the sector’s reliance on technology, a growing burden of compliance and the turbulence of COVID-19. At the same time, the behavior and culture of financial institutions are under growing scrutiny from a wide range of stakeholders in areas such as sustainability, employment practices, diversity and inclusion and executive pay.

A new AGCS report highlights some of the most significant risk trends for banks, asset managers, private equity funds, insurers and other players in the financial services sector, as ranked in the Allianz Risk Barometer 2021, which surveyed over 900 industry respondents: Cyber incidents, pandemic outbreak and business interruption are the top three risks, followed by changes in legislation and regulation – driven by environmental, social and governance (ESG) and climate change concerns, in particular. Macroeconomic developments, such as rising credit risk and low interest rates, ranked fifth.

The Allianz Risk Barometer findings are mirrored by an AGCS analysis of 7,654 insurance claims for the financial services segment over the past five years, worth approximately €870 million ($1.05 billion). Cyber incidents, including crime, rank as the top cause of loss by value, with other top loss drivers including negligence and shareholder derivative actions.

COVID-19 impact
Financial institutions are alive to the potential ramifications of government and central bank responses to the pandemic, such as low interest rates, rising government debt and the winding down of support and grants and loans to businesses. Large corrections or adjustments in markets – such as in equities, bonds or credit – could result in litigation from investors and shareholders, while an increase in insolvencies could also put some institutions’ own balance sheets under additional strain. 

Cyber – highly exposed despite high level of security spending

The COVID-19 environment is also providing fertile ground for criminals seeking to exploit the crisis as the pandemic led to a rapid and largely unplanned increase in working from home, electronic trading and digitalization. Despite significant cyber security spending, financial services companies are an attractive target and face a wide range of cyber threats, including business email compromise attacks, ransomware campaigns, ATM “jackpotting” – where criminals take control of cash machines through network servers – or supply chain attacks. The recent SolarWinds incident targeted banks and regulatory agencies, demonstrating the vulnerabilities of the sector to outages via their reliance on third-party service providers. Most financial institutions are now making use of software run on cloud services, which comes with a growing reliance on a relatively small number of providers. Institutions face sizable business interruption exposures, as well as third-party liabilities, when things go wrong. 

Compliance challenges around cyber, cryptocurrencies and climate change

Compliance is one of the biggest challenges for the financial services industry, with legislation and regulation around cyber, new technologies and climate change and ESG factors constantly evolving and increasing. There has been a seismic shift in the regulatory view of privacy and cyber security in recent years, with firms facing a growing bank of requirements. The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines and regulatory costs and growing third-party liability, followed by litigation. Regulators are increasingly focusing on business continuity, operational resilience and the management of third-party risk following a number of major outages at banks and payment processing companies. Companies need to operationalize their response to regulation and privacy rights, not just look at cyber security.

Applications of new technologies such as artificial intelligence (AI), biometrics and virtual currencies will likely raise new risks and liabilities as well, in large part from compliance and regulation. With AI, there have already been regulatory investigations in the U.S. related to the use of unconscious bias in algorithms for credit scoring. There have also been a number of lawsuits related to the collection and use of biometric data. The growing acceptance of digital or cryptocurrencies as an asset class will ultimately present operational and regulatory risks for financial institutions, with uncertainty around potential asset bubbles and concerns about money laundering, ransomware attacks, the prospect of third-party liabilities and even ESG issues, as “mining,” or creating cryptocurrencies, uses large amounts of energy. Finally, the growth in stock market investment guided by social media raises mis-selling concerns – already one of the top causes of insurance claims.

ESG factors taking center stage 

Financial institutions and capital markets are seen as an important facilitator of the change needed to tackle climate change and encourage sustainability. Again, regulation is setting the pace. There have been over 170 ESG regulatory measures introduced globally since 2018, with Europe leading the way. The surge in regulation, in combination with inconsistent approaches across jurisdictions and a lack of data availability, represents significant operational and compliance challenges for financial service providers. 

At the same time, activist shareholders or stakeholders increasingly focus on ESG topics. Climate change litigation, in particular, is beginning to include financial institutions. Cases have previously tended to focus on the nature of investments, although there has been a growing use of litigation seeking to drive behavioral shifts and force disclosure debate. Besides climate change, broader social responsibilities are coming under scrutiny, with board remuneration and diversity being particular hot topics, and regulatory issues. 

Claims trends and the impact on the insurance market 

The fact that compliance risk is growing is concerning, as compliance issues are already one of the biggest drivers of claims. Cyber incidents already result in the most expensive claims, and insurers are seeing a rising number of technology-related losses, including claims made against directors following major privacy breaches. 

Other examples include sizable claims related to fraudulent payment instructions and “fake president” scams. Such payments can be in the millions of dollars. AGCS has also handled a number of liability claims arising from technical problems with exchanges and electronic processing systems where systems have gone down and clients have not been able to execute trades, and have made claims against policyholders for loss of opportunity. There have also been claims where a system failure has caused damages to a third party; one financial institution suffered a significant loss after a trading system crashed, causing processing failures for customers.

Recent loss activity, compounded by COVID-19 uncertainty, has contributed to a recasting of the insurance market for financial institutions, characterized by adjusted pricing and enhanced focus on risk selection by insurers, but also a growing interest for alternative risk transfer solutions, in addition to traditional insurance. Insurance is increasingly an important part of the capital stack of financial institutions and a growing number are partnering with insurers to manage risk and regulatory capital requirements or using captive insurers to compensate for changes in the insurance markets or to finance difficult-to-place risks. 

You can read the full report here: Financial Services Risk Trends: An Insurer’s Perspective

Transformation of the Risk Landscape

There is little doubt that the risk landscape has changed in the past few years. Natural catastrophes are increasing in number and severity, low probability risks are coming to fruition, higher probability risks (such as cyber) are looming larger and new risks are emerging. Here are some of the ways insurers can address the changing risk landscape.

From single-event scenarios to multiple-simultaneous-event scenarios

It has been common for insurers to test their solvency by creating several scenarios and estimating what each would do to capital levels. Typically, each scenario tested one variable at a time; for example, what would a 1-in-250-year event or an XX-basis-point interest rate drop do to capital strength in a given year? However, as the risk landscape intensifies, single-variable scenarios are no longer sufficient.

More robust, multi-event scenarios need to become the norm if the potential risk to capital is to be evaluated effectively. For example, what would the result be if a 1-in-250-year event happened while equities plunged 35% in value? Or what would the effect be if two 1-in-250-year events occurred at the same time inflation rose by 40%? What would happen if three 1-in-150-year events happened in the same year? The macro-economic environment constantly changes, and individual company conditions are unique, so scenarios need to be tailored and updated as appropriate.

From virtually ignoring low-probability risks to paying more attention to low-probability risks

Scoring risks is done on the basis of both their potential impact (dollar impact to profits, revenues, expenses) and their probability of occurring (high, medium, low). Other things may come into play, too, such as how imminent the risks are (one year away, three years away, more than three years away). This kind of scoring makes it possible for companies to decide which risks should get the most focus and resources in an effort to mitigate their impact. The problem has been that the impact of low-probability risks is hard to quantify and is often underestimated. Additionally, the very fact that their likelihood is not high means these risks tend to be taken less seriously than perhaps they should be.

The current pandemic — with all its ripple effects — has shown that low probability/high impact risks can and do happen. Some insurers realized the loss potential if a virus became widespread and incorporated virus exclusions in various policies. This has served them well, because those with such exclusions are better protected against claims for coverage that was never intended. 

Some low probability/high impact risks emanate from the broader environment and some come from a particular company’s business model or operations. In either case, the risks need to be properly vetted and commensurate mitigation plans need to be implemented. 

From focusing on current risks to focusing on both current and emerging risk

That there are so many current risks insurers must attend to leads to emerging risks not being identified or being pushed to the back burner.  Even though emerging risks can be hard to identify and assess and may not seem imminent, they should not be marginalized. Given the speed of change, these risks can emerge as full-blown risks sooner than might be anticipated. Significant ones can quickly cause serious consequences.  

Any insurer ignoring emerging risk identification and mitigation is opening itself up to potential loss or impairment that could have been minimized or avoided. Some emerging risk categories are: AI; cyber; environmental, social and governance (ESG) developments; and new energy sources.

From reality to perception 

Insurers’ perception of themselves can be quite different from the way they are perceived by stakeholders outside the industry. And it is the external perception that forms the basis of an insurer’s reputation. Any one insurer may have a better or worse reputation than the universe of insurers, but all are affected to some extent by the umbrella perception.

Some of these negative aspects of insurers’ reputations stem from many retail buyers not always understanding the insurance mechanism and from thinking insurers make greater profits than they actually do. Some retail buyers would rather not buy insurance at all but are forced to by laws or lenders. Commercial buyers can find insurers slow, cumbersome and not very transparent.

In reality, insurers tend to be ethical in honoring their contractual obligations and are price competitive while also trying to improve processes and customer experience. This is largely true because insurers are heavily regulated, have publicly available ratings by rating agencies and exist in a competitive marketplace.   

Despite this reality, a poor reputation contributes to low customer loyalty, fraudulent claims, extra scrutiny by third parties and other risks or threats. Now, insurers face more reputational risk than ever before. For example, the legitimate, but unfortunate, denial of COVID-19-related business interruption claims has dented insurer reputations. How this will play out in the long run is unknown.

What this means in terms of insurers’ enterprise risk management (ERM) is that, when they look at their reputational risk picture, they need to assess the risks to their reputation from the outside in. They need to see how they appear in the eyes of customers, regulators and the community at large. Improvement can take the form of improved communication starting with clearer policy language but can move well beyond that to more frequent communication with customers, greater transparency and more responsible advertising.

All in all, insurers of all sizes need to take note of changes in the risk landscape and must continuously improve their ERM practices.

Building an Effective Risk Culture

“Culture is the soul of the organization — the beliefs and values, and how they are manifested. I think of the structure as the skeleton, and the process as the flesh and blood. And culture is the soul that holds the thing together and gives it life force.” – Henry Mintzberg

The prevailing risk culture within an organization can make it significantly better or worse at managing these risks. It also significantly affects the organizational capability to take strategic risk decisions and deliver on performance promises. Risk culture arises from the repeated behaviors of the employees of the organization. These behaviors are shaped by the underlying values, beliefs and attitudes of individuals, which are partly inherent, and by the existing corporate culture in the organization.

Now that risk practitioners are finally catching on to risk culture and risk culture building, way after my first article on people risk in GARP Risk review back in 2004, we suddenly find a whole bunch of risk culture “experts” talking absolute garbage when it comes to doing this thing.

Let us thus get the basics right:

Basics No 1: Governance Structure:

Firstly, the reporting line for the head of risk/chief risk officer is directly to the board. If you run your business by committees, that would be the chairperson of the board risk committee; if not, it should be a non-executive director who knows something about the management of risk. 

Secondly, do not appoint your risk champions; select them from volunteers. 

Basics No 2: The Definitions:

Before you formulate your own understanding, use these definitions:

  • “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” –NC State ERM Initiative
  • “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” –Institute of Risk Management
  • Risk culture building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimize risk to the advantage of the organization.

Basics No 3: The Levels of Maturity: 

  • Level 1: In a bad risk culture, people do not care and will not do the right things regardless of risk policies, procedures and controls. Generally reflecting an environment of risks managed in silos, people are always “firefighting” with no clear risk owners, no real communication and weak accountability.
  • Level 2: In a typical risk culture, people tend to care more and will do the right things when risk policies, procedures and controls are in place. Risk owners are clearly defined and roles and commitments are understood, but effective awareness is still lacking.
  • Level 3: In a good risk culture, people care and will do the right things even when risk policies, procedures and controls are not in place. At this level, there are integrated risk management teams with standardized roles and clear accountabilities, normally controlled by a central function that coordinates all activities.
  • Level 4: In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis. Strong cross-functional teamwork and employees who apply sound judgment in the management of risk. A small central risk management advisory team that understands the enterprise fully supports the business at all levels. Organizations at this level are well-prepared for crisis management.
  • Level 5: In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimize risks to make informed decisions and build sustainable competitive advantage for the organization. At this level, organizational and individual performance measures are fully aligned and risk-sensitive. Every employee is a risk manager, and knowledge and skills are upgraded continuously. Such an organization is agile and designed to adapt to changes.

Basics No 4: Assessing the Current Level of Maturity and Building Action Plans:

To start risk culture building, an organization first needs to get an accurate picture of the current level of risk culture maturity in the organization. Various attempts have been made to do this, and most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score, which is linked to a perceived level of maturity. 

In some instances, organizations call in consultants who also conduct interviews. The outcomes are then debated and agreed upon by consensus with the client. These processes can easily be manipulated to support the perception of those in charge and also fail to identify specific weaknesses to support targeted action plans.

A full risk culture maturity assessment must cover the following operational areas associated with the effective management of risk: 

  1. Policies
  2. Processes
  3. People and Organizational Design
  4. Reporting
  5. Management and Control

You have two options:

  1. A manual process: (offered as part of the formal Risk Culture Workshop training) 
  2. An on-line assessment tool: In an attempt to improve the accuracy of these kinds of assessments, a leading U.K. consultancy developed and launched an on-line assessment tool that is now commercially available. 

* (Contact chungarisk@yahoo.co.uk for details of either)

Basics No 5: What to Do Next: 

Building an effective risk culture requires aligning the structured approach in the innovation framework and the four-pillar risk culture building approach with the organization’s vision and purpose to be the most trusted and inspiring connector of positive change. This must be done within the context of the existing corporate culture, driven by the organization’s strategic objectives, with the outcome to realize the key benefits of risk culture building and create sustainable competitive advantage through the optimization of the management of risk within the organization.

Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite—you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company. The interactions among these are not predictable, and variables cannot accurately be isolated.

An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of individual ownership of risk and personal “conviction” — a state of mind where human beings own the risks and the process of managing those risks through making well-informed risk decisions because they want to, not because they have to. Companies drive value through optimizing risk management rather than a culture of compliance where people will do only what is required.

Basics No 6: The Four Pillars

  1. Think differently
  2. Get the whole picture
  3. Build a risk nervous system 
  4. Make every employee a risk manager

Each of these pillars represents a structured approach to address the underlying mindsets and behavioral aspects of organization and individuals to influence their attitudes and responses to risk in the context of the organizational demographics and their education, experiences, circumstances, attitudes, beliefs, emotions, social status and other factors and filters.

Basics No 7:  The “Do Not Even Think About It” List:

  • You can NEVER build an effective risk culture if you use the old Three Lines of Defense model or the (even worse) new Three Lines model
  • If you are promoting a “culture of compliance,” do not waste money attempting to build an effective risk culture 
  • Building an effective risk culture is not a “project”; the work never stops
  • Even a bad risk culture can be strong, so stop talking about a strong risk culture as a good thing
  • If you are not going to link risk culture to the performance management of each employee, at all levels, forget about it
  • You can follow any risk management framework or standard to the last letter and still be useless at the actual management of risk… just because of culture
  • You can be a brilliant chief risk officer in one company and a total failure in the next… just because of culture.

5 Risk Management Mistakes to Avoid

While many businesses attempt some form of risk management, few have a flawless approach. And because of the dynamic nature of changing markets and other variables, risk management programs need to be regularly updated or they, themselves, become at risk. Risk calculations based on gravity and likelihood are relatively simple, but simplistic frameworks can’t prepare an organization for surprises down the road.

All organizations should undertake an ERM (enterprise risk management) strategy, projecting into their long-term future where risks might arise, but risk management is complicated, and many organizations are making mistakes. Here are five that can cost your business.

1) Reinventing the Wheel

Many organizations try to create their own risk management framework rather than drawing from the wealth of experience already out there. Yes, your business is uniquely positioned, but a strong risk management framework will take contextual variables into account. By attempting to implement your own risk management framework you’re rejecting experience and expertise developed by professionals, leaving yourself exposed to gaps in your framework that allow risk to creep in.

COSO (Committee of Sponsoring Organizations of the Treadway Commission) and AICPA (American Institute of Certified Public Accountants) have both published industry standard ERM frameworks from which your business can draw. Don’t reinvent the wheel when approaching risk management.

2) Ignoring IT Red Flags

Whilst IT departments are not best placed to lead ERM processes, the insight of your IT department is invaluable when building a risk management strategy, so IT professionals should be viewed as equal partners rather than subordinate teams. This configuration empowers your IT department to contribute valuably to the process of risk management.

“IT is uniquely placed to identify metrics and offer data and analysis that could easily be overlooked from other perspectives,” says Ethan McLaughlin, a risk management expert at State of Writing and Boomessays. “If your organization is conducting a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, IT departments are an important place to start examining where risks may be present.”

3) Considering Identified Risks “Managed”

While risks need to be identified before they can be managed and mitigated, too many organizations stop after the first step. By listing potential risks to your organization you have done nothing to reduce their likelihood, and if you aren’t putting robust procedures in place then your strategy is nothing more than a sop.

What’s more, a large proportion of ERM is identifying strategic advantages possessed by your organization. Leveraging these advantages is as important as mitigating risks, and by capitalizing strategically on your position you can place yourself ahead of competitors.

4) Letting Expectations Get Out of Control

ERM does not provide a crystal ball, and sometimes situations unfold in genuinely unpredictable ways. For example, in 2020, risk management frameworks are scrambling to adapt to a radically changed economy in the face of a global pandemic. Judging ERM based solely on its accuracy misses the point.

Don’t let expectations get out of hand, as otherwise faith can be lost in risk management as a whole when the unexpected does occur. This will leave your business vulnerable to any number of things in the future.

5) Keeping Risk Management in-House

We all know that blindspots can appear when we’re too close to an issue, but many organizations consider risk management something that can be handled by internal auditors. In fact, an objective approach is essential, and an external eye can identify risk in seemingly innocuous procedures, something that those with a high degree of familiarity might have overlooked.

“Of course, details are essential in risk management so the in-house team should work closely with external auditors,” says Martin Franklin, a writer at Liahelp and OXessays. “This provides checks and balances that reduce risk and protect your organization in the long run.”

Wrapping Up

Risk management is an essential process that protects organizations from foreseeable fluctuations in future events. Key to the success of risk management are an established ERM, and working closely across departments while introducing an external eye. Putting a positive spin on circumstances is human nature — and provides a platform for success. Risk management enables this perspective to drive success, rather than leaving you open to catastrophic failure.

Time to Move Climate Risk Center-Stage

Insurers are not big polluters in their own right. Nor do they typically have lots of physical assets at risk, except indirectly through investment portfolios either now or in the future when economic transition raises the possibility of stranded assets.

Yet the impacts of climate on insurance operations are only too evident. Losses from more frequent flood events and other climate-related events, such as the wildfires that have ravaged parts of the U.S. and Australia in recent months; changing attitudes toward insuring and investing in high carbon industries; burgeoning regulation and moves toward mandatory climate risk disclosure; and external ESG (environmental, social, governance) ratings that increasingly reflect assessments of climate risk management – are all changing insurers’ risk landscapes.

With the PRA letter to U.K. insurers also setting the expectation that “firms should have fully embedded their approaches to managing climate-related financial risks by the end of 2021,” it’s relatively unsurprising then that climate change has been rising rapidly up the rankings of the perceived most dangerous risks to an insurance enterprise. In the most recent Willis Towers Watson Dangerous Risks Survey, for example, climate change rose from 53rd position in 2019 to 9th in 2020.

On the other hand, the up-side should not be ignored: Climate risk also brings new insurable opportunities and insurance can often be an enabler of innovation, allowing new technologies to be developed as risks are shared. Insurers that are taking steps now to better understand the risks and opportunities and planning for changes in their mid- to long-term strategies will be better placed to deal with them. These insurers will have built up a body of data, tools, analytical capabilities, processes and frameworks, with experience of learning and refinement, to avoid having to play catch up with the rapidly evolving regulatory environment as our collective knowledge of climate impacts grows.

Climate risk is truly multi-dimensional

Much as loss events grab the headlines, climate risk for insurers is truly multi-dimensional (see Figure 1). Potential ramifications that may not be grabbing the headlines yet could have potentially devastating consequences in years to come, such as sea level rise or threats that destabilize fragile states. Equally, new pathways for mitigating climate risk and resilience that don’t exist now could offer respite from threats and open up business opportunities.

Figure 1. The multi-dimensionality of climate risk

The need for a multi-dimensional risk approach simply reflects this expanding diversity of climate risk drivers.

Even if we confine those to the current day, from one angle there are market factors, such as regulation and investors’ lengthening ESG agendas. From another angle, there is the societal pressure to consume less and reduce environmental impact. Then there is the role of science and advances in climate understanding and adaptation, together with mitigation technologies and what these tell us about the need to adapt collective behavior. Notably, many of the world’s central banks and supervisors, through the Network for Greening the Financial System (NGFS), have already upgraded their view on the financial risks from climate change. The risks from climate change are now increasingly seen as having “distinct characteristics,” which means these risks need to be “considered and managed differently.”

The potential impacts on operations are similarly diverse, not the least whether factors such as public policy and regulation may affect insurability of certain segments. Add in underwriting issues (risk assessment, pricing sufficiency/competitiveness), regulatory compliance (including solvency impact), capital considerations (risk accumulation for example) and emerging risks (and opportunities) – and you have a veritable cocktail of risk dimensions to consider.

ERM implications

In many ways, however, these risks are not new per se; they map onto existing categories of financial and non-financial risk such as credit, market, business, operation and legal risks that insurers have been managing for many years. But taking into account the vagaries of climate, the risks do present new challenges.

Specifically for ERM programs, they raise issues and questions that require explicit consideration:

  • Governance, including the board’s role in providing oversight of climate risk responses and defining management responsibility for climate risk and ESG integration.
  • Risk identification, identifying the key channels through which climate risks can affect the company and how these are articulated and monitored on a continuing basis.
  • Risk appetite, including forming a view as to whether climate risk should be considered as a separate element or part of aggregate risk and how this will be implemented in practice.
  • Risk measurement and reporting, including how to incorporate climate risk into financial risk models and reports and deciding on relevant metrics for decision making, a key element of Taskforce for Climate-related Financial Disclosure (TCFD) requirements, for example.
  • Investment – how does the investment approach meet ESG objectives and respond to investor pressure to reduce or eliminate funding of high-carbon industries, for example?
  • Reputation risk, including identifying public communications needs and a strategy for communicating a firm’s climate and ESG response.

And because all in turn feed through to strategic business considerations such as earnings, product development, long-term direction and acquisitions and divestments, having a solid understanding within the business of the connections between physical, transition and liability risks is increasingly essential. This also means that the risk and governance frameworks need to be holistic and that each aspect cannot be treated in isolation.

Devil is in the details

Conceptually, this all probably makes sense. Where it starts to get trickier is getting into the long weeds of risk impact and mitigation. For that, quantification is key.

This requires proven analytics tools and methods that are constantly being refreshed to reflect the latest science and predictive climate change scenario datasets and the expertise to provide the context of how business decisions can affect potential futures. Typically, quantification will also entail a collective, systematic and open data collection initiative to capture appropriate data to represent the key risk-related attributes of assets and, equally importantly, to include the valuations needed to feed through into balance sheet and other decision-making views.

Examples of the types of outputs needed will include hazard and climate risk scoring and mapping, determination of hazard- and climate-adjusted financial losses and advanced modeling of current and future climate risks. And beyond the numbers, transparency of models, scenarios and parameters is also key to the credibility and flexibility of the approach.

Our view is that there are some key analytical building blocks in helping build understanding of climate risk. Even if these may represent a kind of analytical nirvana at the moment, principally due to lack of data, there are options. Drawing parallels with emerging cyber risk, many insurers relied on scenario analysis and a sort of risk disclosure statement to not only quantify risks but also to set risk appetite metrics:

  1. Identify hazards – review of the existing portfolio for exposure to climate and natural catastrophe perils to establish the hazard levels.
  2. Quantify current climate risk for key perils – modeling of the current portfolio of risks, taking into account the vulnerability of assets and the level of hazard with reference to past events.
  3. Quantify future climate risk for key perils – modeling of future portfolios of risks for key perils at different times (e.g. 2030, 2050) and climate development scenarios. This should also consider the connections between perils – compounding and cascading risks are difficult to model, but they are the real world.
  4. Identify opportunities to mitigate climate risk – identification and assessment of loss drivers and mitigation opportunities to help reduce the financial loss potential of climate change.
  5. Determine transition risk and opportunities – evaluation of potential transition routes in line with modeling and taking steps to embed them within the risk framework.
  6. Quantify transition risks – through breakdown of the top transition risks by region/climate scenarios.

As they become armed with this sort of information, insurers should be able to identify the regions and perils that are driving climate risk now and how this distribution could change. Critically, this capability will help to quantify and reduce the cost of climate risk and enable insurers to feed the results into reviewing and updating the risk appetite and management frameworks on a regular basis.

Given the evolving investment focus on the “social contract” and sustainable returns, the capability will also be increasingly important for being able to inform potential investors of both the impact of climate change on an organization and steps being taken by the business to reduce its climate impact.

This need has been accelerated by recent regulatory moves focused around reporting and disclosure, including proposals and consultations in some countries to make TCFD reporting mandatory sooner rather than later. Add to this the idea that COVID-19 may accelerate the broader appetite for ESG as financial markets look to build resilience to systemic risks, and there is an even stronger case for enhancing understanding and response.

The upside is that the positive reputational impacts of disclosure, enforced or otherwise, are likely to be more far-reaching than just compliance – working through this process provides a holistic stress test of strategic decision making and company direction.

Eye to the future

So where might the gaps lie? To be truly strategic, thinking about climate risk needs to properly address current climate risks and project five, 10 and 20 years into the future, at least. That means developing the climate trajectory scenarios and metrics (the areas incidentally where insurers say they expect to need most help, according to our TCFD survey) that are increasingly being demanded by various stakeholders to assess a company’s climate transition plans and contribution.

Not all companies will be equally affected, but it’s apparent that, in relatively quick time, climate will have to be a central component of ERM and strategic direction. Those running ERM programs at insurers are uniquely placed to ensure their companies are prepared to meet those rising and multi-faceted expectations of investors, regulators, employees, customers and other stakeholders.

Embedding climate risk into existing frameworks and ensuring boards are taking a strategic approach to the changes that are already happening, and those to come, will put companies in a position to deal more effectively with the threats and embrace the opportunities of a future low-carbon economy.