Tag Archives: risk appetite

Promise, Pitfalls of Cyber Insurance

Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade. Many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market.

However, wariness of cyber risk is widespread. Many insurers don’t want to cover it at all. Others have set limits below the levels their clients seek and have imposed restrictive exclusions and conditions – such as state-of-the-art data encryption or 100% updated security patch clauses – that are difficult for any business to maintain. Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions and the restrictions on claims, many companies question if their cyber insurance policies provide real value.

Insurers are relying on tight policy terms and conditions and conservative pricing strategies to limit their cyber risk exposures. But how sustainable is this approach as clients start to question the value of their policies and concerns widen about the level and concentration of cyber risk exposures?

The risk pricing challenge

The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks, and threats are rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.

While underwriters can estimate the cost of systems remediation with reasonable certainty, there isn’t enough historical data to gauge further losses resulting from impairment to brands or to customers, suppliers and other stakeholders. And, although the scale of potential losses is on par with natural catastrophes, cyber incidents are much more frequent. Moreover, many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a rapid sequence of high-loss events. So, how can cyber insurance be a more sustainable venture that offers real protection for clients, while safeguarding insurers and reinsurers against damaging losses?

Real protection at the right price

We believe there are eight ways that insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing while taking advantage of the opportunities for profitable growth.

  1. Clarify risk appetite – Despite the absence of robust actuarial data, it may be possible to develop a reasonably clear picture of total maximum loss and match it against risk appetite and tolerances. Key inputs include worst-case scenario analysis. For example, if your portfolio includes several U.S. power companies, then what losses could result from a major attack on the U.S. grid? What proportion of claims would your business be liable for? What steps could you take now to mitigate losses, from reducing risk concentrations in your portfolio to working with clients to improve safeguards and crisis planning? Asking these questions can help insurers judge which industries to focus on, when to curtail underwriting and where there may be room for further coverage. Even if an insurer offers no stand-alone cyber coverage, it should gauge the exposures that exist within its wider property, business interruption, general liability and errors and omissions coverage. Cyber risks are increasingly frequent and severe, loss contagion is hard to contain and risks are difficult to detect, evaluate and price.
  2. Gain broader perspectives – Bringing in people from technology companies and intelligence agencies can lead to more effective threat and client vulnerability assessments. The resulting risk evaluation, screening and pricing process could be a partnership between existing actuaries and underwriters who focus on compensation and other third-party liabilities, and technology experts who concentrate on data and systems. This is similar to the partnership between chief risk officer (CRO) and chief information officer (CIO) teams that many companies are developing to combat cyber threats.
  3. Create tailored, risk-specific conditions – Many insurers currently impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder’s vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within a client’s business. It also could draw on threat assessments by government agencies and other credible sources to facilitate evaluation of threats to particular industries or enterprises. Another possible component is exercises that mimic attacks to test both weaknesses and plans for response. As a result, coverage could specify the implementation of appropriate prevention and detection technologies and procedures. This approach can benefit both parties. Insurers will gain a better understanding and control of risks, lower their exposures and produce more accurate pricing. Policyholders will be able to secure more effective and economical protection. Moreover, the assessments can help insurers forge a closer, advisory relationship with clients.
  4. Share data more effectively – More effective data sharing is the key to greater pricing accuracy. For reputational reasons, many companies are wary of admitting breaches, and insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the U.S., which is now set to be replicated in the E.U., could help increase available data volumes. Some governments and regulators have also launched data-sharing initiatives (e.g., MAS in Singapore and the U.K.’s Cyber Security Information Sharing Partnership). In addition, data pooling on operational risk, through ORIC, provides a precedent for more industrywide sharing.
  5. Develop real-time policy updates – Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.
  6. Consider hybrid risk transfer – Although the cyber reinsurance market is relatively undeveloped, a better understanding of evolving threats and maximum loss scenarios could encourage more reinsurers to enter the market. Risk transfer structures likely would include traditional excess of loss reinsurance in the lower layers, and the development of capital market structures for peak losses. Possible options might include indemnity or industry loss warranty structures or some form of contingent capital. Such capital market structures could prove appealing to investors looking for diversification and yield. Fund managers and investment banks could apply reinsurers’ or technology companies’ expertise to develop appropriate evaluation techniques.
  7. Improve risk facilitation – Considering the complexity and uncertainty surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator – possibly brokers – will need to bring together all parties and lead the development of effective solutions, including the cyber insurance standards that many governments are keen to introduce. Evaluating and addressing cyber risk is an enterprise-wide matter – not just one for IT and compliance.
  8. Enhance credibility with in-house safeguards – If an insurer can’t protect itself, then why should policyholders trust it to protect them? If the sensitive policyholder information that an insurer holds is compromised, then it likely would lead to a loss of customer trust that would be extremely difficult to restore. The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole.

Key questions for insurers as they assess their own and others’ security

From the board on down, insurers need to ask:

  • Who are our adversaries, what are their targets and what would be the impact of an attack?
  • We can’t defend everything, so what are the most important assets we need to protect?
  • How effective are our processes, assignment of responsibilities and systems safeguards?
  • Are we integrating threat intelligence and assessments into active cyber defense programs?
  • Are we adequately assessing vulnerabilities against the tactics and tools perpetrators use?

Implications

  • Even if an insurer chooses not to underwrite cyber risks explicitly, exposure may already be part of existing policies. Therefore, all insurers should identify the specific triggers for claims, and the level of potential exposure in policies that they may not have written with cyber threats in mind.
  • Cyber coverage that is viable for both insurers and insureds will require more rigorous and relevant risk evaluation informed by more reliable data and more effective scenario analysis. Partnerships with technology companies, cyber specialist firms and government are potential ways to augment and refine this information.
  • Rather than simply relying on blanket policy restrictions to control exposures, insurers should consider making coverage conditional on regular risk assessments of the client’s operations and the actions they take in response to the issues identified in these regular reviews. This more informed approach can enable insurers to reduce uncertain exposures and facilitate more efficient use of capital while offering more transparent and economical coverage.
  • Risk transfer built around a hybrid of traditional reinsurance and capital market structures offers promise to insurers looking to protect balance sheets.
  • To enhance their own credibility, insurers need to ensure the effectiveness of their own cyber security. Because insurers maintain considerable amounts of sensitive data, any major breach could severely affect their market credibility both in the cyber risk market and elsewhere.

Why Do Some Take Risks, Others Not?

Every time you breathe, you take a risk. But, usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.) Every time you make a decision, you take a risk; we take risk all the time, in pretty much every facet of our personal and professional lives.

But, when faced with the same situation, people will act differently from one another. A person may assess the risk differently from someone else. He may make a different decision regarding whether the risk is acceptable and which fork in the road he should take to address it.

In risk management, it’s fine to have defined risk criteria or appetite statements, but these rarely cover every decision a manager has to make. So, the manager has to make a decision based on what she thinks is best.

A number of experts will point to risk culture as the answer to this variance in decision-making. The experts seem to believe that some organizations are more risk-averse than others. But organizations are composed of people—different people in leadership roles with different backgrounds, experiences and biases. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude toward risk.

For example, on whether to select vendor A, B, C or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for that vendor. Manager Z may have lived through a disastrous experience where a sole-source vendor failed, so she will opt for a combination of two or more vendors. Manager Y may have just suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Even something such as a state of mind can influence a risk decision.

It’s not only that different people make different decisions in the same situation but that each person may make different decisions at different times. This is important because, as risk professionals, we want decision-makers to take only the level of risk that top management and the board desire.

To have consistent decisions on risk, we need to know the temperature and overall health of the organization and its decision-makers. We need to answer these questions:

  • Who are we relying on to take the risks that matter most to the organization’s success?
  • How can we obtain assurance that they understand the desired level of risk?
  • How can we obtain assurance that they will act as we desire?
  • How will we know when their risk attitude changes?

A survey will, perhaps, give you a moment-in-time view. However, people change. Managers and executives leave, new ones join and people’s perspective and desire to take risk change, especially if they see their compensation or termination is likely to be affected by their decision.

This is a complex issue that risk professionals need to understand and assess within, and across, their organization.

Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.

In the meantime, how do you address this variability? How do you know that your decision-makers will take the desired level of risk?

The 3 Ways to Customer Retention

While life insurance used to be one of many Americans’ most important financial assets, a host of changes—economic, social and cultural—have caused it to become a lower priority. Customers’ top two reasons: that life insurance is too expensive, and that they have other financial priorities.

Given the difficulty of acquiring new customers, it is imperative for carriers to focus on retaining existing ones. In fact, small increases in retention can translate to large revenue growth, and the payoff can be substantial.

Reaping the benefits of a thoughtful customer retention program requires a long-term vision. Carriers should consider the potential lifetime value of a customer (and the products he is likely to buy) that will allow a carrier to increase profitability—today and in the future.

LexisNexis recommends three steps on the road to an effective customer retention program:

  • Acquire customers with retention in mind
  • Develop a customer-focused communications agenda
  • Understand the customer experience

  1. Acquire customers with retention in mind

Effective customer retention begins with targeted acquisition. Carriers must understand their own capabilities, risk appetite and services and acquire customers that they can serve well. The better a customer aligns with a carrier’s profile and preferred market spaces, the greater the likelihood she will stay.

Segmentation and predictive models are key. Solutions available in the market include:

  • Risk classification models to help carriers optimize leads and identify the most profitable prospects.
  • Lookalike models to help carriers understand the characteristics of their best customers and attract similar prospects.
  • Lifetime value models to identify the potential long-term return of a prospect—enabling a carrier to identify prospects with the greatest future potential for growth and loyalty.
  • Prospect persistency to help predict whether a prospect will lapse within a given time.

In short, successful retention efforts begin well before a customer is acquired.

  2. Develop a customer-focused communications agenda

Having done the legwork to acquire a suitable customer, carriers should ensure they have a strategy for strengthening the relationship. Each customer touch point is an opportunity to do so, and these touch points should be outlined in a customer-focused agenda and communication plan.

The customer agenda defines customer touch points, such as:

  • Onboarding process. The onboarding process can set the tone for the carrier-customer relationship. For example, customers might receive a welcome note with contact information in case of questions; where to learn more about protecting their life, health and other assets; how to set up a holistic financial protection plan; and more. Carriers can tailor these communications for individuals and reinforce the company’s brand, nurturing a conversation from the very start. These communications are usually separate from a carrier’s requirement to deliver legal policy documents, but this is not to say that the delivery of legally required documents has to be stiff or un-tailored. Every step of the process is an opportunity to nurture.
  • Annual reviews. Many customers are either unaware of or confused about coverage options, so annual reviews are an ideal opportunity for the carrier to stay in touch with each customer and offer risk management advice. Annual reviews also help position the carrier as an adviser, not just a service provider. In addition, carrier support for annual reviews can help a sales team stay on top of its customers’ life changes—while also positioning each salesperson as a reliable and trusted adviser.
  • Cross-selling opportunities. Based on their understanding of each customer, carriers can identify opportunities to cross-sell additional products, such as an annuity or supplemental health product. Carriers should also consider cross- or multi-product purchases within a household—for example, for an insured’s spouse, child or parent.
  • Payment reminders and opportunities for automatic payments. Payment and premium reminder notices can trigger customers to lapse or switch providers, so managing these communications is critical to retaining customers. In addition, automatic payments can make paying life insurance premiums effortless for customers, minimizing the chance that they will lapse.

Carriers should also ensure that they maintain continuity across all channels, synchronizing their market messages across all digital and traditional communications channels including websites, print and radio ads, social media, email and direct mail.

Traditionally, carriers have minimized communications with their customers, believing that reminders about life insurance are a reminder of that customer’s mortality as well as a budgetary expense. As such, retention strategies were more focused on conserving customers who had already decided to cancel their policies, typically by offering less coverage and lower premiums.

  3. Understand the customer experience

The customer agenda outlines when and how a carrier will communicate with its customers but does not address an individual customer’s unique needs. To better understand their customers and identify these needs, carriers should supplement their internal data with external data sources and predictive models. This is one area where the life industry has much experience and has often excelled, but carriers have not been consistent in their pursuit of data for deeper customer insights. Exacerbating the issue, new sales have been harder to win, prompting carriers to focus heavily on acquisition—to the detriment of understanding current customers’ needs.

The Internet and social media channels have changed the way that customers make purchases—and insurance is no exception. Rather than turn to a carrier or agent for advice, many customers now begin with online research. This research may include the carrier’s website, as well as comparison sites and online reviews. Increasingly, it also includes social media, which allows positive and negative experiences to be reported and shared. In general, these channels limit a carrier’s control over its brand and the customer experience.

To better understand each customer’s individual needs, and how he experiences a relationship with the carrier and agent, carriers can work with a data partner to:

  • Tap into third-party data sources to gain insight on a customer’s life changes. External data can help carriers identify customers whose insurance needs might change: For example, people often reevaluate their finances when they move or purchase a new home. Armed with up-to-date mover and homeowner information, carriers and agents can contact customers and advise them on ways to mitigate risk.
  • Verify whether an insured has appropriate coverage. Customers may experience life changes and not think to update their life insurance provider. Working with a data partner, carriers can obtain up-to-date, accurate and validated wealth and asset information—to be certain each insured has appropriate coverage and affordable premiums for their means, and to offer alternatives if otherwise.
  • Use models to determine the risk of a customer leaving. Market solutions are available that can help carriers predict the risk of a client leaving, so that carriers can take action before she leaves.

With data, analytics and predictive models, carriers can identify customers with changing insurance needs and life events and respond appropriately. An effective response will address a customer’s specific needs—and, in an ideal situation, will deliver a tailored message at the right time. In addition, market solutions can enable carriers to establish event alerts that deliver automatic messages at the right time. For example, a carrier could establish an automated event notification when customers apply for a new mortgage. An automated process could send each customer a note outlining tips for buying a home, while reinforcing the value of the life insurance the customer already holds, in helping to protect the home for the family. The communication would also remind customers to update their life insurance policy within a suggested time of a new home purchase to ensure they have adequate coverage.

Automation ensures that messages are delivered efficiently, effectively and through the appropriate channel. It can also support a more cooperative carrier-agent relationship, as carriers can direct customer retention efforts while still empowering agents to connect with customers. In addition, automation better assures carriers that they are providing a consistent experience. Following each automated message, the carrier or agent should follow up with the customer to reinforce the 1:1 messaging and strengthen the relationship.

In a continued low-interest rate environment, customer retention must be a priority for a carrier to thrive. Customer acquisition encompasses a host of carrier activities, from advertising and marketing, to on-boarding, underwriting and policy issue. In life insurance, it can take seven to eight years to recoup the acquisition costs for one customer. Bain has estimated that it is six to seven times more costly to acquire a new customer than to retain an existing one.

Major Regulatory Change in Asia-Pacific

The global insurance industry is undergoing significant regulatory change, with regulators in the more developed markets endeavoring to synchronize their efforts. Similar occurrences can be observed in the Asia-Pacific region, where a number of countries are reviewing and undergoing changes in their approach to insurance regulation and holistic risk management. Most notably, a number of regulators are either introducing risk-based capital (RBC) or revisiting their existing RBC frameworks. The maturing regulatory approaches in Asia-Pacific will be a significant factor in managing systematic risk and enhancing policyholder protection.

Asia-Pacific is different

While the proposed RBC framework in Asia-Pacific may have similarities with the European Solvency II standard, there is wide disparity in the level of sophistication and application. Many of the changes are being driven by local market nuances, such as characteristics of the insurance products being sold and maturity of the insurers who operate in the various jurisdictions.

For example, Australia has recently implemented its second-generation solvency regime. Singapore and Thailand are consulting with the industry on second-generation RBC frameworks, while others such as China and its Hong Kong SAR are considering moving in that direction. These moves are particularly encouraging in providing a regulatory framework that will allow for a degree of consistency, especially for those insurers that have multiple offices across the region.

In addition to the changes in reserving and solvency calculations, a number of regions are also strengthening their risk management efforts (e.g., China with C-ROSS). This exemplifies how regulators are paying more attention to embedding risk management activities in the business. They look to ensure that senior management has sufficient oversight to allow them to consider and discharge their fiduciary responsibilities. It is important that organizations have an operational infrastructure and that the risk profile is within business risk appetite levels.

What does this mean for insurers?

Advances in regulation in the Asia-Pacific region are far-reaching. The implications are expected to improve the way businesses will operate to create long-term sustainability. These implications, in our view, will affect product offerings, investment strategy, capital utilization, risk transfer opportunities and infrastructure.

In particular, we foresee several implications:

• A robust regulatory framework will provide comfort about the overall financial soundness of the insurance industry. However, the cost of regulatory compliance is expected to increase significantly.

• Changing regulations will provide more room for innovation and incentives to enhance or change organizational metrics. Better-managed companies will potentially benefit from lower capital requirements, making their products more attractive.

• Companies traditionally focusing on new business value will have to rethink the continuing profitability of past years and will need to understand options available for in-force value management. This will be particularly crucial given that existing forms of new business may be capital-intensive.

• A better understanding of the business risk profile will be needed. This will necessitate implementing sophisticated techniques in modeling/optimizing risk-adjusted returns and outlining a more systematic process for risk appetite.

• Investment will be required to enhance the modeling and reporting systems to meet regulatory timelines.

• Convergence of regulations toward RBC will also mean that there is less disparity between local and foreign players. This will make Asia-Pacific insurance markets potentially more attractive for foreign investments. Moreover, customers may eventually benefit from new ideas and solutions from both foreign and domestic insurers. This will create a healthy competitive marketplace for policyholders.

Challenges and opportunities

Based on experience in more developed insurance markets, changes in regulations produce both challenges and opportunities for insurers. In the short term, it is anticipated that there will be more investment demands on insurance companies. Insurers have the prerogative to make the best use of these investments to define long-term opportunities.

In Europe, for example, some insurers have used Solvency II as a means to further enhance their risk management systems, capital allocation mechanisms and reporting infrastructure, and redefine their key performance indicators. This, in turn, has convinced shareholders and analysts that investments because of regulatory changes should not be for mere compliance, but rather as a means of enhancing competitive advantage. We believe that insurers in Asia-Pacific should draw upon the experiences and challenges in more developed markets to establish an approach for Asia-Pacific markets that considers regulation, economic nuances and the purchasing behavior of policyholders.

Looking ahead

There will be many changes within the industry over the next few years, and companies will need to consider the operational implications for their businesses. Based on our conversations and experience in the region, we see an increasing number of insurers making adjustments to their future business plans and investment needs. Some of these modifications are tactical, such as enhancing their existing processes, while others have the potential to have a wholesale effect on entity rationalization and strategic initiatives, such as capital optimization.

We are very engaged with the regulators, industry bodies and insurance companies in the emerging discussions and are helping insurers to consider these regulatory changes with a strategic mindset.

China

The China Insurance Regulatory Commission (CIRC) has adopted a factor-based solvency system similar to Europe’s Solvency I regime. It is composed of internal risk management, solvency reporting, financial analysis and supervision, regulatory intervention and bankruptcy remediation. This solvency regulation system was built from 2003 to 2007.

Over the past 30 years, the Chinese insurance market has become one of the fastest-growing in the world, and its complexity and risk have increased accordingly. The existing static solvency system no longer properly reflects asset and liability risks facing insurance companies. Therefore, it has limitations in providing good guidance for insurers to improve risk management quality and capabilities.

Globally, there is a trend toward more risk-oriented regulation and governance, such as Europe’s Solvency II, the US NAIC’s solvency modernization initiative and Singapore’s RBC 2.

Developing a new solvency system for mainland China would not only meet local market needs but could also provide pragmatic and invaluable experience for other emerging markets, as well as the international insurance community.

Australia

Australia has two primary supervisory authorities, the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC). Both bodies have authority over the entire retail financial sector, comprising deposit-taking institutions, life and non-life insurance companies, friendly societies and superannuation schemes. APRA is responsible for the licensing and prudential regulation of financial institutions, while ASIC deals with consumer protection issues.

The most significant recent enhancement to the regulatory regime is the capital adequacy framework and draft conglomerate supervision. This is supplemented by a corporate governance regime.

Hong Kong

The insurance industry in the Hong Kong SAR has witnessed considerable growth in the past decade. As of Oct. 14, 2014, there were 155 authorized insurers in Hong Kong, including 44 long-term insurers, 92 general business or non-life insurance companies and 19 composite insurers (i.e., life and non-life insurers).

In Hong Kong, the Office of the Commissioner of Insurance (OCI) is the Insurance Authority (IA) under the Insurance Companies Ordinance (ICO) and oversees the financial conditions and operations of authorized insurers. The OCI is part of the Financial Services and the Treasury Bureau of the Hong Kong Government.

India

The Indian life insurance industry has witnessed a phenomenal change in the last 14 years since it was opened to private players. It experienced strong growth (a CAGR of 30%) for almost a decade, until a wave of regulatory changes capped charges for unit-linked products. This compelled insurers to shift focus from unit-linked investments to traditional protection products, significantly slowing industry growth. With reduced shareholder margins on unit-linked plans, sales of traditional products have increased and now constitute at least half of new life insurance business, whereas unit-linked plans are facing negative growth.

General insurers have seen growth of 16% CAGR over the past decade. This is attributed to the evolving regulatory environment, new private companies entering the market, changing demographics, greater disposable income and business development in the corporate sector. In fact, growth was significantly higher in the financial year 2012–13 — up 24%, primarily as a result of policies sold and rate adjustments.

Against the backdrop of a relatively underpenetrated market, there is a significant potential for sustainable long-term growth. Currently, there are 24 life insurance and 28 general insurance companies in the market. A few mergers and acquisitions are in the pipeline.

The industry today is in a state of flux. Surrounded by political uncertainty, slower economic growth, regulatory changes and increased competition, insurance companies are looking to increase profitability, manage expenses and improve persistency.

Indonesia

Indonesia is one of Southeast Asia’s largest economies and presents a huge untapped market for the insurance industry. An expanding middle class and the young demographics of the population are creating a vast platform for savings and investment products, and as life insurance continues to show exponential growth, the microinsurance market is gaining traction with low-income consumers.

Against this backdrop, the Indonesian insurance industry is being shaped by changing regulations and stricter capital requirements that are aimed at introducing greater transparency and stability. In this transformed regulatory landscape, there are more new entrants to the market and greater opportunities for mergers, acquisitions and joint partnerships.

Malaysia 

Malaysia has a well-developed, stable economy that continues to attract insurers. The GDP is growing at nearly 6%, and unemployment and inflation are relatively low. Demographics and strong economic growth have helped to develop a strong market for takaful insurance and bancassurance. In recent years, the country has undertaken wide-ranging reforms aimed at improving regulatory efficiency and opening the door to greater competition in financial services.

The Malaysian insurance industry, like others in the Asia-Pacific region, is struggling with depressed investment returns, higher volatility in capital markets and increased pressure on the cost of capital. Against this business landscape, the industry appears to welcome regulatory changes. However, there are also concerns that some of these changes are diverting attention from key issues, such as improving portfolio returns and new business.

Singapore

The Monetary Authority of Singapore is finalizing the risk calibration and features of the RBC framework, with implementation expected from Jan. 1, 2017.

The RBC framework for insurers was first introduced in Singapore in 2004. It adopts a risk-focused approach to assessing capital adequacy and seeks to reflect most of the relevant risks that insurers face. The minimum capital prescribed under the framework serves as a buffer to absorb losses. The framework also facilitates an early intervention by the Monetary Authority of Singapore (MAS), if necessary.

While the RBC framework has served the Singapore insurance industry well, MAS has embarked on a review of the framework (coined “RBC 2 review”) in light of evolving market practices and global regulatory developments. The first industry consultation was conducted in June 2012, in which the MAS proposed a number of changes and an RBC 2 roadmap for implementation.

South Korea

The regulatory authority for the Korean financial services industry, the Financial Supervisory Service (FSS), introduced RBC in April 2009. In replacing the Solvency I requirement, the RBC scheme aims to strengthen the soundness and stability of the overall insurance industry.

In the rapidly changing insurance market, FSS has to review the RBC regime continuously to ensure that it serves the intended purpose. This effort included some changes in 2012, such as subdividing capital classes and categorizing risk factors in accordance with the types of risks transferred to insurance companies. Moreover, FSS enhanced the RBC calculation methodology by adding reverse margin risk as part of interest rate risk in 2013 and by raising the confidence level of risk factors for insurance risk early in 2014.

In light of the recent enhancements, some insurance companies’ solvency margin ratio has fallen below the FSS’s recommended ratio of 150%. As a result, these insurers have had to raise capital through alternative options such as issuing subordinated bonds.

Thailand

The Office of Insurance Commission (OIC) implemented a risk-based capital (RBC) framework and gross premium valuation (GPV) regime in Thailand in September 2011.

The OIC rolled out two phases of parallel tests before the actual implementation of the RBC framework to gauge the impact on insurers and to gather industry response. The solvency requirement was also increased from 125% at the initial implementation to 140%. This became effective Jan. 1, 2013, to give insurers more time to respond to the changes.

In 2011, the Thai regulator granted temporary RBC exemptions and relaxed some of the restrictions. This was an effort to help local general insurers overcome financial difficulty caused by flood losses that occurred that year, as the floods coincided with implementation of the RBC framework.


ERM Alive and Well in Middle East

Having returned from a week in Dubai, where I co-chaired the 4th Annual Middle East and North African ERM Conference and led a two-day workshop on risk and strategy, I am pleased to report that ERM is alive and well half-way around the world. This reinforces my similar experience at the same forum (2nd annual) in 2012. While there may be a perception of free-flowing money and excess in this region, it is clear that key companies in many industries, including finance, energy and healthcare, face most of the same challenges in driving effective risk management strategies and programs as many of the companies in the West. Even though many risk leaders in the Middle East gained their educational backgrounds in Western institutions, where in many cases ERM is still a suspect discipline, many have nevertheless gained significant traction with advanced risk management strategies in their companies.

An interesting angle was revealed at the MENA conference that raises challenging questions for many of these practitioners. It emerged first as an informal, anecdotal comment about the challenge of raising the profile and effectiveness of risk management functions where there was little or no tolerance for risk. While most risk professionals face this challenge at one point or another in their careers, it appears more widespread in this region. The question is: why, and how do you manage through this dilemma?

First, recognize that all organizations have a risk attitude that ranges from extreme risk aversion to a radically risk-seeking culture — you have a risk culture by default, if you don’t actively design and implement the risk culture you desire. Most often, the actual risk attitude plays itself out in risk-taking behaviors that form the basis for a risk-appetite framework and strategy. Within the context of a risk culture, which is defined primarily by the risk-taking behaviors of employees, every person has a risk attitude and appetite for risk.

The collection of these appetites and associated risk-taking behaviors can lead to what the MENA region seems to reflect, namely little or no tolerance for certain risks. That risk culture will frequently lead to performance issues or product/service pricing challenges that affect competitiveness and reputation. While it is appropriate to avoid certain risks, doing so is generally a bad choice when growth through innovation is desired; risk-taking comes with that strategy.

So attendees at MENA and others who wrestle with risk aversion should realize that this is incompatible with long-term success in a competitive environment. As a result, they should commit to developing a consensus for a risk culture that aligns with an appetite for risk that is consistent with balanced or prudent risk taking.