Tag Archives: risk tolerance

Cyber: A Huge and Still-Untapped Market

Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers. We estimate that annual gross written premiums are set to increase from around $2.5 billion today to reach $7.5 billion by the end of the decade.

Businesses across all sectors are beginning to recognize the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape. In turn, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market. Yet many others are still wary of cyber risk. How long can they remain on the sidelines? Cyber insurance could soon become a client expectation, and insurers that are unwilling to embrace it risk losing out on other business opportunities.

In the meantime, many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. The immediate priority is to evaluate and manage these “buried” exposures.

Critical exposures

Part of the challenge is that cyber risk isn’t like any other risk that insurers and reinsurers have ever had to underwrite. There is limited publicly available data on the scale and financial impact of attacks. The difficulties created by the minimal data are heightened by the speed with which the threats are evolving and proliferating. While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn’t enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders.

A UK government report estimates that the insurance industry’s global cyber risk exposure is already in the region of £100 billion ($150 billion), more than a third of the Centre for Strategic and International Studies’ estimate of the annual losses from cyber attacks ($400 billion). And while the scale of the potential losses is on a par with natural catastrophes, incidents are much more frequent. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a fast sequence of high-loss events.

Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty. They are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions. However, many clients are starting to question the real value these policies offer, which may restrict market growth.

Insurers and reinsurers need more rigorous and relevant risk evaluation built around more reliable data, more effective scenario analysis and partnerships with government, technology companies and specialist firms. Rather than simply relying on blanket policy restrictions to control exposures, insurers should make coverage conditional on regular risk assessments of the client’s operations and the actions they take in response to the issues identified in these regular reviews. The depth of the assessment should reflect the risks within the client’s industry sector and the coverage limits.

This more informed approach would enable your business to reduce uncertain exposures while offering the types of coverage and more attractive premium rates clients want. Your clients would, in turn, benefit from more transparent and cost-effective coverage.

Opportunities for Growth

There is no doubt that cyber insurance offers considerable opportunity for revenue growth.

An estimated $2.5 billion in cyber insurance premium was written in 2014. Some 90% of cyber insurance is purchased by U.S. companies, underlining the size of the opportunities for further market expansion worldwide.

In the UK, only 2% of companies have standalone cyber insurance. Even in the more penetrated U.S. market, only around a third of companies have some form of cyber coverage. There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the U.S. holding standalone cyber insurance, compared with around 50% in the healthcare, technology and retail sectors. As recognition of cyber threats increases, take-up of cyber insurance in under-penetrated industries and countries continues to grow, and companies face demands to disclose whether they have cyber coverage (examples include the U.S. Securities and Exchange Commission’s disclosure guidance).

We estimate that the cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.

There is a strong appetite among underwriters for further expansion in cyber insurance writings, reflecting what would appear to be favorable prices in comparison with other areas of a generally soft market — the cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more-established general liability risks. Part of the reason for the high prices is the still limited number of insurers offering such coverage, though a much bigger reason is the uncertainty around how much to put aside for potential losses.

Many insurers are also setting limits below the levels sought by their clients (the maximum is $500 million, though most large companies have difficulty securing more than $300 million). Insurers may also impose restrictive exclusions and conditions. Some common conditions, such as state-of-the-art data encryption or 100% updated security patch clauses, are difficult for any business to maintain. Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their cyber insurance policies are delivering real value. Such misgivings could hold back growth in the short term. There is also a possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.

Cyber Sustainability

We believe there are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth:

1. Judging what you could lose and how much you can afford to lose

Pricing will continue to be as much of an art as a science in the absence of robust actuarial data. But it may be possible to develop a much clearer picture of your total maximum loss and match this against your risk appetite and risk tolerances. This could be especially useful in helping your business judge what industries to focus on, when to curtail underwriting and where there may be room for further coverage.

Key inputs include worst-case scenario analysis for your particular portfolio. If your clients include a lot of U.S. power companies, for example, what losses could result from a major attack on the U.S. grid? A recent report based around a “plausible but extreme” scenario in which a sophisticated group of hackers were able to compromise the U.S. electrical grid estimated that insurance companies would face claims ranging from $21 billion to $71 billion, depending on the size and scope of the attack. What proportion of these claims would your business be liable for? What steps could you take now to mitigate the losses in areas ranging from reducing risk concentrations in your portfolio to working with clients to improve safeguards and crisis planning?

2. Sharpen intelligence

To develop more effective threat and client vulnerability assessments, it will be important to bring in people from technology companies and intelligence agencies. The resulting risk evaluation, screening and pricing process would be a partnership between your existing actuaries and underwriters, focusing on the compensation and other third-party liabilities, and technology experts who would concentrate on the data and systems area. This is akin to the partnership between CRO and CIO teams that are being developed to combat cyber threats within many businesses.

3. Risk-based conditions

Many insurers now impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder’s vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within your client’s business. It could also include threat intelligence assessments, which would draw on the evaluations of threats to industries or particular enterprises, provided by government agencies and other credible sources. It could also include exercises that mimic attacks to test weaknesses and plans for response. As a condition of coverage, you could then specify the implementation of appropriate prevention and detection technologies and procedures.

Your business would benefit from a better understanding and control of the risks you choose to accept, hence lowering exposures, and the ability to offer keener pricing. Clients would in turn be able to secure more effective and cost-efficient insurance protection. These assessments could also help to cement a closer relationship with clients and provide the foundation for fee-based advisory services.

4. Share more data

More effective data sharing is the key to greater pricing accuracy. Client companies have been wary of admitting breaches for reputation reasons, while insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the U.S., which is now set to be replicated in the EU, could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives (e.g., MAS in Singapore or the UK’s Cyber Security Information Sharing Partnership). Data pooling on operational risk, through ORIC, provides a precedent for more industry-wide sharing.

5. Real-time policy update

Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.

6. Hybrid risk transfer

While the cyber reinsurance market is less developed than its direct counterpart, a better understanding of the evolving threat and maximum loss scenarios could encourage more reinsurance companies to enter the market. Risk transfer structures are likely to include traditional excess of loss reinsurance in the lower layers, with capital market structures being developed for peak losses. Possible options might include indemnity or industry loss warranty structures or some form of contingent capital. Such capital market structures could prove appealing to investors looking for diversification and yield. Fund managers and investment banks can bring in expertise from reinsurers or technology companies to develop appropriate evaluation techniques.

7. Risk facilitation

Given the ever more complex and uncertain loss drivers surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions, including the standards for cyber insurance that many governments are keen to introduce.

8. Build credibility through effective in-house safeguards

The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole. If your business can’t protect itself, why should policyholders trust you to protect them?

Banks have invested hundreds of millions of dollars in cyber security, bringing in people from intelligence agencies and even ex-hackers to advise on safeguards. Insurers also need to continue to invest appropriately in their own cyber security given the volume of sensitive policyholder information they hold, which, if compromised, would lead to a loss of trust that would be extremely difficult to restore. The sensitive data held by cyber insurers that hackers might well want to gain access to includes information on clients’ cyber risks and defenses.

The starting point is for boards to take the lead in evaluating and tackling cyber risk within their own business, rather than simply seeing this as a matter for IT or compliance.

See the full report here.

How to Understand Your Risk Landscape

This is part two of a series of five on the topic of risk appetite and its associated FAQs.

The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.

The Risk Landscape

Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.

First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives?  Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?

To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.

It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated

Crucially, risk is now defined as “the effect of uncertainty on objectives.”

It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.

Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:

1.  Risk appetite: While we now have a globally accepted risk management standard3 and sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.

2.  Risk reporting: In relation to risk reporting, two significant matters arise:

Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric4 approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.

Note: RMI supports the adoption of a board-driven, objectives-centric approach5 to reporting and monitoring risks to operations, the business model and reputation.

Risk registers and other reporting tools detail known risks and what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such they tend to be of limited value in terms of reporting or monitoring either unknown knowns6, or unknown unknown7 risks. This is a matter that should give boards cause for concern given pace of change, hyper-connectivity and the disruptive nature of new technologies.

3.  Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.

The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on the use of disparate Excel spreadsheets, word documents and Power Points with weak controls over the efficacy of copying and pasting of data from one level of report to another.

Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.

For example:

a.    Comprehensive training for business line managers and supervisors on:

  •  (Risk) Management Processes,
  •  (Risk) Vocabulary,
  •  (Risk) Reporting,
  •  Board (Risk) Assurance Requirements

b.    Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,  

c.   System8 put to process through the use of database/work flow solutions, providing an evidence basis of assurance that:

  • The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
  • Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change
  • Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
  • Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.

4.  Lack of understanding of the nature of the risks that need to be mastered in the boardroom:

Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health safety, etc. — and there are multiple categories of risk. But what is uncertainty?

Uncertainty9 is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

There are essentially two kinds of uncertainty:

1.   Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.

Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.

Measurable uncertainties are funded out of operating profits.

2.   Unmeasurable uncertainties:  These are inherently un-insurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc. they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.

Un-measurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks10 that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.

Un-measurable uncertainties are funded out of the balance sheet.

The hyper-connected and multispeed world in which we live today has driven the effect of un-measurable uncertainties on company objectives to unprecedented, heights, and so amplified the risk potential enormously.

5.  Urgent need to recognize the mission-critical importance of building  and preparing management to always be prepared to offer credible solutions in the face of unexpected shocks and surprises  Figure 1 below describes the evolution of risk management as depicted within the red dotted line11 and the next stage of the evolution (resilience) as envisioned by RMI.

RMIFINAL

Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk  

Resilience was the theme that ran through the World Economic Forum: Global Risks 2013, Eight Edition Report.  Resilience was described as capability to

  1. Adapt to changing contexts,
  2. Withstand sudden shocks, and
  3. Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.

The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).

The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes12) recently published a concise and practical taxonomy that may also be used to consider global risks13.

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.

When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.

Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.

table3

It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:

  • Lloyds: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
  • PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
  • S&P: Risks that do not currently exist,

The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:

  1. Financial volatility (24% of respondents)
  2. Cyber security/interconnectedness of infrastructure (14%)
  3. Liability regimes/regulatory framework (10%)
  4. Blowup in asset prices (8%)
  5. Chinese economic hard landing (6%)

Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction15.

References:

Influenced by COSO (Committee of Sponsoring Organizations of the Threadway Commission, Enterprise Risk Management (ERM)  Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens

2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.

4 Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication by Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman

5  The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech

6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)

7An unknown unknown risk is a so called black-swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)

8 Specified to the ISO 31000 series

9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard

10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman

11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management : Frameworks, Elements and Integration

12 Managing Risks: A New Framework

13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).

14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK,

15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term;

5 Issues for Boards on Risk Appetite

Many have struggled to find and articulate a risk appetite. It is actually not too hard to find, if you know where to look. It is right there – on the border.

Risk appetite is the border between the board and management. Once management has proposed a risk appetite and the board has approved it, then management is empowered to take risks. As long as the risks are within the risk appetite, then management does not need to inform the board until after taking those risks. If management plans to take risks that are outside of the risk appetite, then executives must go to the board in advance for permission.

That, of course, is just the bare minimum communication with the board about risk. There are five topics that make up a good level of board communications:

1. Risk appetite and plan
2. Risk position and profile
3. Top=risk mitigation and capabilities
4. Emerging risks
5. Major changes to risk environment and risk plan

The first and last items are the subject here. The other topics will be covered in later posts.

Notice that the first item on the list above is appetite AND Plan. Before discussing risk appetite, both management and the board need to be very familiar with the company’s historic levels of risk and the intentions for risk level. If there is no history of risk planning, it is totally premature to even discuss risk appetite.

It is doubtless true in all cases that management has vast experience with risk taking, as well as experience with risk taking that ended up creating losses or other undesirable adverse consequences. But unless there has been experience of planned and monitored risk taking, there is a natural propensity to start with the presumption that, in the past, the highest-risk activities are those that ended in losses and that activities that did not end up with losses were lower-risk. While losses are a good indication of one sort of risk, they are not the only way to assess risk.

Imagine the risk of an earthquake in a specific area. There have been no earthquake losses there in living memory. But that doesn’t mean that there is no risk. There was a devastating earthquake there just 150 years ago, thus there is certainly some potential for future events.

Risk is not loss, and loss is not risk. Risk is the potential for loss. It only exists in advance of an event. Loss is the negative outcome of an event.

Risk appetite sits on another border. That is the border between regular and extraordinary – mitigation, that is. For each of the major risks of a firm, we have a regular process for control, mitigation and treatment of risk that we have and and that we acquire. We also should have some idea of what we might do if the level of risk gets out of hand. For example, a life insurer writing variable annuities might have a hedging program that is used to mitigate unwanted equity market risk. A P&C insurer might have a reinsurance program to lay off excess aggregations of property risk. A bank might have a securitization program to mitigate the portion of mortgage risk that it does not want to keep. In all three cases, an unexpected jump in closing rate or a new very successful distributor might suddenly cause the level of residual risk after normal mitigation to become excessive.

Usually, this is evidenced by a weakening solvency margin. The company must go into extraordinary mitigation mode. That means that for the risk that has become excessive, or for another risk if they have a nimble risk steering function, there will need to be some major change in operations to bring the level of risk back into line. The choices for these extraordinary mitigations may be simple adjustments to the normal mitigation processes, a shift in hedging targets, a drop in the reinsurance retention or an increased emphasis on securitizing all tranches. But most often these extraordinary mitigations involve real changes to plans, such as a change in pricing structure, risk acceptance procedures, a change in product or distribution strategy to discourage the least profitable or highest risk sales or a change in a share buy-back plan. In the most extreme cases, there might be a need to temporarily shut down the source of the excessive risk.

Unexpected losses might also cause a sudden shift downward in risk capacity and therefore in risk appetite. In such cases, extraordinary mitigations will favor options that might speed the rebuilding of capital. In the most extreme cases, the final stage mitigation would be to sell an entire operation along with the embedded risk exposures.

Almost all of those extraordinary mitigation choices are not decisions that management prefers for businesses. But good managers have some advance idea of the priority order in which they might apply those tactics as well as the triggers for such actions. Those triggers are the boundary for risk taking. They are reflective of the risk appetite.

So if you recognize that risk appetite is this boundary condition, you realize that the talk you hear in some places of “allocating risk appetite” is not the approach that you want to take. What you really need is a risk target that is allocated. The risk target is your plan. It is not totally “efficient,” but there should be a buffer between the risk target and the risk appetite. That buffer allows for the fact that we do not control and may not even immediately notice all of the things that might cause our risk level to fluctuate, but we need a risk target because risk appetite is really the border that we hope not to cross.