Mastering Risk with “Data-Driven GRC”

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhances the opportunity to address emerging risk landscapes and, in turn, maximizes the reliability of organizational performance. This paper examines the key opportunities to leverage change, both from a risk and from an organizational performance management perspective, to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Functional Stakeholders of GRC Processes and Technology

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. It distinguishes and describes three role- and responsibility-driven functions:

  • Those that own and manage risks (management – the “first line”)
  • Those that oversee risks (risk, compliance, financial controls, IT – the “second line”)
  • Those functions that provide independent assurance over risks (internal audit – the “third line”)

The overarching context of these three lines acknowledges the broader role of organizational governance and governing bodies.

Technology Deficiencies in the Three Lines of Defense

Since the Sarbanes-Oxley Act of 2002, the use of technology in risk and control related processes has started to take meaningful shape in many organizations. However, looking across the risk and control oriented functions in most organizations, technology is still typically used on a departmental or point-solution basis.

Third Line (internal audit) use of risk & control technology

For the past decade, surveys of internal auditors have consistently identified more effective use of technology as among the most pressing issues facing the profession. The same surveys point to the need for increased use of technology for audit analysis, fraud detection, and continuous auditing, and other surveys highlight a shortage of technology and data analysis skills within audit departments.

Much of the driving force for improving the use of technology is based on the desire to make the audit process itself more efficient and more effective, as well as to deliver more tangible value to the rest of the organization.

During the past decade, the role of the internal audit function itself has changed considerably. Internal audit’s traditional focus on cyclical audits and testing internal controls is evolving into one in which internal audit is expected to assess and report on the effectiveness of management’s processes to address risk overall. This often includes providing guidance and consultation to the business on best practices for managing risk and compliance within business process areas and maintaining effective control systems. The use of technology is an increasingly critical component of these best practices and in some cases internal audit is able to champion the implementation of high-impact, high-value technology within the business’s risk management and compliance processes, based on their own experience in using technology for assurance purposes.

There is considerable variation in the extent to which internal audit departments leverage technology. However, for audit to be truly valuable and relevant in the context of organizational strategy, a significant improvement is required across the board: internal audit as a profession is simply not moving forward at the pace of technology.

Some specific statistics from recent research reveal:

  • Only approximately 40% of internal audit departments use audit and documentation management systems from specialized vendors. The remainder use disorganized tools and processes, typically based on Microsoft Office® & shared folders.
  • Audit programs for specific business process areas and industries are usually developed through a combination of previously used programs and those shared on various audit-related websites. This approach does not address organization-specific risk.
  • Next generation testing techniques, especially data analytics, are overwhelmingly underutilized.

Second Line (risk, compliance, financial controls, IT) use of risk & control technology

Outside of audit, in other areas of risk and compliance, some organizations have acquired specialized departmental software, but the majority use only basic Office tools to maintain inventories of risks, document controls and perform risk assessments. In larger enterprises, it is not unusual to have a variety of different technologies and approaches applied in different operational entities or in different functional areas. This approach is usually more costly and less effective than one based on a common platform. Effective testing methods using technology are usually unavailable or left unconsidered.

In fact, second line of defense functions often rely heavily on inquiry-based methods such as surveying, which are poor at identifying the actual manifestations of risk in the organization. Where analytical software is used in the business for investigations or transaction monitoring, in many cases it is standard query tooling or some form of generic business intelligence (BI) technology. BI tools are good at providing summary-level information or high-level trends but struggle to show the root cause of problems, and while they may have some capability to flag exceptions or to prevent fraud and errors from occurring, they are not sufficient to reliably trap the typical problem transactions that do occur.

First Line (management) use of risk & control technology

While in some cases first line management has access to better technology for specific pain points (e.g., continuous transaction monitoring used within finance departments), there is a common tendency for management to place far too much reliance on core business systems for effective control. The large ERP and other system vendors appear to offer extensive capabilities for preventing control deficiencies, but these are very large and complex systems, and internal controls are usually an afterthought for those implementing them rather than a core focus. In many cases certain control settings (for example, segregation-of-duties checks or tolerance limits on invoice matching) are switched off so that the ERP system runs more efficiently or raises fewer exceptions.

An integrated approach to managing risks and monitoring controls, in collaboration with the second and third lines of defense and using a common, independent methodology and technology platform, typically proves the most effective way of accomplishing management’s key risk mitigation strategies.
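To make the preceding points concrete, here is an added example (not code from ACL or from the white paper) of the transaction-level exception tests that the second and third lines run over accounts-payable data and that generic BI tooling struggles with: duplicate payments, purchases split to stay under an approval threshold, and a segregation-of-duties breach where the requester approves their own payment. The records, field names, threshold and window are constructed for the example.

```python
"""Added example, not code from ACL or from the white paper: three
transaction-level exception tests of the kind the text says BI tooling
struggles to perform. Records, field names and the threshold are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed accounts-payable sample (assumed schema). A real run would read
# these from the ERP's payment and invoice tables, with amounts as Decimal.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-1", "amount": 4900.00,
     "date": date(2024, 3, 1), "requester": "alice", "approver": "bob"},
    {"id": 2, "vendor": "V100", "invoice": "INV-2", "amount": 4900.00,
     "date": date(2024, 3, 1), "requester": "alice", "approver": "bob"},
    {"id": 3, "vendor": "V100", "invoice": "INV-3", "amount": 4950.00,
     "date": date(2024, 3, 2), "requester": "alice", "approver": "bob"},
    {"id": 4, "vendor": "V200", "invoice": "INV-9", "amount": 12000.00,
     "date": date(2024, 3, 5), "requester": "carol", "approver": "carol"},
    {"id": 5, "vendor": "V300", "invoice": "INV-7", "amount": 800.00,
     "date": date(2024, 3, 6), "requester": "dave", "approver": "erin"},
    {"id": 6, "vendor": "V300", "invoice": "INV-7", "amount": 800.00,
     "date": date(2024, 3, 20), "requester": "dave", "approver": "erin"},
]

APPROVAL_THRESHOLD = 5000.00      # assumed: at or above this a second approver is required
SPLIT_WINDOW = timedelta(days=3)  # assumed: look-back window for split purchases


def duplicate_payments(payments):
    """Groups of payment ids sharing vendor+invoice number, or vendor+amount+date.
    Either pattern is the usual signature of an invoice paid twice."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[("inv", p["vendor"], p["invoice"])].append(p["id"])
        by_key[("amt", p["vendor"], p["amount"], p["date"])].append(p["id"])
    return sorted({tuple(ids) for ids in by_key.values() if len(ids) > 1})


def split_transactions(payments, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Runs of sub-threshold payments to one vendor, requested by one person,
    inside `window`, whose total crosses the threshold: the pattern used to
    avoid the second approval."""
    groups = defaultdict(list)
    for p in payments:
        if p["amount"] < threshold:
            groups[(p["vendor"], p["requester"])].append(p)
    hits = []
    for (vendor, requester), ps in groups.items():
        ps.sort(key=lambda p: p["date"])
        for i, first in enumerate(ps):
            run = [q for q in ps[i:] if q["date"] - first["date"] <= window]
            if len(run) > 1 and sum(q["amount"] for q in run) >= threshold:
                hits.append((vendor, requester, tuple(q["id"] for q in run)))
                break  # one finding per vendor/requester pair is enough
    return hits


def sod_violations(payments):
    """Segregation of duties: a requester must never approve their own payment.
    This is the kind of ERP control that tends to be switched off."""
    return [p["id"] for p in payments if p["requester"] == p["approver"]]


def run_all(payments):
    """All three tests over one data set, as an audit script would report them."""
    return {
        "duplicates": duplicate_payments(payments),
        "splits": split_transactions(payments),
        "sod": sod_violations(payments),
    }


if __name__ == "__main__":
    for test, findings in run_all(PAYMENTS).items():
        print(f"{test}: {findings}")
```

Each test is a full-population check rather than a sample, which is what distinguishes this kind of analytic from the summary views a BI dashboard offers: the result is the list of offending transactions, not a trend line.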


 

Click here to access ACL’s White Paper

By investing heavily in start-ups and technology, (re)insurance companies appear to have assumed a semblance of control over the InsurTech revolution

Who Benefits from Modularization?

With technology moving forward at an unprecedented pace, incumbents are increasingly electing to outsource functions to highly specialized new entrants, renting evolving modules of technology that can be tailored to suit their individual needs. Though this approach may be more cost effective, it further fuels the question of whether incumbents will allow value in the industry to shift towards new entrants. In time, market participants will come to understand which module in the chain generates the most value. It is plausible that automation in distribution will shift value towards efficiency of internal processes that support cutting-edge modeling and underwriting engines.


The State of InsurTech

InsurTech funding volume increased 36% year-over-year in 2017, demonstrating that technology driven innovation remains a core focus area for (re)insurance companies and investors heading into 2018. However, perhaps contrary to many of the opinions championed in editorial and press coverage of the InsurTech sector, further analysis of the growing number of start-ups successfully attracting capital from (re)insurers and financial investors reveals that the majority of InsurTech ventures are not focused on displacing incumbents by disrupting the pressured insurance value chain. According to research from McKinsey & Company,

  • 61% of InsurTech companies aim to enable the value chain,
  • 30% are attempting to disintermediate incumbents from customers, and
  • 9% are targeting full scale value chain disruption.

Has the hype surrounding InsurTech fostered unjustified fear from overly defensive incumbents?

We have taken this analysis a step further by tracking funding volume from strategic (re)insurers versus financial investors, split between InsurTechs that enable the value chain and those attempting to disintermediate customers from incumbents or disrupt the value chain altogether. 65% of strategic (re)insurer InsurTech investments have been concentrated in companies enabling the value chain, with only 35% going to start-ups with more disruptive business models. What does this mean? While recognizing the subjective nature of inferring an early stage company’s ultimate industry application at maturity from its initial focus, we attribute this pattern to the tendency of incumbents, consciously or subconsciously, to encourage development of less perceptibly threatening innovation while avoiding more radical, potentially intimidating technologies and applications.

Recognizing that this behavior may allow incumbents to preserve a palatable status quo, it should be considered in the context in which individual investments are evaluated: on the basis of expected benefits relative to potential risk. The benefits that InsurTechs offer to incumbents are listed in a figure in the original briefing:

[Figure from the original briefing: benefits that InsurTechs offer to incumbents]

Segmenting the InsurTech Universe

As InsurTech start-ups continue to emerge across the various components of the insurance value chain and business lines, incumbents and investors are evaluating opportunities to deploy these applications in the insurance industry today and in the future. To simplify the process of identifying useful and potentially transformational technologies and applications, we have endeavored to segment the increasingly broad universe of InsurTech companies by their core function into four categories:

  1. Product & Distribution
  2. Business Process Enhancement
  3. Data & Analytics
  4. Claims Management

This exercise is complicated by the tendency of companies to operate across multiple functions, so significant professional judgment was used in determining the assignment for each company. The criteria used to determine placement are summarized in a figure in the original briefing. The full briefing also includes market maps giving a high level perspective of the number of players in each category, a competitive assessment of each subsector and our expectations for each market going forward, followed by selected companies in each category ranked by the amount of funding raised to date, detailed overviews, and Q&A with representative companies from each subsector.

[Figure from the original briefing: placement criteria for the four categories]

Click here to access WTW’s detailed briefing

Insurance Data Integrated Platform

The insurance industry today is poised for a paradigm shift in the way that technology is deployed to provide products and services to customers. This has primarily been driven by changing business needs and the innovations brought about by myriad InsurTech firms, leading to an inevitable shift towards adopting the new digital innovations.

Analysts forecast significant investment in the digitalization of the industry and expect it to continue for several years. It is also expected that an increasing number of new insurance companies will be launched by technology companies, bringing better products, services and customer service to the insurance industry.

A forward-looking plan of action, sufficient operational flexibility, an effective implementation strategy, and a willingness to adopt digital disruptions in every aspect of their organization – those insurers that have all of the above can position themselves to leverage the impending digital disruptions to propel their organization to the very forefront of the industry.

DEALING WITH THE DIGITALIZATION OF THE INSURANCE INDUSTRY

These adopters of digital technology will have a clear upper hand against their competition. Suitably equipped to cut costs and design more attractive offerings, the digital insurance carriers are sure to acquire a whole new set of customers, thus increasing market share. Those who fail to quickly adopt the new technologies, on the other hand, will struggle to maintain their competitive positions in the midst of a customer-centric, price-sensitive market.

Data has always been at the center of the insurance industry, and despite the changes to come, data will remain its focal point. In fact, it is set to play a bigger role than ever before.

The continued criticality of data in the insurance landscape is ensured by carriers’ need for information-driven strategies in the digitalized business scenario. They’ll have to leverage data as an asset, enabling automated decision-making in critical business processes, in order to thrive. This, in turn, is why a digital business technology platform – one that incorporates information management and analytical capabilities – will become a necessity in the future.

Without a system in place to support the analytics and reporting needs of the business, decision-makers may be left with no choice but to rely on conventional, time-consuming manual processes that are more qualitative than quantitative in nature. This is bound to cause serious repercussions for the organization, ultimately resulting in missed opportunities and loss of competitiveness.

According to a Gartner study, the following two technology platforms are essential for any digital business:

  1. Data and analytics platform – This platform should consist of data management programs and analytics applications to enable data-driven decision making
  2. Ecosystems platform – This platform’s role should be to support the creation of and connection to external ecosystems, marketplaces, and communities


 

Click here to access MFX’s detailed White Paper

 

The General Data Protection Regulation (GDPR) Primer – What The Insurance Industry Needs To Know, And How To Overcome Cyber Risk Liability As A Result.

SCOPE

The regulation applies to the processing of personal data in the context of the activities of an EU establishment of the

  • data controller (the organization that determines the purposes and means of processing, e.g. the insurer collecting data from policyholders)
  • or processor (an organization that processes data on behalf of the controller, e.g. a cloud service provider),

regardless of whether the processing itself takes place in the EU. It also applies to controllers and processors based outside the European Union if they offer goods or services to data subjects who are in the EU, or monitor their behaviour there (Article 3). Per the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from

  • a name,
  • a home address,
  • a photo,
  • an email address,
  • bank details,
  • posts on social networking websites,
  • medical information,
  • or a computer’s IP address.”

The regulation does not apply to the processing of personal data for national security purposes, to purely personal or household activities, or to processing by competent authorities for law enforcement; the last of these is covered by a separate instrument in the data protection reform package, Directive (EU) 2016/680 for the police and criminal justice sector, which provides rules on personal data exchanges at national, European and international level.

SINGLE SET OF RULES AND ONE-STOP SHOP

A single set of rules applies to all EU member states. Each member state establishes an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative breaches, etc. SAs in each member state cooperate with other SAs, providing mutual assistance and organizing joint operations. Where a business has multiple establishments in the EU, it has a single SA as its “lead authority”, based on the location of its “main establishment” (generally the place of its central administration in the EU, unless decisions on the purposes and means of processing are taken in another establishment). The lead authority acts as a “one-stop shop” to supervise all the processing activities of that business throughout the EU. The European Data Protection Board (EDPB) coordinates the SAs.

There are exceptions for data processed in an employment context (Article 88) and for certain security-related processing, which may still be subject to individual member state rules.

RESPONSIBILITY AND ACCOUNTABILITY

The notice (transparency) requirements remain and are expanded (Articles 13 and 14): notices must state the retention period for personal data (or the criteria used to determine it) and give the contact details of the data controller and, where one has been appointed, of the data protection officer.

Automated individual decision-making, including profiling (Article 22), is restricted. Data subjects have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them, and where such processing is permitted (e.g. it is necessary for a contract or based on explicit consent), the right to obtain human intervention, to express their point of view and to contest the decision.

To be able to demonstrate compliance with the GDPR, the data controller must implement measures that meet the principles of data protection by design and by default (Article 25). These principles require that data protection measures be designed into the development of business processes, products and services, and that by default only the personal data necessary for each specific purpose is processed. Pseudonymizing personal data as early as possible is the example the Regulation itself gives of such a measure.
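As an added example of what pseudonymization by design looks like in code (this is not code from Clarium’s primer), the block below replaces direct identifiers in claims records with keyed HMAC-SHA256 tokens. The key is the “additional information” that GDPR Article 4(5) requires to be kept separately from the pseudonymized data; records about one person stay linkable for analytics, and the weak variant (an unkeyed hash) is shown beside it to demonstrate why a secret key is what makes the tokens pseudonymous at all. The field names, sample records and key are constructed for the example.

```python
"""Added example (not code from the primer): pseudonymisation of direct
identifiers as a data-protection-by-design measure. Tokens are a keyed
HMAC-SHA256 of (field, value); the key is the "additional information" that
must be kept separately from the pseudonymised data set (GDPR Article 4(5)).
Field names, the sample records and the key are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed schema: the fields that directly identify a person in a claims record.
DIRECT_IDENTIFIERS = {"name", "email", "policy_number"}

# Constructed sample records (not real people).
CLAIMS = [
    {"claim_id": "C-1", "name": "Ada Example", "email": "ada@example.com",
     "policy_number": "P-4711", "loss_type": "water", "amount": 1200},
    {"claim_id": "C-2", "name": "Ada Example", "email": "ada@example.com",
     "policy_number": "P-4711", "loss_type": "theft", "amount": 300},
    {"claim_id": "C-3", "name": "Bob Example", "email": "bob@example.com",
     "policy_number": "P-4712", "loss_type": "water", "amount": 5000},
]


def new_key() -> bytes:
    """32 random bytes, generated and held by the controller (e.g. in a KMS),
    never shipped with the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic token: same (field, value) -> same token under one key, so
    records about one person remain linkable. The field name is mixed in with a
    separator so the same string in two fields yields two different tokens."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers, leave the analytic fields untouched."""
    return {k: pseudonym(key, k, v) if k in DIRECT_IDENTIFIERS else v
            for k, v in record.items()}


def reidentification_table(records: list, key: bytes) -> dict:
    """token -> original value. This table (or simply the key) is what the
    controller keeps separately; with it, processing can be reversed when a
    data subject exercises their rights, without it the data set is opaque."""
    table = {}
    for r in records:
        for k in DIRECT_IDENTIFIERS:
            if k in r:
                table[pseudonym(key, k, r[k])] = r[k]
    return table


def unkeyed_hash(value: str) -> str:
    """The weak variant: plain SHA-256 of the value with no secret. It looks
    opaque but is reversible by anyone who can guess the input space."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover_unkeyed(token: str, candidates: list) -> Optional[str]:
    """Enumerate likely inputs (e-mail lists, policy number ranges, dates of
    birth) and match the hash. The same attack fails against pseudonym()
    because the attacker does not hold the key."""
    for c in candidates:
        if unkeyed_hash(c) == token:
            return c
    return None


if __name__ == "__main__":
    key = new_key()
    for claim in CLAIMS:
        print(pseudonymise(claim, key))
```

Note that a keyed token is only as secret as the key: if the key travels with the data set (or the processor holding the data also holds the key), the result is no longer pseudonymous from that party’s point of view, which is why Article 4(5) insists on separate storage and access controls for the additional information.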

It is the responsibility and liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities, even where the processing is carried out by a data processor on behalf of the controller.

Data Protection Impact Assessments (Article 35) must be conducted where processing is likely to result in a high risk to the rights and freedoms of data subjects. The assessment must identify and mitigate those risks, and where it shows a high risk that the controller cannot sufficiently mitigate, the controller must consult the supervisory authority before processing begins (Article 36). Data Protection Officers (DPO) monitor compliance within organizations.

A DPO must be designated (Article 37) where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.


 

Click here to access Clarium’s detailed paper

Mastering Risk with “Data-Driven GRC”

Overview

The world is changing. The emerging risk landscape in almost every industry vertical has changed. Effective methodologies for managing risk have changed (whatever your perspective:

  • internal audit,
  • external audit/consulting,
  • compliance,
  • enterprise risk management,

or otherwise).

Finally, technology itself has changed, and technology consumers expect to realize more value, from technology that is more approachable, at lower cost.

How are these factors driving change in organizations?

Emerging Risk Landscapes

Risk has the attention of top executives. Risk shifts quickly in an economy where “speed of change” is the true currency of business, and it emerges in entirely new forms in a world where globalization and automation are forcing shifts in the core values and initiatives of global enterprises.

Evolving Governance, Risk, and Compliance Methodologies

Across risk and control oriented functions spanning a variety of

  • audit functions,
  • fraud,
  • compliance,
  • quality management,
  • enterprise risk management,
  • financial control,

and many more, global organizations are acknowledging a need to provide more risk coverage at lower cost (measured in both time and currency), which is driving reinventions of methodology and automation.

Empowerment Through Technology

Gartner, the leading analyst firm in the enterprise IT space, is very clear that the convergence of four forces,

  • Cloud,
  • Mobile,
  • Data,
  • and Social

is driving the empowerment of individuals as they interact with each other and with their information through well-designed technology. In most organizations, there is no coordinated effort to leverage the organizational changes emerging from these three drivers (the risk landscape, methodology, and technology) in order to develop an integrated approach to mastering risk management. The emerging opportunity is to leverage the change that is occurring to develop new programs; not just for technology, of course, but also for the critical people, methodology, and process issues. The goal is to provide senior management with a comprehensive and dynamic view of how effectively the organization is managing risk and embracing change, set in the context of overall strategic and operational objectives.


Click here to access ACL’s detailed White Paper