Incumbents and InsurTechs must embrace each other’s unique strengths and work together

Executive summary

New challenges, changing business dynamics have set off a tectonic shift in the insurance industry

  • Customer expectations are evolving, offers are becoming more innovative, and new players are making their presence known.
  • Fundamental and significant challenges will require insurers’ immediate and considered attention.
  • As a result of these changing dynamics, incumbents and InsurTechs agree that collaboration with other industry players is necessary to create an integrated portfolio of offerings.

Insurers must support a platform that serves a broad spectrum of customer needs

  • The future marketplace will showcase a bouquet of offerings that caters to customers’ financial and non-financial needs.
  • Insurers need a structured approach to marketplace development that includes proper identification of customer preferences and relevant offerings, evaluation of best-fit partners, and an effective GTM strategy.
  • Today’s operating model will undergo a fundamental transformation as part of the inevitable path forward.

Experience-led digital offerings and seamless collaboration with ecosystem players will drive marketplace success

  • Insurers will need to tear down internal silos, seamlessly connect with ecosystem players, and be more inventive.
  • Our Inventive Insurer profile includes key characteristics:
    • intelligent insurer,
    • open insurer,
    • deep customer,
    • and product agility.

Incumbent-InsurTech collaboration can shore up competencies in preparation for the future

  • InsurTechs’ unique capabilities and agility make them ideal partners for incumbents aiming to carve out a substantive role in the new marketplace.
  • A successful holistic collaboration will focus on long-term benefits.

New ecosystem roles will evolve as the industry transitions toward the marketplace model

  • Industry players must decide how to successfully and profitably contribute to the new ecosystem based on their most compelling competencies, as well as market needs and the external environment.

There’s no looking back for today’s digitally-empowered consumers

Throughout the past decade, as smart technology tools became mainstream, consumer interaction with the world changed dramatically. Changing lifestyles, behavior, and preferences have created a digital-age paradigm. As smartphones and the internet unlock information and decision power, interconnectivity, personalization, and seamless omnichannel access have become must-haves.

So, what does this mean for insurers?

Policyholders seek new offerings: Traditional insurance policies may not fully meet customers’ changing needs and desire for add-on services, personalization, and flexible offerings. In fact, for nearly half of policyholders, the decision to continue with their insurer is influenced by the availability of these features and benefits, according to the World Insurance Report (WIR) 2019.1

The demand for digital transaction channels is up: The popularity of digital channels is gradually growing. More than half of insurance customers (nearly 52%) interviewed as part of the WIR 2018 placed high importance on the mobile and internet or a website channel for conducting insurance transactions.

Simplicity is the rationale behind genuinely digital products

Digital channels work best when insurers streamline and standardize products and processes so customers easily understand features and benefits and can make direct purchases online with ease. In short, insurers must simplify offerings to create genuinely
digital products.

  • Easy to understand: Policy details should be redesigned and reformatted for straightforward interpretation so customers can quickly make a buy/ no-buy decision. For example, Berkshire Hathaway’s Insurance Group (BiBerk) launched a comprehensive insurance product for small businesses that combines multiple coverages. Dubbed THREE, the new product is three-pages long and links coverage for workers compensation, liability (including general liability, errors and omissions, and cyber), property, and auto.
  • Automated processes: Straight-through processing and other ease-of-use tools can simplify underwriting, claims processing, and more across the value chain. Cake Insure, a subsidiary of Colorado-based Pinnacol Assurance, launched in late 2017 with an algorithm that produces a bindable quote in less than a minute and a bound policy in fewer than five minutes for small businesses seeking workers’ compensation insurance. New York-based property and casualty InsurTech Lemonade uses artificial intelligence to automate claims processing. Lemonade showcases a 2016 case in which it crossreferenced a claim against a user’s policy, ran 18 anti-fraud algorithms, approved the claim, and sent wiring instructions to the bank in three seconds to demonstrate ease of use.
  • Straightforward policy wording: Descriptions of policy coverage and expenses (which ones are payable and which do not qualify) must be explained clearly in everyday language. Similarly, insurance industry players should work together to standardize definitions, exclusions, and processes.
  • Interactive customer education: Gamification, interactive videos, and social channels are ways to educate customers about risks, their need for coverage, and policy details. Interaction can also improve customer engagement and experience.

The marketplace of the future can holistically focus on customer needs

HomeFlix is a virtual assistant offering renters and homeowners insurance underwritten by Zurich Connect, the digital arm of Zurich Italy, and powered by on-demand digital broker Yolo, a Milan-based InsurTech. In addition to insurance coverage, the policy, introduced in July 2019, offers laundry service – washed and ironed after a few days and paid directly on delivery. Access to concierge maintenance services such as plumbing and electric also is available. Next, HomeFlix plans home delivery, babysitting, and cleaning services.

New York-based Generali Global Assistance (a division of Italy’s Generali Group, which provides travel insurance-related services) strategically partnered with San Francisco-based rideshare company Lyft in late 2017 to improve customer service and contain costs for clientele of its insurance companies and multinational corporations. Later, Lyft
collaborated with CareLinx, a US professional caregiver marketplace that helps find, hire, manage and pay caregivers online, to create CareRides, a door-to-door transportation service for special-needs individuals in 50 US metro areas. Generali Global Assistance also partnered with CareLinx to provide value-added services for existing policyholders in times of need.

The marketplace of the future can offer emerging-risk coverage

Working with Cisco, Apple, and Aon, Allianz launched a comprehensive cyber insurance product for businesses in early 2018. The product includes a solution comprised of cyber-resilience evaluation services from Aon, secure technologies from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz. The product aims to help a broader range of organizations manage and protect themselves better from cyber risks associated with ransomware and malware-related threats.

The marketplace of the future can deliver simple to understand, easy-access offerings

Berlin-based startup FRIDAY offers innovative, digital automotive insurance with features like kilometeraccurate billing, the option to terminate at month’s end, and paperless administration. The InsurTech’s technologies and partnerships include:

  • Telematics support from the BMW CarData platform and from TankTaler, which tracks vehicle location as well as data such as battery voltage, mileage, and other statistics
  • Automotive services through the mobility hub of ATU, a German chain of vehicle repair franchises
  • Drivy, a peer-to-peer car rental marketplace that enables consumers to lease vehicles from private individuals
  • Friendsurance, a peer-to-peer InsurTech that pays out a percentage to customers who do not use (or use very little) annual insurance also sells FRIDAY policies

Prudential Singapore and StarHub partnered to create FastTrackTrade (FTT), Singapore’s first digital trade platform for small and midsized business (SMBs) that uses blockchain technology. FTT helps SMBs find business partners and distributors, buy and sell goods, track shipments, receive and make payments, access financing, and buy insurance via a single platform. FinTech startup Cités Gestion developed the pioneering platform with funding from Prudential.

CG1

Structure supports success

Insurer success in the future marketplace will rely on a structured approach (see Figure 3).

  • Understanding customer preferences and conceptualizing product portfolios: Insurers can tap new data sources such as social media channels and use behavioral analytics for better understanding and more accurate estimation of their customer’s preferences and risk profile. With a deeper understanding of customers, they can conceptualize personalized product portfolios for each customer segment.
  • Recruiting the right partners: Once the product portfolio is finalized, insurers should look for partners that align with their business objectives and strategic vision. Cultural fit, ease of integration of systems, and seamless channels of communication are key success factors.
  • Structuring the offerings portfolio: Insurers should closely collaborate with partners while assembling their portfolio. A winning product/service mix offers a hyper-personalized one-stop solution for all the needs of the customer.
  • A compelling go-to-market strategy: Insurers should be able to communicate the value of the marketplace by touting human-centric offerings that customers find simple to understand and easy to access.
  • Capturing feedback: Through advanced analysis of sales data, direct customer input, social media, etc., insurers can capture feedback about their offerings. The process should be continuous rather than on an ad-hoc basis. More importantly, the input should be immediately acted upon to enhance current products or to conceptualize a new product.

CG2

To realize the full potential of the structured approach, four fundamental shifts in the current operating model are critical

For an insurer to realize the full potential of the structured approach and ensuring the successful creation of the marketplace of the future, four fundamental shifts in the current operating model are critical (see Figure 4). The importance of these areas is borne out by the research. For example:

  1. Experience: More than 70% of insurers and InsurTechs said a focus on holistic risk solutions for customers was critical to establishing a future-state insurance marketplace.
  2. Data: More than 70% said advanced data management capabilities are critical.
  3. Partnerships: 90% of InsurTechs said partnerships were critical while 70% of incumbents said the same. Both insurers and InsurTechs have a hearty appetite for collaboration with other sectors, such as healthcare providers and players from the travel, transportation, and hospitality space (see Figure 5).
  4. Shared access: However, an emerging area in which views are evolving is the transition to a shared economy. Here, less than 40% of established insurers and InsurTechs say they consider shared ownership of assets to be critical.

Industry players should understand that the four shifts – focus on experience, data, partnership, and shared access – are interrelated and critical for partnering with other entities to develop bundled offerings. Concentrating on one at the expense of others may stymie the overall efficiency of the marketplace.

CG3

Digital maturity does not match aspiration

While insurers realize the importance of these fundamental shifts, there is a significant gap between their expectations and their current digital maturity. Lack of digital maturity is the biggest concern for incumbents. While 68% of insurers said they believe partnerships are critical, only 32% are currently collaborating with ecosystem partners (see Figure 6).

Less than 40% of insurers have a holistic digital transformation strategy and are collaborating with ecosystem players to provide value-added services. Only 11% of insurers say they leverage open architecture, which is critical for working with other industry players.

CG4

CG5

Experience-led digital offerings and seamless collaboration with ecosystem players will drive marketplace success

We call firms prepared to excel in the future marketplace Inventive Insurers because they have strategically updated their product portfolios, operating models, and distribution methods. They have outlined their distinctive capabilities as well as their competency gaps and are ready to deliver end-to-end solutions in the manner customers prefer.

Pragmatic assessment (and subsequent enhancement) of a firm’s digital maturity is critical to connecting with ecosystem players seamlessly. Figure 7 shows the steps companies need to take to establish the marketplace of the future.

CG6

1. Prioritize digital agility

The critical first step in the future marketplace journey is boosting digital agility. The more quickly initiatives are implemented, the more quickly firms will enhance their digital maturity and actively participate within a connected ecosystem. Insurers must holistically adopt these critical capabilities to optimize their digital agility and seamlessly connect with partners to develop digitallyintegrated ecosystems (see Figure 8).

  • Real-time data gathering
  • Advanced analytics
  • Re-engineering complex processes and automating them

CG7

2. Build an integrated ecosystem

Seamless collaboration between insurers and their strategic partners is the backbone of a digitally integrated ecosystem. As new players enter the insurance value chain (aggregators, original equipment manufacturers (OEMs), one-stop policy management apps, and third parties such as repair stores), incumbents must strengthen their position through strategic partnerships.

Our proposed digitally-integrated ecosystem seamlessly interconnects insurers with customers and partners to enable the efficient flow of information and services (see Figure 9).

CG8

In the digitally-integrated ecosystem, customers can access insurers over various channels through extended multi-device, multi-platform, and mobility offerings. Digital integration with partners will play a crucial role as insurers seek to increase their reach and provide customers with convenient and seamless services.

Integration with aggregators and intermediaries offers insurers a choice of distribution channels. As insurers connect with individual customers through devices, real-time data can be captured and used to provide personalized offerings and value-added services.

Insurers will move beyond traditional touchpoints to become their customers’ constant risk control advisory and partner. For that to happen, however, insurers will need to join forces with third-party vendors for efficient claims management and payout, and with OEMs for real-time customer data.

APIs, cloud-based storage, and blockchain can foster insurance ecosystem integration by enabling the seamless and secure transfer of data between diverse systems. A digitally-integrated ecosystem – both within and outside the organization – will support the real-time, personalized services that customers already demand. Digital mastery can benefit top- and bottom lines and propel insurers forward.

Grasping the art of teamwork with close ecosystem players – and relevant offerings based on core capabilities – will lay the groundwork for insurers to partner profitably.

3. Create tomorrow’s marketplace

Firms must develop Inventive Insurer competencies to contribute to the successful development of tomorrow’s marketplace. These competencies include intelligent processes, open platforms, customer centricity, and an innovative mindset among team members ( see Figure 10).

CG9

Intelligent insurer. Automation, analytics, and artificial intelligence can prioritize customer experience within all operations.

  • Process efficiencies can support top-notch service with quick turnaround times.
  • Analytical competencies help insurers understand customer needs and act swiftly.
  • Robust digital governance provides monitoring and ensures compliance within today’s dynamic regulatory environment.

Open insurers leverage open platforms to build an ecosystem of partners through seamless collaboration with third parties and enable firms to participate in the value chain of third parties. Insurers with open platforms can access and integrate new data streams to cater to customers’ evolving needs, reaching them in the way they prefer via new distribution channels. Modern platform with open architecture for providing bouquet of offerings also allow firms to take a fail-fast approach to product development and innovate at a faster pace.

Deep customer competencies allow insurers to leverage data and channels for enhancing the customer experience across all touchpoints. Deep customer insights generated using advanced analytics and AI enable insurers to keep the customer at the center of all decisions.

Product agility is crucial for insurers to create new products at a faster pace and gain a competitive edge from an increased speed-to-market. Creative culture and ability to innovate at scale are critical components for achieving product agility. A creative culture
encourages novel thinking from employees and spurs openness to change.

Innovation labs and design thinking can encourage a fresh approach, especially within cultures that are hard-wired with conventional processes and culture.

Leadership support and vision are also critical. While Inventive Insurer status may be an aspirational future state, each firm’s journey is unique. An open platform used as a sandbox is an excellent place to begin developing new competencies and learning how to innovate at scale. Inventive Insurers create digital, experience-led offerings by collaborating seamlessly with other ecosystem players.

Incumbents and InsurTechs will benefit from strategic collaboration

For the most part, the industry sees InsurTech collaboration only as a means to drive growth and transform the customer experience. For example, 84% of insurers and 80% of InsurTechs say they are focusing on “developing new offerings.”

However, when it comes to the critical building blocks for the new insurance marketplace – such as developing holistic technology infrastructure and advanced data management capabilities – there are significant gaps in the expectations of insurers and InsurTechs. For example, fewer than 40% of incumbent insurers want to build holistic technology infrastructure by collaborating with InsurTech firms, while more than 60% of InsurTechs wish to work with insurers to create such a foundation.

What’s more, while data security remains a crucial concern when establishing partnerships with other industries, only around 10% of incumbents and 25% of InsurTechs say they want to focus collaborative efforts on data security.

Industry players should focus on a holistic approach while venturing into an insurer-InsurTech collaboration to prepare for the future and consider tactical plans for quick wins that may offer short-term benefits.

External partners can facilitate incumbent-InsurTech collaboration

After clearly outlining collaboration objectives, insurers must select a partner. The World InsurTech Report 2018 took a deep dive into the InsurTech landscape and offered ways in which incumbents can assess the success potential of short-to-medium term partnerships with InsurTech firms as well as longterm relationship feasibility. Finding a partner that can address technology capability gaps may require specialized third-party support.

Incumbents and InsurTechs can optimize their structured collaborative efforts by keeping four guiding pillars in mind: People, Finance, Business, and Technology (Figure 13).

CG10

People (The right individuals in the best-fit positions): Employees are a firm’s most essential assets when it comes to driving innovation, growth, expansion, and fruitful collaboration. Both partnering entities must be flexible and strive for a balance between the hierarchical nature of many traditional insurers and the flat organizational structure favored by InsurTechs.

Finance (Allocate optimal capital, realistically forecast returns): Without a defined investment and revenue model, it may be difficult to articulate a compelling value proposition. Participants need adequate capital to invest in the partnership and a proven revenue generating model to maintain positive cash flow in the not-too-distant future.

Business (Early traction, measurable success): Business traction, a proven business model, customer adoption, and value creation are must-meet goals for any potential collaboration. A new business model should solve the needs and challenges that were difficult to tackle independently. A collaborative partnership should produce a value proposition with quantifiable results.

Technology (Collaboration tools and technologies): Technology tools should be secure and enable frictionless collaboration, as well as scalability. Partner systems should securely integrate with the help of technology. Accessed information must be accurate, timely, and be regulatorily compliant. It should be scalable without affecting current systems.

New ecosystem roles will evolve as the industry transitions toward the marketplace model

As the insurance industry advances, new specialist roles are developing. In addition to the traditional integrated business role, new functions include that of Supplier, Aggregator, and Orchestrator. Close collaboration will enable incumbents and InsurTechs to maximize opportunities in each.

These roles are not business-model exclusive but business-case specific. Each ecosystem entity may mix and match positions depending on the business model in play (see Figure 15).

Established insurers and InsurTechs can also play multiple roles within an ecosystem. For example, a firm can act as both supplier and orchestrator. Similarly, one firm may be a supplier in an ecosystem, but be an orchestrator in another ecosystem.

CG11

 

Click here to access Cap Gemini’s entire report

 

From Risk to Strategy : Embracing the Technology Shift

The role of the risk manager has always been to understand and manage threats to a given business. In theory, this involves a very broad mandate to capture all possible risks, both current and future. In practice, however, some risk managers are assigned to narrower, siloed roles, with tasks that can seem somewhat disconnected from key business objectives.

Amidst a changing risk landscape and increasing availability of technological tools that enable risk managers to do more, there is both a need and an opportunity to move toward that broader risk manager role. This need for change – not only in the risk manager’s role, but also in the broader approach to organizational risk management and technological change – is driven by five factors.

Marsh Ex 1

The rapid pace of change has many C-suite members questioning what will happen to their business models. Research shows that 73 percent of executives predict significant industry disruption in the next three years (up from 26 percent in 2018). In this challenging environment, risk managers have a great opportunity to demonstrate their relevance.

USING NEW TOOLS TO MANAGE RISKS

Emerging technologies present compelling opportunities for the field of risk management. As discussed in our 2017 report, the three levers of data, analytics, and processes allow risk professionals a framework to consider technology initiatives and their potential gains. Emerging tools can support risk managers in delivering a more dynamic, in-depth view of risks in addition to potential cost-savings.

However, this year’s survey shows that across Asia-Pacific, risk managers still feel they are severely lacking knowledge of emerging technologies across the business. Confidence scores were low in all but one category, risk management information systems (RMIS). These scores were only marginally higher for respondents in highly regulated industries (financial services and energy utilities), underscoring the need for further training across all industries.

Marsh Ex 3

When it comes to technology, risk managers should aim for “digital fluency, a level of familiarity that allows them to

  • first determine how technologies can help address different risk areas,
  • and then understand the implications of doing so.

They need not understand the inner workings of various technologies, as their niche should remain aligned with their core expertise: applying risk technical skills, principles, and practices.

CULTIVATING A “DIGITAL-FIRST” MIND-SET

Successful technology adoption does not only present a technical skills challenge. If risk function digitalization is to be effective, risk managers must champion a cultural shift to a “digital-first” mindset across the organization, where all stakeholders develop a habit of thinking about how technology can be used for organizational benefit.

For example, the risk manager of the future will be looking to glean greater insights using increasingly advanced analytics capabilities. To do this, they will need to actively encourage their organization

  • to collect more data,
  • to use their data more effectively,
  • and to conduct more accurate and comprehensive analyses.

Underlying the risk manager’s digitalfirst mind-set will be three supporting mentalities:

1. The first of these is the perception of technology as an opportunity rather than a threat. Some understandable anxiety exists on this topic, since technology vendors often portray technology as a means of eliminating human input and labor. This framing neglects the gains in effectiveness and efficiency that allow risk managers to improve their judgment and decision making, and spend their time on more value-adding activities. In addition, the success of digital risk transformations will depend on the risk professionals who understand the tasks being digitalized; these professionals will need to be brought into the design and implementation process right from the start. After all, as the Japanese saying goes, “it is workers who give wisdom to the machines.” Fortunately, 87 percent of PARIMA surveyed members indicated that automating parts of the risk manager’s job to allow greater efficiency represents an opportunity for the risk function. Furthermore, 63 percent of respondents indicated that this was not merely a small opportunity, but a significant one (Exhibit 6). This positive outlook makes an even stronger statement than findings from an earlier global study in which 72 percent of employees said they see technology as a benefit to their work

2. The second supporting mentality will be a habit of looking for ways in which technology can be used for benefit across the organization, not just within the risk function but also in business processes and client solutions. Concretely, the risk manager can embody this culture by adopting a data-driven approach, whereby they consider:

  • How existing organizational data sources can be better leveraged for risk management
  • How new data sources – both internal and external – can be explored
  • How data accuracy and completeness can be improved

“Risk managers can also benefit from considering outside-the-box use cases, as well as keeping up with the technologies used by competitors,” adds Keith Xia, Chief Risk Officer of OneHealth Healthcare in China.

This is an illustrative rather than comprehensive list, as a data-driven approach – and more broadly, a digital mind-set – is fundamentally about a new way of thinking. If risk managers can grow accustomed to reflecting on technologies’ potential applications, they will be able to pre-emptively spot opportunities, as well as identify and resolve issues such as data gaps.

3. All of this will be complemented by a third mentality: the willingness to accept change, experiment, and learn, such as in testing new data collection and analysis methods. Propelled by cultural transformation and shifting mind-sets, risk managers will need to learn to feel comfortable with – and ultimately be in the driver’s seat for – the trial, error, and adjustment that accompanies digitalization.

MANAGING THE NEW RISKS FROM EMERGING TECHNOLOGIES

The same technological developments and tools that are enabling organizations to transform and advance are also introducing their own set of potential threats.

Our survey shows the PARIMA community is aware of this dynamic, with 96 percent of surveyed members expecting that emerging technologies will introduce some – if not substantial – new risks in the next five years.

The following exhibit gives a further breakdown of views from this 96 percent of respondents, and the perceived sufficiency of their existing frameworks. These risks are evolving in an environment where there are already questions about the relevance and sufficiency of risk identification frameworks. Risk management has become more challenging due to the added complexity from rapid shifts in technology, and individual teams are using risk taxonomies with inconsistent methodologies, which further highlight the challenges that risk managers face in managing their responses to new risk types.

Marsh Ex 9

To assess how new technology in any part of the organization might introduce new risks, consider the following checklist :

HIGH-LEVEL RISK CHECKLIST FOR EMERGING TECHNOLOGY

  1. Does the use of this technology cut across existing risk types (for example, AI risk presents a composite of technology risk, cyber risk, information security risk, and so on depending on the use case and application)? If so, has my organization designated this risk as a new, distinct category of risk with a clear definition and risk appetite?
  2. Is use of this technology aligned to my company’s strategic ambitions and risk appetite ? Are the cost and ease of implementation feasible given my company’s circumstances?
  3. Can this technology’s implications be sufficiently explained and understood within my company (e.g. what systems would rely on it)? Would our use of this technology make sense to a customer?
  4. Is there a clear view of how this technology will be supported and maintained internally, for example, with a digitally fluent workforce and designated second line owner for risks introduced by this technology (e.g. additional cyber risk)?
  5. Has my company considered the business continuity risks associated with this technology malfunctioning?
  6. Am I confident that there are minimal data quality or management risks? Do I have the high quality, large-scale data necessary for advanced analytics? Would customers perceive use of their data as reasonable, and will this data remain private, complete, and safe from cyberattacks?
  7. Am I aware of any potential knock-on effects or reputational risks – for example, through exposure to third (and fourth) parties that may not act in adherence to my values, or through invasive uses of private customer information?
  8. Does my organization understand all implications for accounting, tax, and any other financial reporting obligations?
  9. Are there any additional compliance or regulatory implications of using this technology? Do I need to engage with regulators or seek expert advice?
  10. For financial services companies: Could I explain any algorithms in use to a customer, and would they perceive them to be fair? Am I confident that this technology will not violate sanctions or support crime (for example, fraud, money laundering, terrorism finance)?

SECURING A MORE TECHNOLOGY-CONVERSANT RISK WORKFORCE

As risk managers focus on digitalizing their function, it is important that organizations support this with an equally deliberate approach to their people strategy. This is for two reasons, as Kate Bravery, Global Solutions Leader, Career at Mercer, explains: “First, each technological leap requires an equivalent revolution in talent; and second, talent typically becomes more important following disruption.”

While upskilling the current workforce is a positive step, as addressed before, organizations must also consider a more holistic talent management approach. Risk managers understand this imperative, with survey respondents indicating a strong desire to increase technology expertise in their function within the next five years.

Yet, little progress has been made in adding these skills to the risk function, with a significant gap persisting between aspirations and the reality on the ground. In both 2017 and 2019 surveys, the number of risk managers hoping to recruit technology experts has been at least 4.5 times the number of teams currently possessing those skills.

Marsh Ex 15

EMBEDDING RISK CULTURE THROUGHOUT THE ORGANIZATION

Our survey found that a lack of risk management thinking in other parts of the organization is the biggest barrier the risk function faces in working with other business units. This is a crucial and somewhat alarming finding – but new technologies may be able to help.

Marsh Ex 19

As technology allows for increasingly accurate, relevant, and holistic risk measures, organizations should find it easier to develop risk-based KPIs and incentives that can help employees throughout the business incorporate a risk-aware approach into their daily activities.

From an organizational perspective, a first step would be to describe risk limits and risk tolerance in a language that all stakeholders can relate to, such as potential losses. Organizations can then cascade these firm-wide risk concepts down to operational business units, translating risk language into tangible and relevant incentives that encourages behavior that is consistent with firm values. Research shows that employees in Asia want this linkage, citing a desire to better align their individual goals with business goals.

The question thus becomes how risk processes can be made an easy, intuitive part of employee routines. It is also important to consider KPIs for the risk team itself as a way of encouraging desirable behavior and further embedding a risk-aware culture. Already a majority of surveyed PARIMA members use some form of KPIs in their teams (81 percent), and the fact that reporting performance is the most popular service level measure supports the expectation that PARIMA members actively keep their organization informed.

Marsh Ex 21

At the same time, these survey responses also raise a number of questions. Forty percent of organizations indicate that they measure reporting performance, but far fewer are measuring accuracy (15 percent) or timeliness (16 percent) of risk analytics – which are necessary to achieve improved reporting performance. Moreover, the most-utilized KPIs in this year’s survey tended to be tangible measures around cost, from which it can be difficult to distinguish a mature risk function from a lucky one.

SUPPORTING TRANSFORMATIONAL CHANGE PROGRAMS

Even with a desire from individual risk managers to digitalize and complement organizational intentions, barriers still exist that can leave risk managers using basic tools. In 2017, cost and budgeting concerns were the single, standout barrier to risk function digitalization, chosen by 67 percent of respondents, well clear of second placed human capital concerns at 18 percent. This year’s survey responses were much closer, with a host of ongoing barriers, six of which were cited by more than 40 percent of respondents.

Marsh Ex 22

Implementing the nuts and bolts of digitalization will require a holistic transformation program to address all these barriers. That is not to say that initiatives must necessarily be massive in scale. In fact, well-designed initiatives targeting specific business problems can be a great way to demonstrate success that can then be replicated elsewhere to boost innovation.

Transformational change is inherently difficult, in particular where it spans both technological as well as people dimensions. Many large organizations have generally relied solely on IT teams for their “digital transformation” initiatives. This approach has had limited success, as such teams are usually designed to deliver very specific business functionalities, as opposed to leading change initiatives. If risk managers are to realize the benefits of such transformation, it is incumbent on them to take a more active role in influencing and leading transformation programs.

Click here to access Marsh’s and Parima’s detailed report

Four elements that top performers include in their digital-strategy operating model

For many companies, the process of building and executing strategy in the digital age seems to generate more questions than answers. Despite digital’s dramatic effects on global business—the disruptions that have upended industries and the radically increasing speed at which business is done—the latest McKinsey Global Survey on the topic suggests that companies are making little progress in their efforts to digitalize the business model. Respondents who participated in this year’s and last year’s surveys report a roughly equal degree of digitalization as they did one year ago, suggesting that companies are getting stuck in their efforts to digitally transform their business.

The need for an agile digital strategy is clear, yet it eludes many—and there are plenty of pitfalls that we know result in failure. McKinsey has looked at how some companies are reinventing themselves in response to digital, not only to avoid failure but also to thrive.

In this survey, McKinsey explored which specific practices organizations must have in place to shape a winning strategy for digital—in essence, what the operating model looks like for a successful digital strategy of reinvention. Based on the responses, there are four areas of marked difference in how companies with the best economic performance approach digital strategy, compared with all others :

  • The best performers have increased the agility of their digital-strategy practices, which enables firstmover opportunities.

McK1

  • They have taken advantage of digital platforms to access broader ecosystems and to innovate new digital products and business models.

McK2

McK3

  • They have used M&A to build new digital capabilities and digital businesses.

McK4

  • They have invested ahead of their peers in digital talent.

McK5

Click here to access McKinsey’s survey results

Successful risk management today may start with governance, risk and compliance (GRC)—but it shouldn’t end there

As more and more organizations embrace digital transformation, business risk grows in scope and complexity, and the need to manage it in a more agile, responsive manner becomes increasingly pressing.

GRC in its initial incarnation—a set of tools for managing compliance risk— remains valuable for that specific challenge, but it aligns less precisely with today’s evolving definitions of risk and risk management. The answer is not to abandon GRC, though; rather, it’s to allow it to evolve into an approach that is better suited to today’s multifaceted challenges: integrated risk management. This paper maps out the path from a pre-digital, compliance-driven riskmanagement strategy to an adaptable, integrated approach that can keep pace with the fast-changing digital world.

STARTING POINT: RECOGNIZING NEW RISKS

GRC emerged early in this century as a way of improving corporate governance and internal controls to address regulatory compliance requirements. Today, however, the need has evolved from better managing compliance risk to better managing overall risk. And the definition and scope of risk itself has evolved as well, with areas such as digital third-party risk coming into play and moving to the forefront. Strategies that drive business success today, such as technology adoption or market expansion, are creating new opportunities—but at the same time, they are introducing more risk. Consider these examples:

DIGITAL TRANSFORMATION

Digital transformation is clearly a strategic priority today; IDC recently forecast spending in this area to reach $1.3 trillion in 2018. Digital transformation creates new opportunities to thrive and compete—but it also creates digital risk. Digital business typically involves fast-moving projects supported by processes that require a multitude of different applications, expanding the points of risk and the stakes for the organization. The key to seizing the opportunities is managing the risk in critical areas:

  • VENDOR AND OTHER THIRD-PARTY RELATIONSHIPS: Looking to move more quickly and nimbly to exploit business opportunities, organizations are increasingly relying on external parties, such as service providers (especially cloud service providers), vendors, contractors and consultants. This increases risk, since organizations don’t have direct control over the risk a third party creates—but they are nevertheless responsible for managing the risk in third-party relationships.
  • COMPLIANCE AND OVERSIGHT: That brings us to the area that originally led to the emergence of GRC: compliance risk. That risk has not gone away; it’s only been joined by other risks, such as those described above. Given the increasing complexity of business and IT today, compliance has grown more complex, increasing the risk associated with it.

The examples described above represent major categories of risk for organizations today, but they are by no means the only risks organizations face. Every organization is a complex ecosystem of people, processes and technology, and risk can be hidden away in many areas.

NEXT LOGICAL STEP: AN INTEGRATED VIEW OF RISK

A HORIZONTALLY INTEGRATED VIEW
As areas of risk within organizations continue to grow beyond just compliance risk, the need to view them as an integrated whole becomes increasingly clear. There are two primary reasons for this.

  • One is that it’s simply unrealistic and operationally unsustainable to manage them separately, using different risk management platforms.
  • The other reason—far more critical than the first—is that most areas of organizational risk today don’t really exist independent of other risks; rather, they cross over into other areas.

For example, if engaging with a cloud service provider presents a security risk, that’s both a digital risk and a third-party risk. And if that risk isn’t addressed, it may result in issues across multiple areas, from business disruption to compliance. Therefore, organizations need to be able to leverage business processes to build an integrated picture of risk that crosses operational functions and fosters a multidisciplinary approach to risk management. Think of this as a horizontally integrated view of risks that needs to be managed.

AND A VERTICALLY INTEGRATED VIEW
A horizontally integrated view is important—but incomplete. The other part of the picture is a vertically integrated view that connects strategic and operational risk. In the early days of GRC, independent functions were focused more on operational risks with less emphasis on connecting to the strategic business impact. Business and IT were essentially separate functional parts of an organization and there was little connection between these two worlds. That changed as enterprise GRC became a requirement of risk management.

Today, however, when business and technology are intimately connected (or at the very least, mutually influential), risk management must link operational risks to business strategies and vice versa. Security events are a great example. At RSA, we talk about Business-Driven Security™, which puts security-related IT incidents in a business context and makes it possible to calculate the business impact of a security event—and vice versa. This kind of interrelationship allows organizations to bridge the gap between security teams and their business counterparts, creating an environment in which they can reduce the risk that security incidents will negatively affect the business or that business decisions will negatively affect IT. The interrelationships between strategic business goals and operational events are becoming increasingly impactful.

  • A decision made at the strategic level will cascade down and affect the organization’s ability to manage a risk in operations;
  • a seemingly minor operational event can spiral out of control and impact strategic direction.

Thus, connecting the top-to-bottom, strategic-to- operational view of risk—as illustrated in the accompanying graphic—is essential to truly understanding, and addressing, the obstacles to achieving business objectives.

GRC

Click here to access RSA’s White Paper