A brief summary of the key regional trends:
- Analytics, Customer Centricity and Digital Innovation achieve similar scores across all our regions.
- Customer-Centricity trails marginally in North America.
- Noteworthy is the perfect score of 60 attained for Digital Innovation in Asia-Pacific, which indicates that this was the number-one priority here in all four measures underlying the priority score (money, time, staffing and training).
- Underwriting and Risk Management both score considerably higher in North America than they do elsewhere – as we saw in the first priorities table, Underwriting is 3rd in the list of priorities in North America, despite not getting above 7th place in any other region, and North America’s Risk Management score is more than 80% higher than the runner-up’s (Europe).
- There is a step-up in focus on Claims in Europe and North America compared to Asia-Pacific.
- With Distribution Diversification, we have the exact inverse scenario, with Asia-Pacific leading the pack, possibly a reflection of the emerging markets within it necessitating high-scale low-cost distribution, which traditional models cannot provide.
- Fraud is also a marginally higher priority in Asia-Pacific.
- Europe and Asia-Pacific lead North America with their focus on Internet of Things.
- Cybersecurity and Mobile achieve similar (lowish) scores for all regions; Product Development is relatively high across the board.
- Regulation is the biggest deal in Europe, where respondents quoted in particular Solvency II and the Insurance Distribution Directive (IDD) as being causes for concern.
Source: Insurance Nexus detailed survey analysis
How to raise enterprise risk intelligence
- Break down silos and collaborate. To ensure all risks are addressed, finance, operations, compliance, legal and IT functions should work together in managing enterprise risks. According to 53 percent of respondents, there is little, if any, collaboration among these functions to achieve a clearly defined enterprise risk management strategy.
- Focus on accomplishments that will make a difference. The findings reveal a significant gap between the most important features of a risk intelligence platform and what features are actually accomplished. The features considered most important but rarely accomplished are:
  - Business continuity response (produces plans, runs business impact analyses, resiliency controls and engages stakeholders in crisis drills and recovery)
  - Incident/issue risk response (coordination of classification, collaboration, evidence, policies and reporting across the organization for all operational and security risk events)
  - Operational risk & compliance (creates risk registers and runs Risk and Compliance Self-Assessments (RCSAs) against critical business processes to report key risk indicators (KRIs), findings and loss events)
  - Threat and vulnerability mitigation (automates continuous risk correlation, prioritization and remediation of assets and operation criticality, threat reachability, control and vulnerabilities)
- Establish a formal budget for enterprise risk management. It is critical to allocate resources specifically designated to achieving a well-executed enterprise risk management program. Fifty-eight percent of respondents say their organizations do not have a formal budget.
- Engage management and the board of directors in the organization’s risk strategy. The inability to get started was one of the top three barriers to achieving risk management objectives. Senior leadership’s involvement will incentivize and motivate collaboration and a formal process for achieving the objectives of a risk management program.
- Achieve clarity of your IT assets and infrastructure. A clear map of the infrastructure and categorization of assets, especially high-value and knowledge assets, is key to ensuring appropriate risk measures are in place. Only 24 percent of respondents say they have categorized assets based on their business criticality.
- Assign accountability for the achievement of specific risk management objectives. According to the findings, either no one person has overall responsibility or it is dispersed throughout the organization.
- Measure effectiveness in risk intelligence efforts. Only 31 percent of respondents say their organizations have specific metrics to determine how well risks are being managed. Many organizations represented in this study are not measuring such key objectives as time to contain threats and attacks, time to identify and pinpoint high-risk areas and time to remediate after containment of the attack.
- Consolidated risk reporting is essential. Sixty-three percent of respondents say it is essential or very important to have centralized or consolidated risk reporting (one set of metrics) in order to achieve a strong security posture.
- Replace complexity with ease of use. The number one barrier to achieving risk management objectives is the complexity of technologies that support risk management objectives. Understandably, the number one feature of a risk management solution is ease of use (53 percent of respondents). Investments in risk management technologies that end up on the shelf because of complexity and the lack of in-house expertise will frustrate any attempts to achieve an enterprise risk management program.