EIOPA proposal for Regulatory Technical Standards (RTS) on management of sustainability risks including sustainability risk plans – Part 2

Our recent article presented EIOPA’s RTS proposal regarding the requirements of sustainability risk management with respect to ORSA, governance and key functions within the future, significantly broadened Solvency II framework.

This article will focus on materiality and financial assessment of sustainability risks as well as on proposed metrics, targets, and actions described by the RTS draft.

Materiality assessment

The definitions of materiality under Solvency II and the European Sustainability Reporting Standards (ESRS) are aligned in their focus on the potential impact of information on decision-making.

  • Under Solvency II, for public disclosure purposes, materiality means that if an issue is omitted or misstated, it could influence the decision-making or judgment of users of the information, including supervisory authorities. As to financial materiality, sustainability risks can translate into a financial impact on the (re)insurer’s assets and liabilities through existing risk categories, such as underwriting, market, counterparty default or operational risk as well as reputational risk or strategic risk. In other words, they are ‘drivers’ to existing risk categories.
  • Similarly, the ESRS defines materiality as the potential for sustainability-related information to influence decisions that users make on the basis of the undertaking’s reporting. In the context of financial materiality, which is relevant for Solvency II purposes, the ESRS specifies that a sustainability matter is considered material if it could trigger or reasonably be expected to trigger material financial effects on the undertaking. This includes material influence on the undertaking’s development, financial position, financial performance, cash flows, access to finance or cost of capital over the short-, medium- or long-term. The materiality of risks is based on a combination of the likelihood of occurrence and the potential magnitude of the financial effects.

The two frameworks are aligned as material financial effects, as defined by the ESRS, would likely influence the decision-making or judgment of users of the information, including supervisory authorities. This alignment enables undertakings to apply a consistent materiality assessment approach across both Solvency II and ESRS reporting requirements.

Neither Solvency II nor the ESRS sets a quantitative threshold for defining materiality. The RTS do not specify a threshold for materiality either, considering this should be entity-specific. Undertakings should, however, define and document clear and quantifiable materiality thresholds, taking into account the above, and explain the assumptions made for categorising risks as non-material and how the conclusion on materiality has been reached. The classification of an exposure or risk as material has bearing on its prudential treatment, as it is a factor that determines whether the risk should be further subject to scenario analysis in the undertaking’s ORSA. The RTS require the undertaking to explain its materiality threshold in the plan: the assumptions for classifying risks as (non-)material in light of the undertaking’s risk appetite and strategy.

The materiality assessment should consider that:

  • Sustainability risks are potential drivers of prudential risk on both sides of the (re)insurers’ balance sheet.
  • Sustainability risks can lead to potential secondary effects or indirect impacts.
  • The exposure of undertakings to sustainability risks can vary across regions, sectors, and lines of business.
  • Sustainability risks can materialise well beyond the one-year time horizon as well as have sudden and immediate impact. Therefore, the materiality assessment necessitates a forward-looking perspective, including short, medium, and long term. For example, certain geographical locations may not be subject to flood risk today but may be so in the future due to sea level rise. The risk assessment should be performed gross and net of reinsurance, to measure the risk of reliance on reinsurance.

The materiality assessment would consist of a high-level description of the business context of the undertaking considering sustainability risks (‘narrative’) and the assessment of the exposure of the business strategy and model to sustainability risk (‘exposure assessment’), to decide whether a risk could be potentially material. Following this, based on the identification of a potentially material risk, the undertaking would perform an assessment of the potential financial impact (i.e., financial risk assessment, as part of ORSA).

The narrative should describe the business context of the undertaking regarding sustainability risks, and the current strategy of the undertaking. It also describes the long-term outcome, the pathway to that outcome, and the related actions to achieve that outcome (e.g., emissions pathways, technology developments, policy changes and socio-economic impacts).

The narrative would include a view on the broader impact of national or European transition targets on the economy, or the effect of a transition risk throughout the value chain. The narrative should include other relevant sustainability risks than climate, such as risks related to loss of biodiversity, or social and governance risks, as well as interlinkages between sustainability risks (e.g., between climate and biodiversity or climate and social) and spill-over and compounding effects looking beyond specific sustainability risk drivers on particular lines of business.

Sustainability narratives, indicators, and interlinkages

  • Narrative: For example, for climate change undertakings may refer to publicly available climate change pathways (i.e., the Representative Concentration Pathways (RCPs) developed by the Intergovernmental Panel on Climate Change (IPCC); Network for Greening the Financial System (NGFS)) or develop their own climate change pathway.
  • Indicators: Macro-prudential risk indicators or conduct indicators may provide additional insights and help the undertaking form its view on the future development of sustainability risks. Especially over a longer horizon, sustainability risk could have a wider and compounding impact on the economy, and interactions between the financial and the real economy would need to be considered. For example, indirect impacts of climate change could lead to an increase in food prices, migration, repricing of assets and rising social inequalities. All these indirect drivers will, in turn, impact the real economy as well as the financial sector, even more so as they could also trigger political instability. Macro-prudential concerns could include, for example, plausible unfavourable forward-looking scenarios and risks related to the credit cycle and economic downturn, adverse investment behaviours or excessive exposure concentrations at the sectoral and/or country level. For example, EIOPA financial stability and conduct ESG risk indicators can be used to assess the external environment and business context in which climate change-related risks/opportunities can arise for the undertakings. The risk indicators will give an indication of macro-prudential risk in the insurance sector, and of potential ESG-related developments at sector level to the detriment of consumer protection.
  • Interlinkages: For example, increasing temperatures leading to increased mortality risk affecting health business can potentially create underwriting as well as legal transition risk if the conditions for triggering a liability insurance have been met (e.g. a company failing to mitigate/adapt the risk). But also, a sharp increase in physical risks can lead to public policies focusing on a faster economy transition, leading in turn to higher transition risks. Physical and transition risks can impact economic activities, which in turn can impact the financial system. At the same time, the interconnectedness of the financial sector, and more generally of the economy, can create secondary effects: physical risk reducing the value of property, reducing in turn the value of collateral for lending purposes or increasing the cost of credit insurance, leading to economic slowdown; or physical damage caused by extreme weather events to critical infrastructure increasing the potential for operational/IT risks, amplifying supply chain disruption and disruption to global production of goods.

Based on the narrative, through qualitative and quantitative analyses, undertakings should arrive at an assessment of the materiality of their exposure to sustainability risks. A qualitative analysis could provide insight in the relevance of the main drivers in terms of traditional prudential risks. A quantitative analysis could assess the exposure of assets and underwriting portfolios to sustainability risk.

Exposure assessment

The aim is to identify sustainability risk drivers and their transmission channels to traditional prudential risks (i.e. market risk, counterparty risk, underwriting risk, operational risk, reputational risk and strategic risk). Additionally, the assessment should provide insight into (direct) legal, reputational or operational risks or potential (indirect) market or underwriting risks, which could arise from investing in or underwriting activities with negative sustainability impacts, or from the undertaking misrepresenting its sustainability profile in public disclosure.

  • Qualitative analysis to help identify the main drivers of climate change risks:
    • Transition risk drivers include changes in policies, technologies, and market preferences as well as the business activities of investees and commercial policyholders and policyholder preferences. At macro level, it may include consideration of failure of national governments to meet transition targets.
    • Physical risk drivers include the level of both acute and chronic physical events associated with different transition pathways and climate scenarios. This involves assessing the impact of physical risks on counterparties (investees, policyholders, reinsurers) as well as the insurer’s own operations (e.g. to the insurer’s business continuity, also for outsourced services). For climate change-related risks, the assessment should consider the evolution of extreme weather-related events for insurers underwriting natural catastrophe risks (incl. in property and health insurance).
  • Geographical exposure: Identify potential exposure of assets or insured objects to sustainability risk based on, for example, the location of operations, assets or insured objects or supply chain dependencies of investee companies in geographical areas, regions or jurisdictions prone to (physical) climate, other environmental or social risks.
    • Natural catastrophe and environmental risk datahubs such as the Copernicus datasets on land (use) or biodiversity can give an indication of relevant environmental risks across regions.
    • Social risk indicators identify countries or regions that are vulnerable to social risk, measure social inequality or development. These can give an indication on potential social risk exposure of assets or liabilities located in those regions.
  • Economic activity/sector-based exposure: Identify potential exposure of assets or lines of business or insured risks to potential sustainability risks based on the impact of the investee (or supply chain dependencies of the investee) or the policyholder’s economic activity, or their dependency on environmental or social factors. Such assessment should however not only focus on for example, exposures to climate related sectors, but also to other sectors which may be indirectly affected by (transition) risks.
    • Alignment of the economic activity with the climate and environmental objectives and screening criteria set out in the Taxonomy Regulation and Climate, Environmental Delegated Regulations, as supported by the taxonomy-related disclosures.
    • Biodiversity loss: a high-level exposure assessment could be carried out using the level of premiums written in economic sectors with a high dependence on ecosystem services and/or a high biodiversity footprint (economic exposure) and the probability of occurrence of the associated nature-related risk factors.
    • Social risks, exposure of assets or liabilities to economic activities in ‘high risk social sectors’, can be identified by referring to the Business and Human Rights Navigator (UN Global Compact), which can help mapping exposure to sectors at high risk of relying on child labour, forced labour, or sectors negatively impacting on equal treatment (incl. restrictions to freedom of association) or on working conditions (inadequate occupational safety and health, living wage, working time, gender equality, heavy reliance on migrant workers) or have negative impacts on indigenous people.

Financial risk assessment

Where the exposure is deemed material, based on the thresholds set by the undertaking, a more detailed evaluation of the financial risks combining quantitative and/or qualitative approaches should inform the financial impact on the undertaking’s balance sheet. Here the assessment should aim to identify the key financial risk metrics and provide a view of the expected impact of such risks under different scenarios and time horizons at various levels of granularity.

Scenarios

When assessing the potential financial impact of material sustainability risks, the RTS sets out that undertakings should specify at a minimum two scenarios that reflect the materiality of the exposure and the size and complexity of the business. One of the scenarios should be based on the narrative underpinning the materiality assessment. Where relevant, the scenarios should consider prolonged, clustered, or repeated events, and reflect these in the overall strategy and business model including potential stresses linked to the

  • availability and pricing of reinsurance,
  • dividend restrictions,
  • premium increases/exclusions,
  • new business restrictions,
  • or redundancies.

For climate change risks, the Solvency II Directive requires undertakings with a material exposure to climate change risks to specify at least two long term climate change scenarios:

(a) a long-term climate change scenario where the global temperature increase remains below two degrees Celsius;

(b) a long-term climate change scenario where the global temperature increase is significantly higher than two degrees Celsius.

Experience to date shows that the most used scenarios are those designed by NGFS, IPCC Shared Socioeconomic Pathways (SSPs) or tailor-made scenarios (set by regulators, e.g. for nature-related scenarios or for stress testing purposes).

Time horizons

The time horizon for analysing sustainability risks should be consistent with the undertaking’s long-term commitments. It should allow capturing risks which may affect the business planning over a short-to-medium term and the strategic planning over a longer term.

The time horizon chosen for the materiality assessment in the sustainability risk plan should also enable the integration of the risk assessment process with the time horizons applied for risk assessment purposes in the ORSA.

Taking the example of the impact of climate change: its impact can materialise over a longer time horizon than the typical 3-5 years (re)insurers’ strategic and business planning time horizons considered in the ORSA. It is argued that ORSA time horizons are too short to integrate the results of such longer-term climate change scenarios. Nevertheless, the ORSA should allow for the monitoring of the materialisation of risks over a longer term. At the same time, climate change-related risks and opportunities can affect the business planning over a short term and the strategic planning over a longer term.

The RTS specify the time horizons for sustainability risk assessment, to promote supervisory convergence and increase the consistency of risk assessment across undertakings and with decision-making. For this purpose, the RTS stipulates that the following time horizons for the sustainability risk assessment apply:

  • Short term projection: 1-5 years
  • Medium term projection: 5-15 years
  • Long term projection: min. 15 years

Documentation and data requirements

The sustainability risk assessment should be properly documented. This would include documenting the methodologies, tools, uncertainties, assumptions, and thresholds used, inputs and factors considered, and main results and conclusions reached.

Undertakings’ internal procedures should provide for the implementation of sound systems to collect and aggregate sustainability risks-related data across the institution as part of the overall data governance and IT infrastructure, including to assess and improve sustainability data quality.

Undertakings would need to build on available sustainability data, including by regularly reviewing and making use of sustainability information disclosed by their counterparties, in particular in accordance with the CSRD or made available by public bodies.

Additional data can be sourced from interaction with investees and policyholders at the time of the investment or underwriting of the risk, or estimates obtained from own analysis and external sources.

Undertakings should, where data from counterparties and public sources is not available or has shortcomings for risk management needs, assess these gaps and their potential impacts. Undertakings should document remediating actions, including at least the following: using estimates or (sectoral) proxies as an intermediate step (the use of such estimates should be clearly indicated), and seeking to reduce their use over time as sustainability data availability and quality improve; or assessing the need to use services of third-party providers to gain access to sustainability data, while ensuring sufficient understanding of the sources, data and methodologies used by data providers and performing regular quality assurance.

Frequency

The RTS aim to align the frequency of performance of the materiality and financial risk assessments with, on the one hand, the cycle of the submission of the regular supervisory report to the supervisor ‘at least every three years’, if not stipulated differently by the supervisor, and, on the other hand, the requirement for undertakings to assess material risks as part of their ORSA ‘regularly and without any delay following any significant change in their risk profile’.

Significant changes to the undertaking’s risk profile can include material change to its business environment including in relation to sustainability factors, such as significant new public policies or shifts in the institution’s business model, portfolios, and operations.

In addition, for the frequency of the financial risk assessment, the RTS need to consider that undertakings (except for SNCUs) are required to conduct at regular intervals, at a minimum every three years, the analysis of the impact of at least two long-term climate change scenarios for material climate change risks on the undertaking’s business.

Based on these considerations, the RTS set out that the materiality and financial risk assessment should be conducted at least every three years, and regularly and without any delay following any significant change in their risk profile.

Building on the requirements, the RTS specifies that key metrics and the results of the sustainability risk plan should be disclosed at least every year or, for smaller and non-complex undertakings, at least every two years or more frequently in case of a material change to their business environment in relation to sustainability factors.

Metrics

Prescribing a list of metrics in sustainability risk plans can help

  • in promoting risk assessment,
  • improve comparability of risks across undertakings,
  • promote supervisory convergence in the monitoring of the risks and
  • enable relevant disclosures.

At the same time, it is important to allow undertakings flexibility in defining their metrics to avoid missing useful undertaking-specific information. Therefore, the RTS describes the key characteristics of the metrics and provides a minimum list of relevant metrics to compute.

Metrics, both backward-looking (current view) and forward-looking, can be tailored to the undertaking’s business model and complexity, while the following key characteristics apply. Metrics should

  • provide a fair representation of the undertakings’ risks and financial position using the most up-to-date information.
  • be appropriate for the identification, measurement, and monitoring of the actions to achieve the risk management targets.
  • be calculated with sufficient granularity (absolute and relative) to evaluate eventual concentration issues per relevant business lines, geographies, economic sectors, activities, and products to quantify and reflect the nature, scale, and complexity of specific risks.
  • allow supervisors to compare and benchmark exposure and risks of different undertakings over different time horizons.
  • be documented to a sufficient level to provide relevant and reliable information to the undertaking’s management and at the same time be used as part of supervisory reporting and, where relevant for public disclosure, ensuring sufficient transparency on the data (e.g. source, limitations, proxies, assumptions) and methodology (e.g. scope, formula) used.

The RTS requires the following minimum current view metrics:

The following list includes optional metrics which could be considered by the undertaking on a voluntary basis to report on the results of scenarios analysis (financial risk assessment) for material sustainability risks.

Targets

Based on the results of the sustainability risk assessment, the undertaking’s risk appetite and long-term strategy, the undertaking should set quantifiable targets to reduce or manage material sustainability-related exposure/risks or limits sustainability-related exposure/risks to monitoring prudential risks over the short, medium, and long term.

The undertaking should, based on its risk appetite, specify the type and extent of the material sustainability risks the undertaking is willing to assume in relation to all relevant lines of business, geographies, economic sectors, activities and products (considering its concentration and diversification objectives) and set its risk management targets accordingly.

Undertakings shall explain the way the target will be achieved or what their approach to achieving the target is. Intermediate targets or milestones should allow for the monitoring of progress of the undertaking in addressing the risks. The undertakings should specify the percentage of portfolio covered by targets.

The targets should be consistent with any (transition) targets used in the undertaking’s transition plans and disclosed where applicable. The targets and measures to address the sustainability risks will consider the latest reports and measures prescribed by the European Scientific Advisory Board on climate change, in particular in relation to the achievement of the climate targets of the Union.

Relation between targets, metrics, and actions across transition plans, sustainability risk plans and ORSA, applied to an example for transition risk assessment for climate risk-related investments

Actions

Actions to manage risks should be risk-based and entity-specific.

  • Actions set out in undertakings’ transition plans, for example under CSDDD can inform the sustainability (transition) risk to the undertaking’s business, investment, and underwriting. Such transition plan actions typically involve:
    • Limiting investment in non-sustainable activities/companies.
    • Introduction of sustainability criteria in the investment decision.
    • Re-pricing of risks.
    • Integrating sustainability into the investment guidelines.
    • Stewardship, impact investing, impact underwriting.
    • Integrating ESG into the underwriting standards and guidelines of the undertaking.
    • Product development considering the impact on climate change.

The measures in the transition plan and actions to address financial risks arising from the transition need to be integrated into the investment, underwriting and business strategy of the undertaking. They need to be measurable and where actions fail to meet their expressed target, these should be monitored and, where necessary, adjusted.

Better practices for compliance management

The main compliance challenges

We know that businesses and government entities alike struggle to manage compliance requirements. Many have put up with challenges for so long—often with limited resources—that they no longer see how problematic the situation has become.

FIVE COMPLIANCE CHALLENGES YOU MIGHT BE DEALING WITH

01 COMPLIANCE SILOS
It’s not uncommon that, over time, separate activities, roles, and teams develop to address different compliance requirements. There’s often a lack of integration and communication among these teams or individuals. The result is duplicated efforts—and the creation of multiple clumsy and inefficient systems. This is then perpetuated as compliance processes change in response to regulations, mergers and acquisitions, or other internal business re-structuring.

02 NO SINGLE VIEW OF COMPLIANCE ASSURANCE
Siloed compliance systems also make it hard for senior management to get an overview of current compliance activities and perform timely risk assessments. If you can’t get a clear view of compliance risks, then chances are good that a damaging risk will slip under the radar, go unaddressed, or simply be ignored.

03 COBBLED TOGETHER, HOME-GROWN SYSTEMS
Using generalized software, like Excel spreadsheets and Word documents, in addition to shared folders and file systems, might have made sense at one point. But, as requirements become more complex, these systems become more frustrating, inefficient, and risky. Compiling hundreds or thousands of spreadsheets to support compliance management and regulatory reporting is a logistical nightmare (not to mention time-consuming). Spreadsheets are also prone to error and limited because they don’t provide audit trails or activity logs.

04 OLD SOFTWARE, NOT DESIGNED TO KEEP UP WITH FREQUENT CHANGES
You could be struggling with older compliance software products that aren’t designed to deal with constant change. These can be increasingly expensive to upgrade, not the most user-friendly, and difficult to maintain.

05 NOT USING AUTOMATED MONITORING
Many compliance teams are losing out by not using analytics and data automation. Instead, they rely heavily on sample testing to determine if compliance controls and processes are working, so huge amounts of activity data are never actually checked.

Transform your compliance management process

Good news! There are some practical steps you can take to transform compliance processes and systems so that they become way more efficient and far less expensive and painful.

It’s all about optimizing the interactions of people, processes, and technology around regulatory compliance requirements across the entire organization.

It might not sound simple, but it’s what needs to be done. And, in our experience, it can be achieved without becoming massively time-consuming and expensive. Technology for regulatory compliance management has evolved to unite processes and roles across all aspects of compliance throughout your organization.

Look, for example, at how technology like Salesforce (a cloud-based system with big data analytics) has transformed sales, marketing, and customer service. Now, there’s similar technology which brings together different business units around regulatory compliance to improve processes and collaboration for the better.

Where to start?

Let’s look at what’s involved in establishing a technology-driven compliance management process. One that’s driven by data and fully integrated across your organization.

THE BEST PLACE TO START IS THE END

Step 1: Think about the desired end-state.

First, consider the objectives and the most important outcomes of your new process. How will it impact the different stakeholders? Take the time to clearly define the metrics you’ll use to measure your progress and success.

A few desired outcomes:

  • Accurately measure and manage the costs of regulatory and policy compliance.
  • Track how risks are trending over time, by regulation, and by region.
  • Understand, at any point in time, the effectiveness of compliance-related controls.
  • Standardize approaches and systems for managing compliance requirements and risks across the organization.
  • Efficiently integrate reporting on compliance activities with those of other risk management functions.
  • Create a quantified view of the risks faced due to regulatory compliance failures for executive management.
  • Increase confidence and response times around changing and new regulations.
  • Reduce duplication of efforts and maximize overall efficiency.

NOW, WHAT DO YOU NEED TO SUPPORT YOUR OBJECTIVES?

Step 2: Identify the activities and capabilities that will get you the desired outcomes.

Consider the different parts of the compliance management process below. Then identify the steps you’ll need to take or the changes you’ll need to make to your current activity that will help you achieve your objectives. We’ve put together a cheat sheet to help this along.

Galvanize

IDENTIFY & IMPLEMENT COMPLIANCE CONTROL PROCEDURES

  • 01 Maintain a central library of regulatory requirements and internal corporate policies, allocated to owners and managers.
  • 02 Define control processes and procedures that will ensure compliance with regulations and policies.
  • 03 Link control processes to the corresponding regulations and corporate policies.
  • 04 Assess the risk of control weaknesses and failure to comply with regulations and policies.

RUN TRANSACTIONAL MONITORING ANALYTICS

  • 05 Monitor the effectiveness of controls and compliance activities with data analytics.
  • 06 Get up-to-date confirmation of the effectiveness of controls and compliance from owners with automated questionnaires or certification of adherence statements.

MANAGE RESULTS & RESPOND

  • 07 Manage the entire process of exceptions generated from analytic monitoring and from the generation of questionnaires and certifications.

REPORT RESULTS & UPDATE ASSESSMENTS

  • 08 Use the results of monitoring and exception management to produce risk assessments and trends.
  • 09 Identify new and changing regulations as they occur and update repositories and control and compliance procedures.
  • 10 Report on the current status of compliance management activities from high- to low-detail levels.

IMPROVE THE PROCESS

  • 11 Identify duplicate processes and fix procedures to combine and improve controls and compliance tests.
  • 12 Integrate regulatory compliance risk management, monitoring, and reporting with overall risk management activities.

Eight compliance processes in desperate need of technology

01 Centralize regulations & compliance requirements
A major part of regulatory compliance management is staying on top of countless regulations and all their details. A solid content repository includes not only the regulations themselves, but also related data. By centralizing your regulations and compliance requirements, you’ll be able to start classifying them, so you can eventually search regulations and requirements by type, region of applicability, effective dates, and modification dates.

02 Map to risks, policies, & controls
Classifying regulatory requirements is no good on its own. They need to be connected to risk management, control and compliance processes, and system functionality. This is the most critical part of a compliance management system.

Typically, in order to do this mapping, you need:

  • An assessment of non-compliance risks for each requirement.
  • Defined processes for how each requirement is met.
  • Defined controls that make sure the compliance process is effective in reducing non-compliance risks.
  • Controls mapped to specific analytics monitoring tests that confirm the effectiveness on an ongoing basis.
  • Assigned owners for each mapped requirement. Specific processes and controls may be assigned to sub-owners.

03 Connect to data & use advanced analytics

Using different automated tests to access and analyze data is foundational to a data-driven compliance management approach.

The range of data sources and data types needed to perform compliance monitoring can be humongous. When it comes to areas like FCPA or other anti-bribery and corruption regulations, you might need to access entire populations of purchase and payment transactions, general ledger entries, payroll, and travel and entertainment expenses. And that’s just the internal sources. External sources could include things like the Politically Exposed Persons database or Sanctions Checks.

Extensive suites of tests and analyses can be run against the data to determine whether compliance controls are working effectively and if there are any indications of transactions or activities that fail to comply with regulations. The results of these analyses identify specific anomalies and control exceptions, as well as provide statistical data and trend reports that indicate changes in compliance risk levels.

Truly delivering on this step involves using the right technology since the requirements for accessing and analyzing data for compliance are demanding. Generalized analytic software is seldom able to provide more than basic capabilities, which are far removed from the functionality of specialized risk and control monitoring technologies.

04 Monitor incidents & manage issues

It’s important to quickly and efficiently manage instances once they’re flagged. But systems that create huge amounts of “false positives” or “false negatives” can end up wasting a lot of time and resources. On the other hand, a system that fails to detect high risk activities creates risk of major financial and reputational damage. The monitoring technology you choose should let you fine-tune analytics to flag actual risks and compliance failures and minimize false alarms.

The system should also allow for an issues resolution process that’s timely and maintains the integrity of responses. If the people responsible for resolving a flagged issue don’t do it adequately, an automated workflow should escalate the issues to the next level.

Older software can’t meet the huge range of incident monitoring and issues management requirements. Or it can require a lot of effort and expense to modify the procedures when needed.

05 Manage investigations

As exceptions and incidents are identified, some turn into issues that need in-depth investigation. Software helps this investigation process by allowing the user to document and log activities. It should also support easy collaboration of anyone involved in the investigation process.

Effective security must be in place around access to all aspects of a compliance management system. But it’s extra important to have a high level of security and privacy for the investigation management process.

06 Use surveys, questionnaires & certifications

Going beyond just transactional analysis and monitoring, it’s also important to understand what’s actually happening right now, by collecting the input of those working in the front-lines.

Software that has built-in automated surveys and questionnaires can gather large amounts of current information directly from these individuals in different compliance roles, then quickly interpret the responses.

For example, if you’re required to comply with the Sarbanes-Oxley Act (SOX), you can use automated questionnaires and certifications to collect individual sign-off on SOX control effectiveness questions. That information is consolidated and used to support the SOX certification process far more efficiently than using traditional ways of collecting sign-off.

07 Manage regulatory changes

Regulations change constantly, and to remain compliant, you need to know—quickly—when those changes happen. This is because changes can often mean modifications to your established procedures or controls, and that could impact your entire compliance management process.

A good compliance software system is built to withstand these revisions. It allows for easy updates to existing definitions of controls, processes, and monitoring activities.

Before software, any regulatory changes would involve huge amounts of manual activities, causing backlogs and delays. Now much (if not most) of the regulatory change process can be automated, freeing your time to manage your part of the overall compliance program.

08 Ensure regulatory examination & oversight

No one likes going through compliance reviews by regulatory bodies. It’s even worse if failures or weaknesses surface during the examination.

But if that happens to you, it’s good to know that many regulatory authorities have proven to be more accommodating and (dare we say) lenient when your compliance process is strategic, deliberate, and well designed.

There are huge benefits, in terms of efficiency and cost savings, by using a structured and well-managed regulatory compliance system. But the greatest economic benefit happens when you can avoid a potentially major financial penalty as a result of replacing an inherently unreliable and complicated legacy system with one that’s purpose-built and data-driven.

Click here to access Galvanize’s new White Paper

An Animal Kingdom Of Disruptive Risks: How boards can oversee black swans, gray rhinos, and white elephants

Where was the board? As a corporate director, imagine you find yourself in one of these difficult situations:

  • Unexpected financial losses mount as your bank faces a sudden collapse during a 1-in-100-year economic crisis.
  • Customers leave and profits drop year after year as a new technology start-up takes over your No. 1 market position.
  • Negative headlines and regulatory actions besiege your company following undesirable tweets and other belligerent behavior from the CEO.

These scenarios are not hard to imagine when you consider what unfolded before the boards of Lehman Brothers, Blockbuster, Tesla, and others. In the context of disruptive risks, these events can be referred to as black swans, gray rhinos, and white elephants, respectively. While each has unique characteristics, the commonality is that all of these risks can have a major impact on a company’s profitability, competitive position, and reputation.

In a VUCA (volatile, uncertain, complex, and ambiguous) world, boards need to expand their risk governance and oversight to include disruptive risks. This article addresses three fundamental questions:

  • What are black swans, gray rhinos, and white elephants?
  • Why are they so complex and difficult to deal with?
  • How should directors incorporate these disruptive risks as part of their oversight?

Why are companies so ill prepared for disruptive risks? There are three main challenges:

  1. standard enterprise risk management (ERM) programs may not capture them;
  2. they each present unique characteristics and complexities;
  3. and cognitive biases prevent directors and executives from addressing them.

Standard tools used in ERM, including risk assessments and heat maps, are not timely or dynamic enough to capture unconventional and atypical risks. Most risk quantification models—such as earnings volatility and value-at-risk models—measure potential loss within a 95 percent or 99 percent confidence level. Black swan events, on the other hand, may have a much smaller than 0.1 percent chance of happening. Gray rhinos and white elephants are atypical risks that may have no historical precedent or operational playbooks. As such, disruptive risks may not be adequately addressed in standard ERM programs even if they have the potential to destroy the company.

The characteristics and complexities of each type of disruptive risk are unique. The key challenge with black swans is prediction. They are outliers that were previously unthinkable. That is not the case with gray rhinos, since they are generally observable trends. With gray rhinos the main culprit is inertia: companies see the megatrends charging at them, but they can’t seem to mitigate the risk or seize the opportunity. The key issue with white elephants is subjectivity. These no-win situations are often highly charged with emotions and conflicts. Doing nothing is usually the easiest choice but leads to the worst possible outcome.

While it is imperative to respond to disruptive risks, cognitive biases can lead to systematic errors in decision making. Behavioral economists have identified dozens of biases, but several are especially pertinent in dealing with disruptive risks:

  • Availability and hindsight bias is the underestimation of risks that we have not experienced and the overestimation of risks that we have. This bias is a key barrier to acknowledging atypical risks until it is too late.
  • Optimism bias is a tendency to overestimate the likelihood of positive outcomes and to underestimate the likelihood of negative outcomes. This is a general issue for risk management, but it is especially problematic in navigating disruptive risks.
  • Confirmation bias is the preference for information that is consistent with one’s own beliefs. This behavior prevents us from processing new and contradictory information, or from responding to early signals.
  • Groupthink or herding occurs when individuals strive for group consensus at the cost of objective assessment of alternative viewpoints. This is related to the sense of safety in being part of a larger group, regardless if their actions are rational or not.
  • Myopia or short-termism is the tendency to have a narrow view of risks and a focus on short-term results (e.g., quarterly earnings), resulting in a reluctance to invest for the longer term.
  • Status quo bias is a preference to preserve the current state. This powerful bias creates inertia and stands in the way of appropriate actions.

To overcome cognitive biases, directors must recognize that they exist and consider how they impact decision making. Moreover,

  • board diversity,
  • objective data,
  • and access to independent experts

can counter cognitive biases in the boardroom.

Recommendations for Consideration

How should directors help their organizations navigate disruptive risks? They can start by asking the right questions in the context of the organization’s business model and strategy. The chart below lists 10 questions that directors can ask themselves and management.

[Figure: NACD1]

In addition, directors should consider the following five recommendations to enhance their risk governance and oversight:

  1. Incorporate disruptive risks into the board agenda. The full board should discuss the potential impact of disruptive risks as part of its review of the organization’s strategy to create sustainable long-term value. Disruptive risks may also appear on the agenda of key committees, including the risk committee’s assessment of enterprise risks, the audit committee’s review of risk disclosures, the compensation committee’s determination of executive incentive plans, and the governance committee’s processes for addressing undesirable executive behavior. The key is to explicitly incorporate disruptive risks into the board’s oversight and scope of work.
  2. Ensure that fundamental ERM practices are effective. Fundamental ERM practices—risk policy and analytics, management strategies, and metrics and reporting—provide the baseline from which disruptive risks can be considered. As an example, the definition of risk appetite can inform discussions of loss tolerance relative to disruptive risks. As an early step, the board should ensure that the overall ERM framework is robust and effective. Otherwise, the organization may fall victim to “managing risk by silo” and miss critical interdependencies between disruptive risks and other enterprise risks.
  3. Consider scenario planning and analysis. Directors should recognize that basic ERM tools may not fully capture disruptive risks. They should consider advocating for, and participating in, scenario planning and analysis. This is akin to tabletop exercises for cyber-risk events, except much broader in scope. Scenario analysis can be a valuable tool to help companies put a spotlight on hidden risks, generate strategic insights on performance drivers, and identify appropriate actions for disruptive trends. The objective is not to predict the future, but to identify the key assumptions and sensitivities in the company’s business model and strategy. In addition to scenario planning, dynamic simulation models and stress-testing exercises should be considered.
  4. Ensure board-level risk metrics and reports are effective. The quality of risk reports is key to the effectiveness of board risk oversight. Standard board risk reports often are comprised of insufficient information: historical loss and event data, qualitative risk assessments, and static heat maps. An effective board risk report should include quantitative analyses of risk impacts to earnings and value, key risk metrics measured against risk appetite, and forward-looking information on emerging risks. By leveraging scenario planning, the following reporting components can enhance disruptive risk monitoring:
    • Market intelligence data that provides directors with useful “outside-in” information, including key business and industry developments, consumer and technology trends, competitive actions, and regulatory updates.
    • Enterprise performance and risk analysis including key performance and risk indicators that quantify the organization’s sensitivities to disruptive risks.
    • Geo-mapping that highlights global “hot spots” for economic, political, regulatory, and social instability. This can also show company-specific risks such as third-party vendor, supply chain, and cybersecurity issues.
    • Early-warning indicators that provide general or scenario-specific signals with respect to risk levels, effectiveness of controls, and external drivers.
    • Action triggers and plans to facilitate timely discussions and decisions in response to disruptive risks.
  5. Strengthen board culture and governance. To effectively oversee disruptive risks, the board must be fit for purpose. This requires creating a board culture that considers nontraditional views, questions key assumptions, and supports continuous improvement. Good governance practices should be in place in the event a white elephant appears. For example, what is the board protocol and playbook if the CEO acts inappropriately? In the United States, the 25th Amendment and impeachment clauses are in place ostensibly to remove a reprehensible president. Does the organization have procedures to remove a reprehensible CEO?

The following chart summarizes the key characteristics, examples, indicators, and strategies for identifying and addressing black swans, gray rhinos, and white elephants. The end goal should be to enhance oversight of disruptive risks and counter the specific challenges that are presented. To mitigate the unpredictability of black swans, the company should develop contingency plans with a focus on preparedness. To overcome inertia and deal with gray rhinos, the company needs to establish organizational processes and incentives to increase agility. To balance subjectivity and confront white elephants, directors should invest in good governance and objective input that will support decisiveness.

[Figure: NACD2]

The Opportunity for Boards

In a VUCA world, corporate directors must expand their traditional risk oversight beyond well-defined strategic, operational, and financial risks. They must consider atypical risks that are hard to predict, easy to ignore, and difficult to address. While black swans, gray rhinos, and white elephants may sound like exotic events, directors could enhance their recognition of them by reflecting on their own experiences serving on boards.

Given their experiences, directors should provide a leading voice to improve oversight of disruptive risks. They have a comparative advantage in seeing the big picture based on the nature of their work—part time, detached from day-to-day operations, and with experience gained from serving different companies and industries. Directors can add significant value by providing guidance to management and helping them see the forest for the trees. Finally, there is an opportunity side to risk. There are positive and negative black swans. A company can invest in the positive ones and be prepared for the negative ones. For every company that is trampled by a gray rhino, another company is riding it to a higher level of performance. By addressing the white elephant in the boardroom, a company can remediate an unspoken but serious problem. In the current environment, board oversight of disruptive risks represents both a risk management imperative and a strategic business opportunity.

Click here to access NACD’s summary

Optimizing Your GRC Technology Ecosystem

Most organizations rely on multiple technologies to manage GRC across the enterprise. Optimizing a GRC technology ecosystem aligned with a defined GRC process structure improves risk-informed business decisions and achievement of strategic business objectives. This illustration outlines ways to continuously optimize your GRC technology ecosystem for

  • greater process consistency
  • and development of actionable information.

An integrated GRC technology ecosystem built on common vocabulary, taxonomy and processes enables

  • more accurate and timely reporting,
  • increased reliability of achievement of objectives
  • and greater confidence in assurance with less burden on the business.

Here are just a few of the key benefits:

Process and Technology Alignment

  • Common methods for core tasks, uniform taxonomies, and consistent vocabulary for governance, risk management and compliance across the organization
  • Risk-based actions and controls that ensure timely responses to changed circumstances
  • Standardized GRC processes based on understanding where in the organization each defined process takes place and how data is used in managing risks and requirements
  • Connected technologies as necessary to gain a complete view of the management actions, controls and information needed by each user

Governance Systems to include:

  • Strategy / Performance
  • Board Management
  • Audit & Assurance Tools

Risk Systems to include:

  • Brand & Reputation
  • Finance / Treasury Risk
  • Information / IT Risk
  • External Risk Content
  • Third Party Risk

Compliance Systems to include:

  • Policies
  • Helpline / Hotline
  • Training
  • EHS (Environment Health and Safety)
  • Fraud / Corruption
  • Global Trade
  • Privacy
  • Regulatory Change
  • AML (Anti Money Laundering) / KYC (Know Your Customer)

Enabling Systems to include:

  • Data Visualization
  • Analytics
  • Business Intelligence
  • Predictive Tools
  • External Data Sources

Protective Systems to include:

  • Information Security
  • Data Protection
  • Assets Control

Benefits and Outcomes

  • Enhanced tracking of achievement of objectives and obstacles
  • Connected reporting for board/management/external stakeholders
  • Timely understanding of impact from operational decisions
  • Actionable view of changes needed to meet regulatory requirements
  • Clear action pathways for resolution of issues and process reviews
  • Consistent risk assessments feeding into advanced analytics
  • Improved predictive capabilities to support strategic planning
  • Control testing and audit trails for response to regulators and auditors
  • Greater confidence in assurance with less burden on the business
  • Enterprise-wide, departmental and geographic control standards

[Figure: OCEG]

Tips for Optimization

1. Process Framework

  • Identify tasks appropriate for standardization and schedule implementation across units
  • Assess vocabulary used throughout organization for inconsistencies and establish rules
  • Adjust process model periodically to continue alignment with business objectives and activities

2. Technology Ecosystem

  • Periodically review GRC technologies for gaps and duplication of systems
  • Assess appropriateness of connection of systems for data sharing and user access
  • Maintain a current road map for re-purposing and acquisition of technologies

3. Outcome Management

  • Apply standard processes for resolution of issues and remediation of identified process framework or technology ecosystem weaknesses
  • Enhance reporting capabilities with refined report structure and delivery methods/schedules
  • Ensure all users apply the process framework and understand how best to use the technology

Click here to access OCEG’s illustration in detail

Mastering Risk with “Data-Driven GRC”

Overview

The world is changing. The emerging risk landscape in almost every industry vertical has changed. Effective methodologies for managing risk have changed (whatever your perspective: internal audit, external audit/consulting, compliance, enterprise risk management, or otherwise). Finally, technology itself has changed, and technology consumers expect to realize more value, from technology that is more approachable, at lower cost.

How are these factors driving change in organizations?

Emerging Risk Landscapes

Risk has the attention of top executives. Risk shifts quickly in an economy where “speed of change” is the true currency of business, and it emerges in entirely new forms in a world where globalization and automation are forcing shifts in the core values and initiatives of global enterprises.

Evolving Governance, Risk, and Compliance Methodologies

Across risk and control oriented functions spanning a variety of audit functions, fraud, compliance, quality management, enterprise risk management, financial control, and many more, global organizations are acknowledging a need to provide more risk coverage at lower cost (measured in both time and currency), which is driving re-inventions of methodology and automation.

Empowerment Through Technology

Gartner, the leading analyst firm in the enterprise IT space, is very clear that the convergence of four forces—Cloud, Mobile, Data, and Social—is driving the empowerment of individuals as they interact with each other and their information through well-designed technology.

In most organizations, there is no coordinated effort to leverage organizational changes emerging from these three factors in order to develop an integrated approach to mastering risk management. The emerging opportunity is to leverage the change that is occurring, to develop new programs; not just for technology, of course, but also for the critical people, methodology, and process issues. The goal is to provide senior management with a comprehensive and dynamic view of the effectiveness of how an organization is managing risk and embracing change, set in the context of overall strategic and operational objectives.

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximize the reliability of organizational performance.

This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Functional Stakeholders of GRC Processes and Technology

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. It distinguishes and describes three role- and responsibility-driven functions:

  • Those that own and manage risks (management – the “first line”)
  • Those that oversee risks (risk, compliance, financial controls, IT – the “second line”)
  • Those functions that provide independent assurance over risks (internal audit – the “third line”)

The overarching context of these three lines acknowledges the broader role of organizational governance and governing bodies.

[Figure: IIAA]

Technology Solutions

Data-Driven GRC is not achievable without a technology platform that supports the steps illustrated above, and integrates directly with the organization’s broader technology environment to acquire the data needed to objectively assess and drive GRC activities.

From a technology perspective, there are four main components required to enable the major steps in Data-Driven GRC methodology:

1. Integrated Risk Assessment

Integrated risk assessment technology maintains the inventory of strategic risks and the assessment of how well they are managed. As the interface of the organization’s most senior professionals into GRC processes, it must be a tool relevant to and usable by executive management. This technology sets the priorities for risk mitigation efforts, thereby driving the development of project plans crafted by each of the functions in the different lines of defense.

2. Project & Controls Management

A project and controls management system (often referred to more narrowly as audit management systems or eGRC systems) enables the establishment of project plans in each risk and control function that map against the risk mitigation efforts identified as required. Projects can then be broken down into actionable sets of tactical level risks, controls that mitigate those risks, and tests that assess those controls.

This becomes the backbone of the organization’s internal control environment and related documentation and evaluation, all setting context for what data is actually required to be tested or monitored in order to meet the organization’s strategic objectives.

3. Risk & Control Analytics

If you think of Integrated Risk Assessment as the brain of the Data-Driven GRC program and the Project & Controls Management component as the backbone, then Risk & Control Analytics are the heart and lungs.

An analytic toolset is critical to reaching out into the organizational environment and acquiring all of the inputs (data) that are required to be aggregated, filtered, and processed in order to route back to the brain for objective decision making. It is important that this toolset be specifically geared toward risk and control analytics so that the filtering and processing functionality is optimized for identifying anomalies representing individual occurrences of risk, while being able to cope with huge populations of data and illustrate trends over time.

4. Knowledge Content

Supporting all of the technology components, knowledge content comes in many forms and provides the specialized knowledge of risks, controls, tests, and data required to perform and automate the methodology across a wide-range of organizational risk areas.

Knowledge content should be acquired in support of individual risk and control objectives and may include items such as:

  • Risk and control templates for addressing specific business processes, problems, or high-level risk areas
  • Integrated compliance frameworks that balance multiple compliance requirements into a single set of implemented and tested controls
  • Data extractors that access specific key corporate systems and extract data sets required for evaluation (e.g., an SAP supported organization may need an extractor that pulls a complete set of fixed asset data from their specific version of SAP that may be used to run all required tests of controls related to fixed assets)
  • Data analysis rule sets (or analytic scripts) that take a specific data set and evaluate what transactions in the data set violate the rules, indicating control failures occurred

Mapping these key technology pieces that make up an integrated risk and control technology platform against the completely integrated Data-Driven GRC methodology looks as follows:

[Figure: DDGRC]

When evaluating technology platforms, it is imperative that each piece of this puzzle directly integrates with the other; otherwise, manual aggregation of results will be required, which is not only laborious but also inconsistent, disorganized and (by definition) violates the Data-Driven GRC methodology.

[Figure: HiPerfGRC]

Click here to access ACL’s study

The evolution of GRC

Attitudes to governance, risk and compliance (GRC) activities are changing among Tier 1 financial institutions. The need to keep up with rapid regulatory change, and the pressure of larger, more publicised penalties dealt out by regulators in recent years have prompted an evolution in how risk is viewed and managed. Financial firms also face an increasingly volatile market environment that requires them to remain nimble – not just to survive, but to thrive.

As a result of these market developments, GRC is now seen as a far more integrated activity rather than as one strand of the business, with many companies realigning resources around the ‘three lines of defence’ model. GRC is increasingly being treated as an enterprise-wide responsibility by organisations that are successfully navigating these challenging times for global financial markets. This shift in attitudes is also leading to a rethink in relation to the tools used by all three lines of defence to participate in GRC activities. Some are exploring more innovative solutions to support and engage infrequent users – particularly those in the first line of defence (1LoD). The more intuitive design of such tools enables these users to take a more active role in risk-aware decision-making.

These and other innovations promise to bring greater effectiveness and efficiency to an area into which firms have channelled increasing levels of resource in recent years but are struggling to keep up with demand. A recent survey carried out by Risk.net and IBM found that risk and compliance professionals acknowledge the limitations of existing operational risk and regulatory compliance tools and systems to satisfy current and future GRC requirements. The survey polled 106 senior risk, compliance, audit and legal executives at financial firms including banks (53%), insurance companies (21%) and asset management firms (12%). The results revealed that nearly one third of these respondents remain unimpressed with the effectiveness of their organisation’s ability to cope with the complexity and pace of regulatory change. Nearly half gave a similar response regarding their organisation’s efficiency in this area.

With these issues in mind, many of the firms surveyed have started to explore user-experience needs more deeply and combine the results with artificial intelligence (AI) capabilities to further develop GRC systems and processes. These capabilities are designed to enhance compliance systems and processes and make them more intuitive for all. As such, user-experience research and design has become a key consideration for organisations wanting to ensure employees across all three lines of defence can participate more fully in GRC activities. In addition, AI-powered tools can help 1LoD business users better manage risk and ensure compliance by increasing the efficiency and effectiveness of these GRC systems and processes. The survey shows that, while some organisations are already developing these types of solutions, there is still room for greater understanding of the benefits of new and innovative forms of technology throughout the global financial markets. For instance, nearly half of respondents to the survey, when asked about the benefits of AI for GRC activities, were unsure of the potential time efficiencies such tools can bring. More than one-quarter were undecided on whether AI would free up employees’ time to focus on more strategic tasks.

Many organisations are still considering how to move forward in this area, but it will be those that truly embrace user-focused tools and leverage innovative technologies such as AI and advanced analytics to increase efficiencies that can expect to reap the rewards of successfully managing regulatory change and tackling market volatility.

Current and Future Applications

The survey highlights that financial firms already recognise that these solutions can be used to more efficiently manage the regulatory change process. For example, AI-based solutions can provide smart alerts to highlight the most relevant regulatory changes – 35% of survey respondents see AI as offering the biggest potential improvements in this area.

Improving the speed and accuracy of classification and reporting of information – for example, in relation to loss events – was another area identified for its high AI potential. Nearly one-third of respondents (31%) see possibilities for improvement of current GRC processes in this area. Some financial firms have already started to reap the rewards of this type of approach. Larger firms are typically ahead of the game with such developments, often having more resources to put into research and development. Out of the 13% of larger firms that have seen a decrease in GRC resources over the past year, one-third of survey respondents attribute that to “tools and automation improvements”.

Similarly, 44% of those polled work at organisations already making improvements to end-to-end time and user experience in relation to GRC processes and tools. A further 19% plan to do this in the next 12 months and, in line with this, 64% of survey respondents expect their firm’s GRC resources to increase over the next 24 months (see figure 8). While it is not clear from the survey whether these additional resources will be specifically directed towards AI, more than 80% of respondents work at organisations currently considering AI for a range of GRC activities.

The most popular use of AI among financial firms is to improve the speed and/or accuracy of classification and reporting information, such as loss events – 19% of respondents say their organisation is currently using AI for this purpose, with 81% currently considering this type of use. Such events happen fairly infrequently, so training employees to classify and enter such information can be time consuming, but incorrect classification can have a real impact on data quality. By using natural language processing (NLP) tools to understand and categorise loss events automatically, organisations can streamline the time and resources required to train employees to collect and manage this information.

According to the survey, 83% of respondents are also currently considering the use of AI tools to develop smart alerts that will highlight any new rules or updates to existing regulations, helping financial firms manage regulatory change more efficiently. Many organisations already receive an overwhelming number of alerts every day relating to new rules or changes, but some or all of these changes may not actually apply to their businesses. AI can be used to tailor these alerts to ensure compliance teams only receive the most relevant alerts. Using NLP to create this mechanism can be the difference between sorting through 100 alerts in one day and receiving one smart alert that has been identified by an AI-powered solution.

Control mapping is another area to which AI can add value. When putting controls in place relating to specific obligations within a regulation, for example, compliance teams can either create a new control or, using NLP, detect whether there is already an applicable control in place that can be mapped to record the organisation’s compliance with the rule. This reduces the amount of time spent by the team reading and understanding new legislation or rule changes to determine applicability, as well as improving accuracy and reducing duplicate controls.

Click here to access IBM’s White Paper

Insurance Fraud Report 2019

Let’s start with some numbers. In this 2019 Insurance Fraud survey, loss ratios were 73% in the US. On average, 10% of the incurred losses were related to fraud, resulting in losses of $34 billion per year.

By actively fighting fraud we can improve these ratios and our customers’ experience. It’s time to take our anti-fraud efforts to a higher level. To effectively fight fraud, a company needs support and commitment throughout the organization, from top management to customer service. Detecting fraudulent claims is important. However, it can’t be the only priority. Insurance carriers must also focus on portfolio quality instead of quantity or volume.

It all comes down to profitable portfolio growth. Why should honest customers have to bear the risks brought in by others? In the end, our entire society suffers from fraud. We’re all paying higher premiums to cover for the dishonest. Things don’t change overnight, but an effective industry-wide fraud approach will result in healthy portfolios for insurers and fair insurance premiums for customers. You can call this honest insurance.

The Insurance Fraud Survey was conducted

  • to gain a better understanding of the current market state,
  • the challenges insurers must overcome
  • and the maturity level of the industry regarding insurance fraud.

This report is a follow up to the Insurance Fraud & Digital Transformation Survey published in 2016. Fraudsters are constantly innovating, so it is important to continuously monitor developments. Today you are reading the latest update on insurance fraud. For some topics the results of this survey are compared to those from the 2016 study.

This report explores global fraud trends in P&C insurance. This research addresses

  • challenges,
  • different approaches,
  • engagement,
  • priority,
  • maturity
  • and data sharing.

It provides insights for online presence, mobile apps, visual screening technology, telematics and predictive analytics.

Fraud-Fighting-Culture

Fraudsters are getting smarter in their attempts to stay under their insurer’s radar. They are often one step ahead of the fraud investigator. As a result, money flows to the wrong people. Of course, these fraudulent claims payments have a negative effect on loss ratio and insurance premiums. Therefore, regulators in many countries around the globe created anti-fraud plans and fraud awareness campaigns. Several industry associations have also issued guidelines and proposed preventive measures to help insurers and their customers.

Engagement between Departments

Fraud affects the entire industry, and fighting it pays off. US insurers say that fraud has climbed over 60% over the last three years. Meanwhile, the total savings of proven fraud cases exceeded $116 million. Insurers are seeing an increase in fraudulent cases and believe awareness and cooperation between departments is key to stopping this costly problem.

Weapons to Fight Fraud

Companies like Google, Spotify and Uber all deliver personalized products or services. Data is the engine of it all. The more you know, the better you can serve your customers. This also holds true for the insurance industry. Knowing your customer is very important, and with lots of data, insurers now know them even better. You’d think in today’s fast digital age, fighting fraud would be an automated task.

That’s not the case. Many companies still rely on their staff instead of automated fraud solutions. 67% of the survey respondents state that their company fights fraud based on the gut feeling of their claim adjusters. There is little or no change when compared to 2016.

Data, Data, Data …

In the fight against fraud, insurance carriers face numerous challenges – many related to data. Compared to the 2016 survey results, there have been minor, yet important developments. Regulations around privacy and security have become stricter and clearer.

The General Data Protection Regulation (GDPR) is only one example of centralized rules being pushed from a governmental level. Laws like this improve clarity on what data can be used, how it may be leveraged, and for what purposes.

Indicating risks or detecting fraud is difficult when the quality of internal data is subpar. However, it is also a growing pain when trying to enhance the customer experience. To improve customer experience, internal data needs to be accurate.

Benefits of Using Fraud Detection Software

Fighting fraud can be a time-consuming and error-prone process, especially when done manually. This approach is often based on the knowledge of claims adjustors. But what if that knowledge leaves the company? The influence of bias or prejudice when investigating fraud also comes into play.

With well-organized and automated risk analysis and fraud detection, the chances of fraudsters slipping into the portfolio are diminished significantly. This is the common belief among 42% of insurers. And applications can be processed even faster. Straight-through processing or touchless claims handling improves customer experience, and thus customer satisfaction. The survey reported 61% of insurers currently work with fraud detection software to improve real-time fraud detection.

Click here to access FRISS’ detailed Report

The Global Risks Landscape 2019

Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking. Instead, divisions are hardening. The world’s move into a new phase of strongly state-centred politics, noted in last year’s Global Risks Report, continued throughout 2018. The idea of “taking back control”—whether domestically from political rivals or externally from multilateral or supranational organizations—resonates across many countries and many issues. The energy now expended on consolidating or recovering national control risks weakening collective responses to emerging global challenges. We are drifting deeper into global problems from which we will struggle to extricate ourselves.

During 2018, macroeconomic risks moved into sharper focus. Financial market volatility increased and the headwinds facing the global economy intensified. The rate of global growth appears to have peaked: the latest International Monetary Fund (IMF) forecasts point to a gradual slowdown over the next few years. This is mainly the result of developments in advanced economies, but projections of a slowdown in China—from 6.6% growth in 2018 to 6.2% this year and 5.8% by 2022—are a source of concern. So too is the global debt burden, which is significantly higher than before the global financial crisis, at around 225% of GDP. In addition, a tightening of global financial conditions has placed particular strain on countries that built up dollar-denominated liabilities while interest rates were low.

Geopolitical and geo-economic tensions are rising among the world’s major powers. These tensions represent the most urgent global risks at present. The world is evolving into a period of divergence following a period of globalization that profoundly altered the global political economy. Reconfiguring the relations of deeply integrated countries is fraught with potential risks, and trade and investment relations among many of the world’s powers were difficult during 2018.

Against this backdrop, it is likely to become more difficult to make collective progress on other global challenges—from protecting the environment to responding to the ethical challenges of the Fourth Industrial Revolution. Deepening fissures in the international system suggest that systemic risks may be building. If another global crisis were to hit, would the necessary levels of cooperation and support be forthcoming? Probably, but the tension between the globalization of the world economy and the growing nationalism of world politics is a deepening risk.

Environmental risks continue to dominate the results of our annual Global Risks Perception Survey (GRPS). This year, they accounted for three of the top five risks by likelihood and four by impact. Extreme weather was the risk of greatest concern, but our survey respondents are increasingly worried about environmental policy failure: having fallen in the rankings after Paris, “failure of climate-change mitigation and adaptation” jumped back to number two in terms of impact this year. The results of climate inaction are becoming increasingly clear. The accelerating pace of biodiversity loss is a particular concern. Species abundance is down by 60% since 1970. In the human food chain, biodiversity loss is affecting health and socioeconomic development, with implications for well-being, productivity, and even regional security.

Technology continues to play a profound role in shaping the global risks landscape. Concerns about data fraud and cyber-attacks were prominent again in the GRPS, which also highlighted a number of other technological vulnerabilities: around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments. There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyberattacks. Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national grounds.

The importance of the various structural changes that are under way should not distract us from the human side of global risks. For many people, this is an increasingly anxious, unhappy and lonely world. Worldwide, mental health problems now affect an estimated 700 million people. Complex transformations—societal, technological and work-related—are having a profound impact on people’s lived experiences. A common theme is psychological stress related to a feeling of lack of control in the face of uncertainty. These issues deserve more attention: declining psychological and emotional wellbeing is a risk in itself—and one that also affects the wider global risks landscape, notably via impacts on social cohesion and politics.

Another set of risks being amplified by global transformations relate to biological pathogens. Changes in how we live have increased the risk of a devastating outbreak occurring naturally, and emerging technologies are making it increasingly easy for new biological threats to be manufactured and released either deliberately or by accident. The world is badly under-prepared for even modest biological threats, leaving us vulnerable to potentially huge impacts on individual lives, societal well-being, economic activity and national security. Revolutionary new biotechnologies promise miraculous advances, but also create daunting challenges of oversight and control—as demonstrated by claims in 2018 that the world’s first gene-modified babies had been created.

Rapidly growing cities and ongoing effects of climate change are making more people vulnerable to rising sea levels. Two-thirds of the global population is expected to live in cities by 2050 and already an estimated 800 million people live in more than 570 coastal cities vulnerable to a sea-level rise of 0.5 metres by 2050. In a vicious circle, urbanization not only concentrates people and property in areas of potential damage and disruption, it also exacerbates those risks—for example by destroying natural sources of resilience such as coastal mangroves and increasing the strain on groundwater reserves. Intensifying impacts will render an increasing amount of land uninhabitable. There are three main strategies for adapting to rising sea-levels:

  1. engineering projects to keep water out,
  2. nature-based defences,
  3. and people-based strategies, such as moving households and businesses to safer ground or investing in social capital to make flood-risk communities more resilient.

In this year’s Future Shocks section, we focus again on the potential for threshold effects that could trigger dramatic deteriorations and cause cascading risks to crystallize with dizzying speed. Each of the 10 shocks we present is a “what-if” scenario—not a prediction, but a reminder of the need to think creatively about risk and to expect the unexpected. Among the topics covered this year are

  • quantum cryptography,
  • monetary populism,
  • affective computing
  • and the death of human rights.

In the Risk Reassessment section, experts share their insights about how to manage risks. John Graham writes about weighing the trade-offs between different risks, and András Tilcsik and Chris Clearfield write about how managers can minimize the risk of systemic failures in their organizations.

And in the Hindsight section, we revisit three of the topics covered in previous reports:

  • food security,
  • civil society
  • and infrastructure investment.

Click here to access WEF-MMC-Zurich’s Global Risks Report 2019

Successful risk management today may start with governance, risk and compliance (GRC)—but it shouldn’t end there

As more and more organizations embrace digital transformation, business risk grows in scope and complexity, and the need to manage it in a more agile, responsive manner becomes increasingly pressing.

GRC in its initial incarnation—a set of tools for managing compliance risk—remains valuable for that specific challenge, but it aligns less precisely with today’s evolving definitions of risk and risk management. The answer is not to abandon GRC, though; rather, it’s to allow it to evolve into an approach that is better suited to today’s multifaceted challenges: integrated risk management. This paper maps out the path from a pre-digital, compliance-driven risk management strategy to an adaptable, integrated approach that can keep pace with the fast-changing digital world.

STARTING POINT: RECOGNIZING NEW RISKS

GRC emerged early in this century as a way of improving corporate governance and internal controls to address regulatory compliance requirements. Today, however, the need has evolved from better managing compliance risk to better managing overall risk. And the definition and scope of risk itself has evolved as well, with areas such as digital third-party risk coming into play and moving to the forefront. Strategies that drive business success today, such as technology adoption or market expansion, are creating new opportunities—but at the same time, they are introducing more risk. Consider these examples:

DIGITAL TRANSFORMATION

Digital transformation is clearly a strategic priority today; IDC recently forecast spending in this area to reach $1.3 trillion in 2018. Digital transformation creates new opportunities to thrive and compete—but it also creates digital risk. Digital business typically involves fast-moving projects supported by processes that require a multitude of different applications, expanding the points of risk and the stakes for the organization. The key to seizing the opportunities is managing the risk in critical areas:

  • VENDOR AND OTHER THIRD-PARTY RELATIONSHIPS: Looking to move more quickly and nimbly to exploit business opportunities, organizations are increasingly relying on external parties, such as service providers (especially cloud service providers), vendors, contractors and consultants. This increases risk, since organizations don’t have direct control over the risk a third party creates—but they are nevertheless responsible for managing the risk in third-party relationships.
  • COMPLIANCE AND OVERSIGHT: That brings us to the area that originally led to the emergence of GRC: compliance risk. That risk has not gone away; it’s only been joined by other risks, such as those described above. Given the increasing complexity of business and IT today, compliance has grown more complex, increasing the risk associated with it.

The examples described above represent major categories of risk for organizations today, but they are by no means the only risks organizations face. Every organization is a complex ecosystem of people, processes and technology, and risk can be hidden away in many areas.

NEXT LOGICAL STEP: AN INTEGRATED VIEW OF RISK

A HORIZONTALLY INTEGRATED VIEW
As areas of risk within organizations continue to grow beyond just compliance risk, the need to view them as an integrated whole becomes increasingly clear. There are two primary reasons for this.

  • One is that it’s simply unrealistic and operationally unsustainable to manage them separately, using different risk management platforms.
  • The other reason—far more critical than the first—is that most areas of organizational risk today don’t really exist independent of other risks; rather, they cross over into other areas.

For example, if engaging with a cloud service provider presents a security risk, that’s both a digital risk and a third-party risk. And if that risk isn’t addressed, it may result in issues across multiple areas, from business disruption to compliance. Therefore, organizations need to be able to leverage business processes to build an integrated picture of risk that crosses operational functions and fosters a multidisciplinary approach to risk management. Think of this as a horizontally integrated view of risks that needs to be managed.

AND A VERTICALLY INTEGRATED VIEW
A horizontally integrated view is important—but incomplete. The other part of the picture is a vertically integrated view that connects strategic and operational risk. In the early days of GRC, independent functions were focused more on operational risks with less emphasis on connecting to the strategic business impact. Business and IT were essentially separate functional parts of an organization and there was little connection between these two worlds. That changed as enterprise GRC became a requirement of risk management.

Today, however, when business and technology are intimately connected (or at the very least, mutually influential), risk management must link operational risks to business strategies and vice versa. Security events are a great example. At RSA, we talk about Business-Driven Security™, which puts security-related IT incidents in a business context and makes it possible to calculate the business impact of a security event—and vice versa. This kind of interrelationship allows organizations to bridge the gap between security teams and their business counterparts, creating an environment in which they can reduce the risk that security incidents will negatively affect the business or that business decisions will negatively affect IT. The interrelationships between strategic business goals and operational events are becoming increasingly impactful.

  • A decision made at the strategic level will cascade down and affect the organization’s ability to manage a risk in operations;
  • a seemingly minor operational event can spiral out of control and impact strategic direction.

Thus, connecting the top-to-bottom, strategic-to-operational view of risk—as illustrated in the accompanying graphic—is essential to truly understanding, and addressing, the obstacles to achieving business objectives.

Click here to access RSA’s White Paper

EIOPA: Peer review assessing how National Competent Authorities (NCAs) supervise and determine whether an insurer’s setting of key functions fulfils the legal requirements of Solvency II

The main task of the European Insurance and Occupational Pensions Authority (EIOPA) is to

  • enhance supervisory convergence,
  • strengthen consumer protection
  • and preserve financial stability.

In the context of enhancing supervisory convergence and in accordance with its mandate, EIOPA regularly conducts peer reviews, working closely with national competent authorities (NCAs), with the aim of strengthening both the convergence of supervisory practices across Europe and the capacity of NCAs to conduct high-quality and effective supervision.

In line with its mandate, the outcome of peer reviews, including identified best practices, are to be made public with the agreement of the NCAs that have been subject to the review.

BACKGROUND AND OBJECTIVES

Enhancing the governance system of insurers is one of the major goals of Solvency II (SII). The four key functions (risk management, actuarial, compliance and internal audit) as required under the SII regulation are an essential part of the system of governance. These key functions are expected to be operationally independent to ensure an effective and robust internal control environment within an insurer and support high quality of decision making by the management. At the same time it is also important that these governance requirements are not overly burdensome for small and medium-sized insurers. Therefore SII allows NCAs to apply the principle of proportionality in relation to compliance with key function holder requirements for those insurers.

Under SII, insurers may combine key functions in one holder. However, such combinations have to be justified by the principle of proportionality and insurers need to properly address the underlying conflicts of interest. Holding a key function should generally not be combined with administrative, management or supervisory body (AMSB) membership or with operational tasks because of their controlling objective. Thus, these combinations should rather occur in exceptional cases, taking into account a risk-based approach and the manner in which the insurer avoids and manages any potential conflict of interest.

This peer review assesses how NCAs supervise and determine whether an insurer’s setting of key functions fulfils the legal requirements of SII with a particular emphasis on proportionality. The peer review examines practices regarding:

  • combining key functions under one holder;
  • combining key functions with AMSB membership or with carrying out operational tasks;
  • subordination of one key function under another key function;
  • split of one key function among several holders;
  • assessment of the fitness of key function holders; and
  • outsourcing of key functions.

The period examined under the scope of this peer review was 2016 but also covered supervisory practices executed before 2016 in the preparatory stage of SII. The peer review was conducted among NCAs from the European Economic Area (EEA) on the basis of EIOPA’s Methodology for conducting Peer Reviews (Methodology).

Detailed information was gathered in the course of the review. All NCAs completed an initial questionnaire. This was followed by fieldwork comprising visits to 8 NCAs and 30 conference calls.

MAIN FINDINGS

The review showed that NCAs in general apply the principle of proportionality and that they have adopted similar approaches.

SUMMARY RESULTS OF THE COMPARATIVE ANALYSIS

  • Supervisory framework: Approximately half of NCAs use written supervisory guidance for the application of the principle of proportionality. Larger NCAs in particular use written supervisory guidance in order to ensure consistency of their supervisory practice among their supervisory staff.
  • Approach of NCAs: Most NCAs have a similar approach. NCAs assess the insurers’ choice of key function holders at the time of initial notification regarding the key function holder’s appointment. If any concerns are noted at this stage, for example regarding combinations or fitness, NCAs generally challenge and discuss these issues with the insurer, rather than issuing formal administrative decisions.
  • Combining key functions in one holder: This occurs in almost all countries. The most frequent combinations are between risk management and actuarial functions and between risk management and compliance functions. Combinations are most commonly used by smaller insurers but are also seen in large insurers. EIOPA has identified the need to draw the attention of NCAs to the need to challenge combinations more strongly, especially when they occur in bigger, more complex insurers, and to ensure that adequate mitigation measures are in place to warrant a robust system of governance.
  • Holding the internal audit function and other key functions: The combination of the internal audit function with other key functions occurs in 15 countries, although the frequency of such combinations is relatively low. Moreover, there were cases of the internal audit function holder also carrying out operational tasks which could lead to conflicts of interest and compromise the operational independence of the internal audit function. It is important to emphasise that the legal exemption of Article 271 of the Commission Delegated Regulation (EU) 2015/35 does not apply to the combination with operational tasks.
  • Combining a key function holder with AMSB membership: Most NCAs follow a similar and comprehensive approach regarding the combination of key function holder and AMSB member. In this regard, NCAs accept such cases only if deemed justified under the principle of proportionality. This peer review shows that two NCAs request or support combinations of AMSB member and the risk management function holder regardless of the principle of proportionality in order to strengthen the knowledge and expertise regarding risk management within the AMSB.
  • Combining key function holders (excluding internal audit function holder) with operational tasks: In nearly all countries combinations of risk management, actuarial and compliance key function holders with operational tasks occur, but such combinations generally occur rarely or occasionally. However, several NCAs do not have a full market overview of such combinations with operative tasks. Adequate mitigating measures are essential to reduce potential conflicts of interest when key function holders also carry out operational tasks. The most common combinations are the compliance function holder with legal director and the risk management function holder with finance director.
  • Splitting a key function between two holders: About half of the NCAs reported cases where more than one individual is responsible for a particular key function (‘split of key function holder’). The most common split concerns the actuarial function (split between life and non-life business). NCAs should monitor such splits in order to maintain appropriate responsibility and accountability among key function holders.
  • Subordination of a key function holder to another key function holder or head of operational department: This is observed in half of the countries reviewed. An organisational subordination can be accepted, but there needs to be a direct ‘unfiltered’ reporting line from the subordinated key function holder to the AMSB. In cases of subordination, conflicts of interest have to be mitigated and operational independence needs to be ensured including the mitigating measures concerning the remuneration of the subordinated key function holders.
  • Fitness of key function holders: Most NCAs assess the fitness of the key function holder at the time of initial notification and apply the principle of proportionality. Several NCAs did not systematically assess the key function holders appointed before 2016. These NCAs are advised to do so using a risk-based approach.
  • Outsourcing of key function holders: Most NCAs have observed outsourcing of key function holders. According to the proportionality principle, an AMSB member may also be a designated person responsible for overseeing and monitoring the outsourced key function. Eight NCAs make a distinction between intra-group and extra-group outsourcing and six NCAs do not require a designated person in all cases, which may give rise to operational risks.

BEST PRACTICES

Through this peer review, EIOPA identified four best practices.

  • When NCAs adopt a structured proportionate approach based on the nature, scale and complexity of the business of the insurer regarding their supervisory assessment of key function holders and combination of key function holders at the time of initial notification and on an ongoing basis. The best practice also includes supervisory documentation and consistent and uniform data submission requirements (for example an electronic data submission system for key function holder notification). This best practice has been identified in Ireland and the United Kingdom.
  • When an NCA has a supervisory panel set up internally which discusses and advises supervisors about complex issues regarding the application of the proportionality principle in governance requirements regarding key functions. This best practice has been identified in the Netherlands.
  • When assessing the combination of key function holder with AMSB member, EIOPA considers the following as best practice for NCAs:
    • To publicly disclose the NCA’s expectations that controlling key functions should generally not be combined with operational functions for example with the membership of the AMSB. Where those cases occur, NCAs should clearly communicate their expectation that the undertaking ensures that it is aware of possible conflicts of interest arising from such a combination and manages them effectively.
    • To require from insurers that main responsibilities as a member of the AMSB do not lead to a conflict of interest with the tasks as a key function holder.
    • To assess whether the other AMSB members challenge the key function holder also being an AMSB member.

This best practice has been identified in Lithuania.

  • When NCAs apply a risk-based approach for the ongoing supervision that gives the possibility to ensure the fulfilment of fitness requirements of KFHs at all times by holding meetings with key function holders on a regular scheduled basis as part of an NCA’s work plan (annual review plan). The topics for discussion for those meetings can vary, depending for example on actual events and current topics. This best practice has been identified in Ireland and the United Kingdom.

These best practices provide guidance for a more systematic approach regarding the application of the principle of proportionality as well as for ensuring consistent and effective supervisory practice within NCAs.


Click here to access EIOPA’s full report on its Peer Review