DORA: What the new European Framework for Digital Operational Resilience means for Business

On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA). With obligations under DORA expected to take effect in late 2024 or early 2025 at the latest (see the legislative timeline below), in this briefing we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations, and what firms should be doing now in preparation for day one compliance.

What is DORA?

Aimed at harmonising national rules on operational resilience and cybersecurity across the EU, DORA establishes uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as of critical third parties that provide information and communication technology (ICT) services to them, such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to make sure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats. ICT services are defined broadly to include digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.

DORA forms part of the EU’s Digital Finance Package (DFP), which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The DFP also includes legislative proposals on markets in cryptoassets (MiCA), distributed ledger technology and a digital finance strategy.

Who will need to comply with DORA?

DORA will apply to financial entities, including:

  • credit institutions,
  • payment institutions,
  • e-money institutions,
  • investment firms,
  • cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens,
  • central securities depositories,
  • central counterparties,
  • trading venues,
  • trade repositories,
  • managers of alternative investment funds and management companies,
  • data reporting service providers,
  • insurance and reinsurance undertakings,
  • insurance intermediaries,
  • reinsurance intermediaries and ancillary insurance intermediaries,
  • institutions for occupational retirement pensions,
  • credit rating agencies,
  • administrators of critical benchmarks,
  • crowdfunding service providers and
  • securitisation repositories (Financial Entities).

DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), acting through their Joint Committee) (ESAs) designate as “critical” for Financial Entities (Critical ICT Third-Party Providers) through a newly established oversight framework.

The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:

  • the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party
    provider faced a large-scale operational failure to provide its services;
  • the systemic character or importance of Financial Entities that rely on the ICT third-party service provider;
  • the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in
    relation to critical or important functions of those Financial Entities; and
  • the degree of substitutability of the ICT third-party service provider.

Any ICT third-party service provider not designated as critical would have the option to voluntarily “opt in” to the oversight framework. The ESAs may not designate certain excluded categories of ICT third-party service providers, namely:

  • Financial Entities that provide ICT services to other Financial Entities,
  • ICT third-party service providers that deliver services predominantly to entities of their own group, and
  • ICT third-party service providers that provide ICT services solely in one Member State to Financial Entities that are active only in that Member State.

What are the key obligations?

DORA introduces targeted rules on ICT risk management capability, reporting and testing, in a way which enables Financial Entities to withstand, respond to and recover from ICT incidents. In principle, some of the requirements imposed by DORA, such as for ICT risk management, are already reflected to a certain extent in existing EU guidance (for example, the EBA Guidelines on ICT and security risk management).

The proposals include requirements relating to:

  • ICT risk management

DORA sets out key principles around internal controls and governance structures. A Financial Entity’s management body will be expected to be responsible for defining, approving, overseeing and being continuously accountable for a firm’s ICT risk management framework as part of its overall risk management framework. As part of the ICT risk management framework, Financial Entities need to maintain resilient ICT systems, revolving around specific functions in ICT risk management such as

  • identification of risks,
  • protection and prevention,
  • detection,
  • response and recovery and
  • stakeholder communication.

  • Reporting of ICT-related incidents

DORA aims to create a consistent incident reporting mechanism, including a management process to detect, manage and notify ICT-related incidents. Incidents deemed “major” would need to be reported to competent authorities within strict time frames, including initial notifications “without delay” on the same day or the next day, using mandatory reporting templates. In some cases, communication to service users or customers may be required.

  • Testing

As part of the ICT risk management framework, DORA requires Financial Entities to adopt a robust and comprehensive digital operational resilience testing programme covering ICT tools, systems and processes. Certain Financial Entities must carry out advanced testing of their ICT tools, systems and processes at least every three years using threat-led penetration tests.

  • Information sharing

DORA contains provisions which should facilitate the sharing, among Financial Entities, of cyber threat information and intelligence, including

  • indicators of compromise,
  • tactics,
  • techniques and procedures,
  • cyber security alerts and
  • configuration tools

to strengthen digital operational resilience.

  • Localisation

Financial Entities will only be permitted to make use of the services of a third-country Critical ICT Third-Party Provider if such provider establishes a subsidiary in the EU within 12 months following its designation as a Critical ICT Third-Party Provider.

A simplified set of ICT risk framework requirements will apply to certain Financial Entities, including small and non-interconnected investment firms and payment institutions exempted under the Second Payment Services Directive. Such entities will need to comply with a reduced set of requirements under DORA, including the requirement to put in place and maintain a sound and documented risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures.

What should firms be doing now to prepare?

Although it is not expected that DORA will apply to in-scope entities until late 2024 (see below), firms should now begin considering the steps that they will need to take to ensure day one compliance. These include:

  • Scope out impact

Taking a risk-based approach reflective of their size, nature, scale and the complexity of their services and operations, Financial Entities should begin to scope out the impact of DORA on their business. Firms should carry out a comprehensive gap analysis of their existing ICT-risk management processes against the new requirements introduced by DORA to identify any aspects of their existing processes that will be impacted by the new requirements and develop detailed implementation plans setting out the steps that will need to be taken to effect relevant changes. As part of this, Financial Entities should ensure that they have in place appropriate:

(i) capabilities to enable a strong and effective ICT risk management environment;

(ii) mechanisms and policies for handling all ICT-related incidents and reporting major incidents; and

(iii) policies for the testing of ICT systems, controls and processes and the management of ICT third-party risk.

This process will be iterative as some of the more detailed requirements of DORA will be further developed through technical standards to be published by the ESAs in due course.

  • Critical ICT Third-Party Providers

Critical ICT Third-Party Providers will be required to have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to Financial Entities. Although DORA provides that the designation mechanism (pursuant to which the ESAs may designate an ICT third-party service provider as “critical”) must not be used until the Commission has adopted a delegated act specifying further details on the criteria to be used in making such an assessment (to be adopted within 18 months after the date on which DORA enters into force), it is expected that certain categories of providers, such as cloud computing service providers that provide ICT services to Financial Entities, will be designated as Critical ICT Third-Party Providers.

Consequently, such providers may wish to begin the task of benchmarking their existing systems, controls and processes against existing guidelines, such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements, to the extent required, to identify areas that require further investment and maturity. They will also need to consider whether new and existing contracts give them sufficient flexibility to comply with new regulatory rules, orders and directions, even if this would otherwise be inconsistent with their contractual obligations. As set out above, certain categories of ICT third-party service providers are expressly excluded from the designation mechanism, including Financial Entities providing ICT services to other Financial Entities, ICT intra-group service providers and ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.

  • Third-country Critical ICT Third-Party Providers and subsidiarisation

The EU subsidiarisation requirement that will apply to third-country Critical ICT Third-Party Providers is one that will necessitate early engagement between such providers and the Financial Entities that they serve. While it is not clear what role the EU subsidiary must play in the provision of services to the relevant Financial Entity (e.g. whether the subsidiary must act as contractual counterparty), Recital 58 of DORA indicates that the requirement to set up a subsidiary in the EU does not prevent ICT services and related technical support from being provided from facilities and infrastructures located outside the EU. Nevertheless, where a relevant third-country ICT third-party provider that is likely to be designated as “critical” indicates that it does not intend to establish a subsidiary in the EU, even following a designation as such by the ESAs, Financial Entities may wish to commence the process of identifying alternative providers, since they will not be permitted to obtain ICT services from a third-country Critical ICT Third-Party Provider that fails to establish a subsidiary in the EU within 12 months following its designation as critical.

Companies that consider they are likely to be classified as Critical ICT Third-Party Providers that do not already have an establishment or subsidiary located in the EU should begin to consider now which Member State would be most appropriate to establish a new subsidiary in, taking into account their business operations and the various applicable legal requirements.

  • Documentation impact

DORA also sets out core contractual rights in relation to several elements of the performance and termination of contracts with ICT third-party service providers, with a view to enshrining certain minimum safeguards underpinning the ability of Financial Entities to monitor effectively all risk emerging at ICT third-party level. Some contractual requirements set out in DORA are mandatory and will need to be included in contracts, if not already reflected. Others take the form of principles and recommendations and may require negotiation between the relevant parties. Early mapping and engagement in this respect will be important. Additionally, parties may wish to consider benchmarking their existing contractual arrangements against the relevant requirements set out in DORA, as well as against existing standard contractual clauses developed by EU institutions.

For example, Recital 55 of DORA notes that “the voluntary use of contractual clauses developed by the Commission for cloud computing services may provide comfort for Financial Entities and ICT third-party providers by enhancing the level of legal certainty on the use of cloud computing services in full alignment with requirements and expectations set out by the financial services regulation”.

As the industry awaits the final Level 1 text of DORA and the more detailed technical standards to be developed and published by the relevant ESAs, in-scope entities may consider using existing guidelines, such as the EBA Guidelines on ICT and security risk management and the Guidelines on outsourcing arrangements, as useful benchmarking tools in preparation for day one compliance.

How does DORA interact with NIS2?

The second iteration of the Security of Network and Information Systems Directive (NIS2) aims to strengthen security requirements and provide further harmonisation of Member States’ cybersecurity laws, replacing the original NIS Directive of 2016 (NIS1). Its timeline is similar to that for DORA, with a provisional agreement among EU institutions reached in May 2022, and its adoption confirmed in a European Parliament plenary session vote on 10 November 2022. NIS2 significantly extends the scope of NIS1 by adding new sectors, including « digital providers » such as social media platforms and online marketplaces, for example, but importantly also introduces uniform size criteria for assessing whether certain financial institutions (and other entities) fall within its scope. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing, so there is some overlap in coverage with DORA.

However, this overlap has been addressed during the legislative process to ensure that financial entities will have full clarity on the rules on digital operational resilience that they need to comply with when operating within the EU. NIS2 specifically provides that any overlap will be addressed by DORA being considered lex specialis (i.e. a more specific law that overrides the more general NIS2 provisions).

How does DORA compare with international developments?

The introduction of DORA in the EU reflects a global focus on operational resilience and strengthening cybersecurity standards in the wake of ever-increasing digitalisation of financial services and increasingly sophisticated cyber incidents. For example, in March 2021, the Basel Committee on Banking Supervision issued its Principles for operational resilience, as well as an updated set of Principles for the sound management of operational risk (PSMOR), which aim to make banks better able to withstand, adapt to and recover from severe adverse events.

In October 2022, following a G20 request, the Financial Stability Board (FSB) published a consultation on Achieving Greater Convergence in Cyber Incident Reporting, recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability and with a view to ensuring that financial institutions operating across borders are not subject to multiple conflicting regimes. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminologies related to cyber incidents and a proposal to develop a common format for incident reporting exchange.

Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill (the UK Bill) which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. HM Treasury would have powers to designate service suppliers as ‘critical’ and the UK regulators would have new powers to directly oversee designated suppliers, which would be subject to new minimum resilience standards. While the proposals have the same ambitions as, and there are similarities with, the requirements under DORA, there are a number of key differences between them.

For example, the proposed enforcement regime under DORA for Critical ICT Third-Party Providers is very different from the equivalent regime proposed by the UK Bill. Under DORA, the ESAs will be designated as “Lead Overseers”, but with the power only to make “recommendations” to Critical ICT Third-Party Providers, in contrast to the ability of UK regulators to make rules applying to, or to give directions to, critical third parties subject to the UK Bill, with the ability to issue sanctions for non-compliance. Under DORA, non-compliance by a Critical ICT Third-Party Provider with recommendations gives the Lead Overseer the ability to notify and publicise such non-compliance and, “as a last resort”, the option to require Financial Entities to temporarily suspend the services provided by such provider until the relevant risks identified in the recommendations have been addressed.

This means that the liability and contractual issues for Critical ICT Third-Party Providers providing services in the EU will be different than for those providing services in the UK, and that contracts for each will need to be considered and negotiated carefully.

Next steps and legislative timeline

Following adoption of DORA by the European Parliament plenary session on 10 November 2022, the regulation is now passing through the final technical stages of the formal procedure for European legislation. The text still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.

DORA will come into effect on the twentieth day following the day on which it is published in the Official Journal. It will apply, with direct effect, 24 months from the date on which it enters into force. Therefore, it is expected that DORA will apply to in-scope firms from late 2024 or early 2025 at the latest.

The CEO’s Dilemma – Building Resilience in a Time of Uncertainty

Global disruptions and an increasingly complex macroeconomic outlook will be key elements of the strategic environment for the foreseeable future. For leaders, the only certainty is that waiting for clarity is a losing move. The best organizations know how to turn uncertainty into opportunity. Their playbook relies on two critical elements:

  • a shared and clear view of the world and the strategic challenges/opportunities it presents, and
  • a resilient and adaptable plan to win.

A view of the world

Today’s global disruptions, such as geopolitical tensions, supply chain constraints and economic headwinds (soaring inflation, rising interest rates, decelerating growth and currency fluctuations), have created a complex, once-in-a-generation competitive environment with significant variations across geographic areas and sectors.

Navigating this unprecedented complexity requires business leaders to develop a dynamic perspective not only on the most likely scenarios for how their operating and economic environments will evolve, but also on the distinct opportunities and risks these scenarios present for their organizations.

This research shows that “winners” in economic uncertainty do not just sit back and wait for recovery; instead, they are proactive and turn ambiguity into opportunity.

A plan to win

There is no “one size fits all” solution to today’s complex strategic challenges. But this research suggests that the best companies do two things well in crafting their unique plans to win:

  • First, they have a clear understanding of their strategic starting point, taking into account nuanced and deaveraged perspectives on the economic and operational stability of the markets in which they operate as well as on their own organization’s financial strength (e.g., profit volatility, free cash flow to debt ratio), which ultimately places them in one of four high-level starting-point archetypes.
  • And second, they embed a “dynamic strategy” mindset into their planning, comprising three elements:
    • Sensing: Observing trends, defining and monitoring critical uncertainties, and outlining a set of scenarios against which to assess business decisions
    • Adapting: Building operational and financial stability by shaping and reshaping strategies based on market trends and data driven forecasts
    • Thriving: Moving rapidly from assessment to action to seize growth opportunities and strengthen competitive advantage

Increasing uncertainty driven by a set of global disruptions and exacerbated by macroeconomic headwinds needs to be met head on.

Dramatic shifts in inflation drivers vary across regions and countries with energy emerging as one of the strongest drivers

Different sectors are affected differently by macro uncertainties

Sectors like agriculture are typically less vulnerable to business cycle shifts, while other sectors (e.g., media, tech, fashion) tend to be more affected. But this varies by recession depending on drivers.

Some sectors (e.g., retail), which were less vulnerable in the early 2000s recessions, are showing greater vulnerability in the current environment.

Top performers in economic uncertainty do not just wait for recovery; instead, they build competitive advantage and turn ambiguity into a source of opportunity.

Business leaders must balance contrasting priorities amid strong macroeconomic headwinds.

Understanding the “starting point” is critical to successfully navigating this uncertainty.

With the current disruptions and uncertainties, it is imperative for business leaders to reevaluate:

  1. The stability of their portfolio against economic downturns & market disruption
  2. The internal financial stability to cope with uncertainty

Each business context is distinct, but four starting-point archetypes can help leaders understand the moves most relevant for their organizations.

How to navigate uncertainty: enhance resilience and secure a clear pathway for sustained growth

The time to act is now

Take 3 key steps to navigate uncertainty and win in a downturn:

  1. Sensing macroeconomic and disruptive trends to shape (and reshape) future scenarios that guide strategic decisions
  2. Adapting business and functional strategies in response to new insights and to market, economic, and competitive developments
  3. Thriving by building competitive advantage to turn adversity into opportunity

Actions should be based on the specific business context.

Implementing combined audit assurance

ASSESS IMPACT & CREATE AN ASSURANCE MAP

The audit impact assessment and assurance map are interdependent—and the best possible starting point for your combined assurance journey. An impact assessment begins with a critical look at the current or “as is” state of your organization. As you review your current state, you build out your assurance map with your findings. You can’t really do one without the other. The map, then, will reveal any overlaps and gaps, and provide insight into the resources, time, and costs you might require during your implementation. Looking at an assurance map example will give you a better idea of what we’re talking about. The Institute of Chartered Accountants of England and Wales (ICAEW) has an excellent template.


The ICAEW has also provided a guide to building a sound assurance map. The institute suggests you take the following steps:

  1. Identify your sponsor (the main user/senior staff member who will act as a champion).
  2. Determine your scope (identify elements that need assurance, like operational/ business processes, board-level risks, governance, and compliance).
  3. Assess the required amount of assurance for each element (understand what the required or desired amount of assurance is across aspects of the organization).
  4. Identify and list your assurance providers in each line of defense (e.g., audit committee or risk committee in the third line).
  5. Identify your assurance activities (compile and review relevant documentation, select and interview area leads, collate and assess assurance provider information).
  6. Reassess your scope (revisit and update your map scope, based on the information you have gathered/evaluated to date).
  7. Assess the quality of your assurance activities (look at breadth and depth of scope, assurance provider competence, how often activities are reviewed, and the strengths/quality of assurance delivered by each line of defense).
  8. Assess the aggregate actual amount of assurance for each element (the total amount of assurance needs to be assessed, collating all the assurance being provided by each line of defense).
  9. Identify the gaps and overlaps in assurance for each element (compare the actual amount of assurance with the desired amount to determine if there are gaps or overlaps).
  10. Determine your course of action (make recommendations for the actions to be taken/activities to be performed moving forward).

Just from the steps above, you can see how your desired state takes shape by the time you reach step 10. Ideally, by this point, gaps and overlaps have been eliminated. But the steps we just reviewed don’t cover the frequency of each review and they don’t determine costs. So we’ve decided to add a few more steps to round it out:

  1. Assess the frequency of each assurance activity.
  2. Identify total cost for all the assurance activities in the current state.
  3. Identify the total cost for combined assurance (i.e., when gaps and overlaps have been addressed, and any consequent benefits or cost savings).

DEFINE THE RISKS OF IMPLEMENTATION

Implementing combined assurance is a project, and like any project, there’s a chance it can go sideways and fail, losing you both time and money. So, just like anything else in business, you need to take a risk-based approach. As part of this stage, you’ll want to clearly define the risks of implementing a combined assurance program, and add these risks, along with a mitigation plan and the expected benefits, to your tool kit. As long as the projected benefits of the project outweigh the residual risks and costs, the implementation program is worth pursuing. You’ll need to be able to demonstrate that a little further down the process.

DEFINE RESOURCES & DELIVERABLES

Whoever will own the project of implementing combined assurance will no doubt need dedicated resources in order to execute. So, who do we bring in? On first thought, the internal audit team looks best suited to drive the program forward. But, during the implementation phase, you’ll actually want a cross-functional team of people from internal control, risk, and IT, to work alongside internal audit. So, when you’re considering resourcing, think about each and every team this project touches. Now you know who’s going to do the work, you’ll want to define what they’re doing (key milestones) and when it will be delivered (time frame). And finally, define the actual benefits, as well as the tangible deliverables/outcomes of implementing combined assurance. (The table below provides some examples, but each organization will be unique.)


RAISE AWARENESS & GET MANAGEMENT COMMITMENT

Congratulations! You’re now armed with a fancy color-coded impact assessment, and a full list of risks, resources, and deliverables. The next step is to clearly communicate and share the driving factors behind your combined assurance initiative. If you want them to support and champion your efforts, top management will need to be able to quickly take in and understand the rationale behind your desire for combined assurance. Critical output: You’ll want to create a presentation kit of sorts, including the assurance map, lists of risks, resources, and deliverables, a cost/benefit analysis, and any supporting research or frameworks (e.g., the King IV Report, FRC Corporate Governance Code, available industry analysis, and case studies). Chances are, you’ll be presenting this concept more than once, so if you can gather and organize everything in a single spot, that will save a lot of headaches down the track.

ASSIGN ACCOUNTABILITY

When we ask the question, “Who owns the implementation of combined assurance?”, we need to consider two main things:

  • Who would be most impacted if combined assurance were implemented?
  • Who would be senior enough to work across teams to actually get the job done?

It’s evident that a board/C-level executive should lead the project. This project will span multiple departments and require buy-in from many people, so you need someone who can influence and convince. Therefore, we feel that the chief audit executive (CAE) and/or the chief risk officer (CRO) should be accountable for implementing combined assurance. The CAE literally stands at the intersection of internal and external assurance. Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for the conclusions and opinions reached by the internal audit activity. And the CRO is taking a more active interest in assurance maps as they become increasingly risk-focused. The Institute of Internal Auditors (IIA), Standard 2050, also assigns accountability to the CAE, stating: “The chief audit executive should share information and coordinate activities with other internal and external assurance providers and consulting services to ensure proper coverage and minimize duplication of effort.” So, not only is the CAE at the intersection of assurance, they’re also directing traffic, exactly the combination we need to drive implementation.

Envisioning the solution

You’ve summarized the current/“as is” state in your assurance map. Now it’s time to move into a future state of mind and envision your desired state. What does your combined assurance solution look like? And, more critically, how will you create it? This stage involves more assessment work. Only now you’ll be digging into the maturity levels of your organization’s risk management and internal audit process, as well as the capabilities and maturity of your Three Lines of Defense. This is where you answer the questions, “What do I want?”, and “Is it even feasible?” Some make-or-break capability factors for implementing combined assurance include:

  1. Corporate risk culture: Risk culture and risk appetite shape an organization’s decision-making, and that culture is reflected at every level. Organizations that are more risk-averse tend to be unwilling to make quick decisions without evidence and data. On the other hand, risk-tolerant organizations take more risks, make rapid decisions, and pivot quickly, often without performing due diligence. How will your risk culture shape your combined assurance program?
  2. Risk management awareness: If employees don’t know—and don’t prioritize—how risk can and should be managed in your organization, your implementation program will fail. Assurance is very closely tied to risk, so it’s important to communicate constantly and make people aware that risk at every level must be adequately managed.
  3. Risk management processes: We just stated that risk and assurance are tightly coupled, so it makes sense that the more mature your risk management processes are, the easier it will be to implement combined assurance. Mature risk management means you’ve got processes defined, documented, running, and refined. For the lucky few who have all of these things, you’re going to have a much easier time compared to those who don’t.
  4. Risk & controls taxonomy: Without question, you will require a common risk and compliance language. We can’t have people making up names for tools, referring to processes in different ways, or worst of all, reporting on totally random KPIs. The result of combined assurance should be “one language, one voice, one view” of the risks and issues across the organization.
  5. System & process integrations: An integrated system where there is one set of risks and one set of controls is key to delivering effective combined assurance. This includes risk registers across the organization, controls across the organization, issues and audit findings, and reporting.
  6. Technology use: Without dedicated software technology, it’s extremely difficult to provide a sustainable risk management system with sound processes, a single taxonomy, and integrated risks and controls. How technology is used in your organization will determine the sustainability of combined assurance. (If you already have a risk management and controls platform that has these integration capabilities, implementation will be easier.)
  7. Using assurance maps as monitoring tools: Assurance maps aren’t just for envisioning end-states; they’re also critical monitoring tools that can feed data into your dashboard. They can inform your combined assurance dashboard, to help report on progress.
  8. Continuous improvement mechanisms: A mature program will always have improvement mechanisms and feedback loops to incorporate user and stakeholder feedback. A lack of this feedback mechanism will impact the continued effectiveness of combined assurance.

We now assess the maturity of these factors (plus any others that you find relevant) and rank them on a scale of 1-4:

  • Level 1: Not achieved (0-15% of target).
  • Level 2: Partially achieved (15-50%).
  • Level 3: Largely achieved (50-85%).
  • Level 4: Achieved (85-100%).

This rating scale is based on ISO/IEC 15504, which assigns a rating to the degree to which each objective (process capability) is achieved. An example of a combined assurance capability maturity assessment can be seen in Figure 2.

[Figure 2: example combined assurance capability maturity assessment]

GAP ANALYSIS

Once the desired levels for all of the factors are agreed on and endorsed by senior management, the next step is to undertake a gap analysis. The example in Figure 2 shows that the current overall maturity level is a 2 and the desired level is a 3 or 4 for each factor. The gap for each factor needs to be analyzed for the activities and resources required to bridge it. Then you can envision the solution and create a roadmap to bridge the gap(s).

SOLUTION VISION & ROADMAP

An example solution vision and roadmap could be:

  • We will use the same terminology and language for risk in all parts of the organization, and establish a single risk dictionary as a central repository.
  • All risks will be categorized according to severity and criticality and be mapped to assurance providers to ensure that no risk is assessed by more than one provider.
  • A rolling assurance plan will be prepared to ensure that risks are appropriately prioritized and reviewed at least once every two years.
  • An integrated, real-time report will be available on demand to show the status, frequency, and coverage of assurance activities.
  • The integrated report/assurance map will be shared with the board, audit committee, and risk committee regularly (e.g., quarterly or half-yearly).
  • To enable these capabilities, risk capture, storage, and reporting will be automated using an integrated software platform.

Figure 3 shows an example roadmap to achieve your desired maturity level.

[Figure 3: example roadmap to the desired maturity level]

Click here to access Galvanize’s Risk Management White Paper

Benchmarking digital risk factors facing financial service firms

Risk management is the foundation upon which financial institutions are built. Recognizing risk in all its forms—measuring it, managing it, mitigating it—is critical to success. But has every firm achieved that goal? It doesn’t take in-depth research beyond the myriad of breach headlines to answer that question.

But many important questions remain: What are key dimensions of the financial sector Internet risk surface? How does that surface compare to other sectors? Which specific industries within Financial Services appear to be managing that risk better than others? We take up these questions and more in this report.

  1. The financial sector boasts the lowest rate of high and critical security exposures among all sectors. This indicates they’re doing a good job managing risk overall.
  2. But not all types of financial service firms appear to be managing risk equally well. For example, the rate of severe findings in the smallest commercial banks is 4x higher than that of the largest banks.
  3. It’s not just small community banks struggling, however. Securities and Commodities firms show a disconcerting combination of having the largest deployment of high-value assets AND the highest rate of critical security exposures.
  4. Others appear to be exceeding the norm. Take credit card issuers: they typically have the largest Internet footprint but balance that by maintaining the lowest rate of security exposures.
  5. Many other challenges and risk factors exist. For instance, the industry average rate of severe security findings in critical cloud-based assets is 3.5x that of assets hosted on-premises.

Dimensions of the Financial Sector Risk Surface

As Digital Transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. We view the risk surface as anywhere an organization’s ability to operate, reputation, assets, legal obligations, or regulatory compliance is at risk. The aspects of a firm’s risk exposure that are associated with or observable from the internet are considered its internet risk surface. In Figure 1, we compare five key dimensions of the internet risk surface across different industries and highlight where the financial sector ranks among them.

  • Hosts: Number of internet-facing assets associated with an organization.
  • Providers: Number of external service providers used across hosts.
  • Geography: Measure of the geographic distribution of a firm’s hosts.
  • Asset Value: Rating of the data sensitivity and business criticality of hosts based on multiple observed indicators. High-value systems include those that collect GDPR- and CCPA-regulated information.
  • Findings: Security-relevant issues that expose hosts to various threats, following the CVSS rating scale.

[Figure 1: five dimensions of the internet risk surface compared across industries, with the Finance ranking highlighted]

The values recorded in Figure 1 for these dimensions represent what’s “typical” (as measured by the mean or median) among organizations within each sector. There’s a huge amount of variation, meaning not all financial institutions operate more external hosts than all realtors, but what you see here is the general pattern. The blue highlights trace the ranking of Finance along each dimension.

Financial firms are undoubtedly aware of these tendencies and the need to protect those valuable assets. What’s more, that awareness appears to translate fairly effectively into action. Finance boasts the lowest rate of high and critical security exposures among all sectors. We also ran the numbers specific to high-value assets, and financial institutions show the lowest exposure rates there too. All of this aligns pretty well with expectations—financial firms keep a tight rein on their valuable Internet-exposed assets.

This control tendency becomes even more apparent when examining the distribution of hosts with severe findings in Figure 2. Blue dots mark the average exposure rate for the entire sector (and correspond to values in Figure 1), while the grey bars indicate the amount of variation among individual organizations within each sector. The fact that Finance exhibits the least variation shows that even rotten apples don’t fall as far from the Finance tree as they often do in other sectors. Perhaps a rising tide lifts all boats?

[Figure 2: distribution of hosts with severe findings by sector]

Security Exposures in Financial Cloud Deployments

We now know financial institutions do well minimizing security findings, but does that record stand equally strong across all infrastructure? Figure 3 answers that question by featuring four of the five key risk surface dimensions:

  • the proportion of hosts (square size),
  • asset value (columns),
  • hosting location (rows),
  • and the rate of severe security findings (color scale and value label).

This view facilitates a range of comparisons, including the relative proportion of assets hosted internally vs. in the cloud, how asset value distributes across hosting locales, and where high-severity issues accumulate.

[Figure 3: financial sector hosts by hosting location and asset value, with the rate of severe security findings per cell]

From Figure 3, box sizes indicate that organizations in the financial sector host a majority of their Internet-facing systems on-premises, but do leverage the cloud to a greater degree for low-value assets. The bright red box makes it apparent that security exposures concentrate more acutely in high-value assets hosted in the cloud. Overall, the rate of severe findings in cloud-based assets is 3.5x that of on-prem. This suggests the angst many financial firms have over moving to the cloud does indeed have some merit. But when we examine the Finance sector relative to others in Figure 4 the intensity of exposures in critical cloud assets appears much less drastic.
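The matrix behind Figure 3 (hosting location by asset value, with the share of hosts and the rate of severely exposed hosts per cell) is something a defender can compute from their own asset inventory. The following is an added example, not code from the RiskRecon/Cyentia report: the host records and CVSS scores are constructed sample data, and "severe" follows the standard CVSS v3.x qualitative scale (High 7.0-8.9, Critical 9.0-10.0).

```python
"""Risk-surface matrix in the style of the report's Figure 3 (added example).

Input: an asset inventory with one record per Internet-facing host.
Output: for every (hosting location, asset value) cell, the share of all hosts
in that cell and the rate of hosts carrying at least one severe finding, plus
the headline cloud vs. on-prem comparison. Sample data below is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

LOCATIONS = ("on-prem", "cloud")
ASSET_VALUES = ("high", "medium", "low")
SEVERE_THRESHOLD = 7.0  # CVSS v3.x base score at which "High" severity begins

HostRecord = Tuple[str, str, str, List[float]]  # (name, location, asset value, CVSS scores)

# Constructed sample inventory, not figures from the report.
SAMPLE_INVENTORY: List[HostRecord] = [
    ("web-01", "on-prem", "medium", [5.3]),
    ("web-02", "on-prem", "medium", [4.3, 6.5]),
    ("mail-01", "on-prem", "medium", []),
    ("vpn-01", "on-prem", "medium", [9.8]),
    ("core-db-proxy", "on-prem", "high", [5.9]),
    ("kiosk-01", "on-prem", "low", []),
    ("api-prod", "cloud", "high", [7.5]),
    ("customer-portal", "cloud", "high", [8.1, 3.1]),
    ("static-cdn", "cloud", "low", [5.3]),
    ("dev-sandbox", "cloud", "low", []),
]


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def is_severely_exposed(scores: Iterable[float], threshold: float = SEVERE_THRESHOLD) -> bool:
    """A host counts as severely exposed if any open finding is High or Critical."""
    return any(s >= threshold for s in scores)


Cell = Dict[str, Optional[float]]


def risk_surface_matrix(inventory: Sequence[HostRecord]) -> Dict[Tuple[str, str], Cell]:
    """Return {(location, asset_value): {"hosts", "share", "severe_rate"}} for every cell.

    Empty cells are kept with hosts=0 and severe_rate=None so that "no hosts"
    is never mistaken for "0% of hosts exposed".
    """
    total = len(inventory)
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])  # [hosts, severe]
    for name, location, value, scores in inventory:
        if location not in LOCATIONS or value not in ASSET_VALUES:
            raise ValueError(f"unknown location/asset value for host {name!r}")
        counts[(location, value)][0] += 1
        if is_severely_exposed(scores):
            counts[(location, value)][1] += 1
    matrix: Dict[Tuple[str, str], Cell] = {}
    for location in LOCATIONS:
        for value in ASSET_VALUES:
            hosts, severe = counts[(location, value)]
            matrix[(location, value)] = {
                "hosts": hosts,
                "share": hosts / total if total else 0.0,
                "severe_rate": severe / hosts if hosts else None,
            }
    return matrix


def severe_rate_by_location(inventory: Sequence[HostRecord]) -> Dict[str, Optional[float]]:
    """Overall rate of severely exposed hosts per hosting location, across all asset values."""
    hosts = {loc: 0 for loc in LOCATIONS}
    severe = {loc: 0 for loc in LOCATIONS}
    for _name, location, _value, scores in inventory:
        hosts[location] += 1
        if is_severely_exposed(scores):
            severe[location] += 1
    return {loc: (severe[loc] / hosts[loc] if hosts[loc] else None) for loc in LOCATIONS}


def cloud_to_onprem_ratio(inventory: Sequence[HostRecord]) -> Optional[float]:
    """The report's headline comparison (cloud severe rate / on-prem severe rate).

    Returns None when undefined: no cloud hosts, no on-prem hosts, or no on-prem exposures.
    """
    rates = severe_rate_by_location(inventory)
    cloud, onprem = rates["cloud"], rates["on-prem"]
    if cloud is None or not onprem:
        return None
    return cloud / onprem


def render(matrix: Dict[Tuple[str, str], Cell]) -> str:
    """ASCII rendering: share of hosts and severe rate per cell, rows by location."""
    lines = ["location  " + "".join(f"{v:>28}" for v in ASSET_VALUES)]
    for loc in LOCATIONS:
        row = f"{loc:<10}"
        for v in ASSET_VALUES:
            c = matrix[(loc, v)]
            rate = "n/a" if c["severe_rate"] is None else f"{c['severe_rate']:.0%}"
            row += f"{f'{c[chr(115)+chr(104)+chr(97)+chr(114)+chr(101)]:.0%} hosts / {rate} severe':>28}"
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    m = risk_surface_matrix(SAMPLE_INVENTORY)
    print(render(m))
    print("cloud/on-prem severe-rate ratio:", cloud_to_onprem_ratio(SAMPLE_INVENTORY))
```

On the constructed inventory the cloud/on-prem ratio comes out at 3.0, and the empty (cloud, medium) cell is reported as n/a rather than 0%.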

In Figure 3, we can see that the largest number of hosts are on-prem and of medium value. But high-value assets in the cloud exhibit the highest rate of findings.

Given that cloud vs. on-prem exposure disparity, we feel the need to caution against jumping to conclusions. We could interpret these results to proclaim that the cloud isn’t ready for financial applications and should be avoided. Another interpretation could suggest that it’s more about organizational readiness for the cloud than the inherent insecurity of the cloud. Either way, it appears that many financial institutions migrating to the cloud are handling that paradigm shift better than others.

It must also be noted that not all cloud environments are the same. Our Cloud Risk Surface report discovered an average 12X difference between cloud providers with the highest and lowest exposure rates. We still believe this says more about the typical users and use cases of the various cloud platforms than about any intrinsic security inequalities. But at the same time, we recommend evaluating cloud providers based on internal features as well as the tools and guidance they make available to assist customers in securing their environments. Certain clouds are undoubtedly a better match for financial services use cases, while others are less so.

[Figure 4: rate of severe findings in critical cloud assets, Finance relative to other sectors]

Risk Surface of Subsectors within Financial Services

Having compared Finance to other sectors at a high level, we now examine the risk surface of major subsectors of financial services according to the following NAICS designations:

  • Insurance Carriers: Institutions engaged in underwriting and selling annuities, insurance policies, and benefits.
  • Credit Intermediation: Includes banks, savings institutions, credit card issuers, loan brokers, and processors, etc.
  • Securities & Commodities: Investment banks, brokerages, securities exchanges, portfolio management, etc.
  • Central Banks: Monetary authorities that issue currency, manage national money supply and reserves, etc.
  • Funds & Trusts: Funds and programs that pool securities or other assets on behalf of shareholders or beneficiaries.

[Figure 5: risk surface dimensions across financial services subsectors]

Figure 5 compares these Finance subsectors along the same dimensions used in Figure 1. At the top, we see that Insurance Carriers generally maintain a large Internet surface area (hosts, providers, countries), but a comparatively lower ranking for asset value and security findings. The Credit Intermediation subsector (the NAICS designation that includes banks, brokers, creditors, and processors) follows a similar pattern. This indicates that such organizations are, by and large, able to maintain some level of control over their expanding risk surface.

A leading percentage of high-value assets combined with a leading percentage of highly critical security findings for the Securities and Commodities subsector is a disconcerting combination. It suggests either unusually high risk tolerance or ineffective risk management (or both), leaving those valuable assets overexposed. The Funds and Trusts subsector exhibits a more risk-averse approach to minimizing exposures across its relatively small digital footprint of valuable assets.

Risk Surface across Banking Institutions

Given that the financial sector is so broad, we thought a closer examination of the risk surface particular to banking institutions was in order. Banks have long concerned themselves with risk. Well before the rise of the Internet or mobile technologies, banks made their profits by gauging the risk of potential borrowers and loans, weighing the risk and reward of offering various deposit and investment products, entering different markets, and allowing access through several delivery channels. It could be said that the successful management and measurement of risk throughout an organization is perhaps the key factor that has always determined the relative success or failure of any bank.

As a highly regulated industry in most countries, banking institutions must also consider risk from more than a business or operational perspective. They must take into account the compliance requirements to limit risk in various areas, and ensure that they are properly securing their systems and services in a way that meets regulatory standards. Such pressures undoubtedly affect the risk surface, and Figure 6 hints at those effects on different types of banking institutions.

Credit card issuers earn the honored distinction of having the largest average number of Internet-facing hosts (by far) while achieving the lowest prevalence of severe security findings. Credit unions flip this trend with the fewest hosts and most prevalent findings. This likely reflects the perennial struggle of credit unions to get the most bang from their buck.

Traditionally well-resourced commercial banks leverage the most third-party providers and have a presence in more countries, all with a better-than-average exposure rate. Our previous research revealed that commercial banks were among the top two generators and receivers of multi-party cyber incidents, possibly due to the size and spread of their risk surface.

[Figure 6: risk surface dimensions across types of banking institutions]

Two Things to Consider

  1. In this interconnected world, third-party and fourth-party risk is your risk. If you are a financial institution, particularly a commercial bank, take a moment to congratulate yourself on managing risk well – but only for a moment. Why? Because every enterprise is critically dependent on a wide array of vendors and partners that span a broad spectrum of industries. Their risk is your risk. The work of your third-party risk team is critically important in holding your vendors accountable to managing your risk interests well.
  2. Managing risk—whether internal or third-party—requires focus. There are simply too many things to do, giving rise to the endless “hamster wheel of risk management.” A better approach starts with obtaining an accurate picture of your risk surface and the critical exposures across it. This includes third-party relationships, and now fourth-party risk, which bank regulators now require firms to address. Do you have the resources to sufficiently manage this? Do you know your risk surface?

Click here to access the RiskRecon and Cyentia study

Uncertainty Visualization

Uncertainty is inherent to most data and can enter the analysis pipeline during the measurement, modeling, and forecasting phases. Effectively communicating uncertainty is necessary for establishing scientific transparency. Further, people commonly assume that there is uncertainty in data analysis, and they need to know the nature of the uncertainty to make informed decisions.

However, understanding even the most conventional communications of uncertainty is highly challenging for novices and experts alike, which is due in part to the abstract nature of probability and ineffective communication techniques. Reasoning with uncertainty is unilaterally difficult, but researchers are revealing how some types of visualizations can improve decision-making in a variety of diverse contexts,

  • from hazard forecasting,
  • to healthcare communication,
  • to everyday decisions about transit.

Scholars have distinguished different types of uncertainty, including

  • aleatoric (irreducible randomness inherent in a process),
  • epistemic (uncertainty from a lack of knowledge that could theoretically be reduced given more information),
  • and ontological uncertainty (uncertainty about how accurately the modeling describes reality, which can only be described subjectively).

The term risk is also used in some decision-making fields to refer to quantified forms of aleatoric and epistemic uncertainty, whereas uncertainty is reserved for potential error or bias that remains unquantified. Here we use the term uncertainty to refer to quantified uncertainty that can be visualized, most commonly a probability distribution. This article begins with a brief overview of the common uncertainty visualization techniques and then elaborates on the cognitive theories that describe how the approaches influence judgments. The goal is to provide readers with the necessary theoretical infrastructure to critically evaluate the various visualization techniques in the context of their own audience and design constraints. Importantly, there is no one-size-fits-all uncertainty visualization approach guaranteed to improve decisions in all domains, nor even guarantees that presenting uncertainty to readers will necessarily improve judgments or trust. Therefore, visualization designers must think carefully about each of their design choices or risk adding more confusion to an already difficult decision process.

Uncertainty Visualization Design Space

There are two broad categories of uncertainty visualization techniques. The first are graphical annotations that can be used to show properties of a distribution, such as the mean, confidence/credible intervals, and distributional moments.

Numerous visualization techniques use the composition of marks (i.e., geometric primitives, such as dots, lines, and icons) to display uncertainty directly, as in error bars depicting confidence or credible intervals. Other approaches use marks to display uncertainty implicitly as an inherent property of the visualization. For example, hypothetical outcome plots (HOPs) are random draws from a distribution that are presented in an animated sequence, allowing viewers to form an intuitive impression of the uncertainty as they watch.

The second category of techniques focuses on mapping probability or confidence to a visual encoding channel. Visual encoding channels define the appearance of marks using controls such as color, position, and transparency. Techniques that use encoding channels have the added benefit of adjusting a mark that is already in use, such as making a mark more transparent if the uncertainty is high. Marks and encodings that both communicate uncertainty can be combined to create hybrid approaches, such as in contour box plots and probability density and interval plots.

More expressive visualizations provide a fuller picture of the data by depicting more properties, such as the nature of the distribution and outliers, which can be lost with intervals. Other work proposes that showing distributional information in a frequency format (e.g., 1 out of 10 rather than 10%) more naturally matches how people think about uncertainty and can improve performance.

Visualizations that represent frequencies tend to be highly effective communication tools, particularly for individuals with low numeracy (e.g., inability to work with numbers), and can help people overcome various decision-making biases.

Researchers have dedicated a significant amount of work to examining which visual encodings are most appropriate for communicating uncertainty, notably in geographic information systems and cartography. One goal of these approaches is to evoke a sensation of uncertainty, for example, using fuzziness, fogginess, or blur.

Other work that examines uncertainty encodings also seeks to make looking up values more difficult when the uncertainty is high, such as value-suppressing color palettes.

Given that there is no one-size-fits-all technique, in the following sections, we detail the emerging cognitive theories that describe how and why each visualization technique functions.


Uncertainty Visualization Theories

The empirical evaluation of uncertainty visualizations is challenging. Many user experience goals (e.g., memorability, engagement, and enjoyment) and performance metrics (e.g., speed, accuracy, and cognitive load) can be considered when evaluating uncertainty visualizations. Beyond identifying the metrics of evaluation, even the simplest tasks have countless configurations. As a result, it is hard for any single study to sufficiently test the effects of a visualization to ensure that it is appropriate to use in all cases. Visualization guidelines based on a single or small set of studies are potentially incomplete. Theories can help bridge the gap between visualization studies by identifying and synthesizing converging evidence, with the goal of helping scientists make predictions about how a visualization will be used. Understanding foundational theoretical frameworks will empower designers to think critically about the design constraints in their work and generate optimal solutions for their unique applications. The theories detailed in the next sections are only those that have mounting support from numerous evidence-based studies in various contexts. As an overview, the table provides a summary of the dominant theories in uncertainty visualization, along with proposed visualization techniques.

[Table: summary of the dominant theories in uncertainty visualization and the visualization techniques proposed for each]

General Discussion

There are no one-size-fits-all uncertainty visualization approaches, which is why visualization designers must think carefully about each of their design choices or risk adding more confusion to an already difficult decision process. This article overviews many of the common uncertainty visualization techniques and the cognitive theory that describes how and why they function, to help designers think critically about their design choices. We focused on the uncertainty visualization methods and cognitive theories that have received the most support from converging measures (e.g., the practice of testing hypotheses in multiple ways), but there are many approaches not covered in this article that will likely prove to be exceptional visualization techniques in the future.

There is no single visualization technique we endorse, but there are some that should be critically considered before employing them. Intervals, such as error bars and the Cone of Uncertainty, can be particularly challenging for viewers. If a designer needs to show an interval, we also recommend displaying information that is more representative, such as a scatterplot, violin plot, gradient plot, ensemble plot, quantile dotplot, or HOP. Just showing an interval alone could lead people to conceptualize the data as categorical. As alluded to in the prior paragraph, combining various uncertainty visualization approaches may be a way to overcome issues with one technique or get the best of both worlds. For example, each animated draw in a hypothetical outcome plot could leave a trace that slowly builds into a static display such as a gradient plot, or animated draws could be used to help explain the creation of a static technique such as a density plot, error bar, or quantile dotplot. Media outlets such as the New York Times have presented animated dots in a simulation to show inequalities in wealth distribution due to race. More research is needed to understand if and how various uncertainty visualization techniques function together. It is possible that combining techniques is useful in some cases, but new and undocumented issues may arise when approaches are combined.

In closing, we stress the importance of empirically testing each uncertainty visualization approach. As noted in numerous papers, the way that people reason with uncertainty is non-intuitive, which can be exacerbated when uncertainty information is communicated visually. Evaluating uncertainty visualizations can also be challenging, but it is necessary to ensure that people correctly interpret a display. A recent survey of uncertainty visualization evaluations offers practical guidance on how to test uncertainty visualization techniques.

Click here to access the entire article in the Handbook of Computational Statistics and Data Science

Overview on EIOPA Consultation Paper on the Opinion on the 2020 review of Solvency II

The Solvency II Directive provides that certain areas of the framework should be reviewed by the European Commission at the latest by 1 January 2021, namely:

  • long-term guarantees measures and measures on equity risk,
  • methods, assumptions and standard parameters used when calculating the Solvency Capital Requirement standard formula,
  • Member States’ rules and supervisory authorities’ practices regarding the calculation of the Minimum Capital Requirement,
  • group supervision and capital management within a group of insurance or reinsurance undertakings.

Against that background, the European Commission issued a request to EIOPA for technical advice on the review of the Solvency II Directive in February 2019 (call for advice – CfA). The CfA covers 19 topics. In addition to topics that fall under the four areas mentioned above, the following topics are included:

  • transitional measures
  • risk margin
  • Capital Markets Union aspects
  • macroprudential issues
  • recovery and resolution
  • insurance guarantee schemes
  • freedom to provide services and freedom of establishment
  • reporting and disclosure
  • proportionality and thresholds
  • best estimate
  • own funds at solo level

EIOPA is requested to provide technical advice by 30 June 2020.

Executive summary

This consultation paper sets out technical advice for the review of the Solvency II Directive. The advice is given in response to a call for advice from the European Commission. EIOPA will provide its final advice in June 2020. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. Firstly, the review of the long term guarantee measures. These measures were always foreseen as being reviewed in 2020, as specified in the Omnibus II Directive. A number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. Secondly, the potential introduction of new regulatory tools in the Solvency II Directive, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Thirdly, revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

Given that the view of EIOPA is that overall the Solvency II framework is working well, the approach here has in general been one of evolution rather than revolution. The principal exceptions arise as a result either of supervisory experience, for example in relation to cross-border business; or of the wider economic context, in particular in relation to interest rate risk. The main specific considerations and proposals of this consultation paper are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk submodule in line with empirical evidence. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

A background document to this consultation paper includes a qualitative assessment of the combined impact of all proposed changes. EIOPA will collect data in order to assess the quantitative combined impact and to take it into account in the decision on the proposals to be included in the advice. Beyond the changes on interest rate risk, EIOPA aims in general for a balanced impact of the proposals.

The following paragraphs summarise the main content of the consulted advice per chapter.

Long-term guarantees measures and measures on equity risk

EIOPA is considering choosing a later starting point for the extrapolation of risk-free interest rates for the euro, or changing the extrapolation method to take into account market information beyond the starting point. Changes are considered with the aim of avoiding the underestimation of technical provisions and wrong risk management incentives. The impact on the stability of solvency positions and on financial stability is taken into account. The paper sets out two approaches to calculating the volatility adjustment to the risk-free interest rates. Both approaches include application ratios to mitigate overshooting effects of the volatility adjustment and to take into account the illiquidity characteristics of the insurance liabilities the adjustment is applied to.

  • One approach also establishes a clearer split between a permanent component of the adjustment and a macroeconomic component that only exists in times of wide spreads.
  • The other approach takes into account the undertaking-specific investment allocation to further address overshooting effects.

Regarding the matching adjustment to risk-free interest rates the proposal is made to recognise in the Solvency Capital Requirement standard formula diversification effects with regard to matching adjustment portfolios. The advice includes proposals to strengthen the public disclosure on the long term guarantees measures and the risk management provisions for those measures.


The advice includes a review of the capital requirements for equity risk and proposals on the criteria for strategic equity investments and the calculation of long-term equity investments. Because of the introduction of the capital requirement on long-term equity investments EIOPA intends to advise that the duration-based equity risk sub-module is phased out.

Technical provisions

EIOPA identified a large number of aspects in the calculation of the best estimate of technical provisions where divergent practices among undertakings or supervisors exist. For some of these issues, where EIOPA’s convergence tools cannot ensure consistent practices, the advice sets out proposals to clarify the legal framework, mainly on

  • contract boundaries,
  • the definition of expected profits in future premiums,
  • and the expense assumptions for insurance undertakings that have discontinued one product type or even their whole business.

With regard to the risk margin of technical provisions, the transfer values of insurance liabilities, the sensitivity of the risk margin to interest rate changes and the calculation of the risk margin for undertakings that apply the matching adjustment or the volatility adjustment were analysed. The analysis did not result in a proposal to change the calculation of the risk margin.

Own funds

EIOPA has reviewed the differences in tiering and limits approaches within the insurance and banking framework, utilising quantitative and qualitative assessment. EIOPA has found that they are justifiable in view of the differences in the business of both sectors.


Solvency Capital Requirement standard formula

EIOPA confirms its advice provided in 2018 to increase the calibration of the interest rate risk sub-module. The current calibration underestimates the risk and does not take into account the possibility of a steep fall in interest rates, as experienced during the past years, or the existence of negative interest rates. The review

  • of the spread risk sub-module,
  • of the correlation matrices for market risks,
  • of the treatment of non-proportional reinsurance,
  • and of the use of external ratings

did not result in proposals for change.

Minimum Capital Requirement

Regarding the calculation of the Minimum Capital Requirement, it is suggested to update the risk factors for non-life insurance risks in line with recent changes made to the risk factors for the Solvency Capital Requirement standard formula. Furthermore, proposals are made to clarify the legal provisions on non-compliance with the Minimum Capital Requirement.


Reporting and disclosure

The advice proposes changes to the frequency of the Regular Supervisory Report to supervisors in order to ensure that the reporting is proportionate and supports risk-based supervision. Suggestions are made to streamline and clarify the expected content of the Regular Supervisory Report, with the aim of supporting insurance undertakings in fulfilling their reporting task, avoiding overlaps between different reporting requirements and ensuring a level playing field. Some reporting items are proposed for deletion because the information is also available through other sources. The advice includes a review of the reporting templates for insurance groups that takes into account earlier EIOPA proposals on the templates for solo undertakings and group specificities.

EIOPA proposes an auditing requirement for the balance sheet at group level in order to improve the reliability and comparability of the disclosed information. It is also suggested to delete the requirement to translate the summary of that report.

Proportionality

EIOPA has reviewed the rules for exempting insurance undertakings from the Solvency II Directive, in particular the thresholds on the size of insurance business. As a result, EIOPA proposes to maintain the general approach to exemptions but to reinforce proportionality across the three pillars of the Solvency II Directive.

Regarding thresholds, EIOPA proposes to double the thresholds related to technical provisions and to allow Member States to increase the current threshold for premium income from EUR 5 million to up to EUR 25 million.

EIOPA had already reviewed the simplified calculations of the standard formula and proposed improvements in 2018. In addition, the advice includes proposals to simplify the calculation of the counterparty default risk module and for simplified approaches to immaterial risks. Proposals are made to improve the proportionality of the governance requirements for insurance and reinsurance undertakings, in particular on

  • key functions (cumulation with operational functions, cumulation of key functions other than the internal audit, cumulation of key and AMSB functions),
  • own risk and solvency assessment (ORSA) (biennial report),
  • written policies (review at least once every three years),
  • and administrative, management and supervisory bodies (AMSB) (the evaluation shall include an assessment of the adequacy of the composition, effectiveness and internal governance of the administrative, management or supervisory body, taking into account the nature, scale and complexity of the risks inherent in the undertaking’s business).

Proposals to improve the proportionality in reporting and disclosure of Solvency II framework were made by EIOPA in a separate consultation in July 2019.

Group supervision

EIOPA proposes a number of regulatory changes to address the current legal uncertainties regarding the supervision of insurance groups under the Solvency II Directive. This is a welcome opportunity, as the regulatory framework for groups is not very specific in many cases, while in others it relies on the mutatis mutandis application of solo rules without much clarification.

In particular, there are policy proposals to ensure that the

  • definitions applicable to groups,
  • scope of application of group supervision,
  • and supervision of intragroup transactions, including issues with third countries

are consistent.

Other proposals focus on the rules governing the calculation of group solvency, including own funds requirements as well as any interaction with the Financial Conglomerates Directive. The last section of the advice focuses on the uncertainties related to the application of governance requirements at group level.

Freedom to provide services and freedom of establishment

EIOPA further provides suggestions in relation to cross-border business, in particular to support the efficient exchange of information among national supervisory authorities during the process of authorising insurance undertakings and in the case of material changes in cross-border activities. It is further recommended to enhance EIOPA’s role in the cooperation platforms that support the supervision of cross-border business.

Macro-prudential policy

EIOPA proposes to include the macroprudential perspective in the Solvency II Directive. Based on previous work, the advice develops a conceptual approach to systemic risk in insurance and then analyses the existing tools in the Solvency II framework against the sources of systemic risk identified, concluding that further improvements to the current framework are needed.


Against this background, EIOPA proposes a comprehensive framework covering the tools initially considered by the European Commission (improvements in the Own Risk and Solvency Assessment and the prudent person principle, as well as the drafting of systemic risk and liquidity risk management plans), as well as other tools that EIOPA considers necessary to equip national supervisory authorities with sufficient powers to address the sources of systemic risk in insurance. Among the latter, EIOPA proposes to grant national supervisory authorities the power

  • to require a capital surcharge for systemic risk,
  • to define soft concentration thresholds,
  • to require pre-emptive recovery and resolution plans,
  • and to impose a temporary freeze on redemption rights in exceptional circumstances.


Recovery and resolution

EIOPA calls for a minimum harmonised and comprehensive recovery and resolution framework for (re)insurers to deliver increased policyholder protection and financial stability in the European Union. Harmonisation of the existing frameworks and the definition of a common approach to the fundamental elements of recovery and resolution will avoid the current fragmented landscape and facilitate cross-border cooperation. In the advice, EIOPA focuses on the recovery measures including the request for pre-emptive recovery planning and early intervention measures. Subsequently, the advice covers all relevant aspects around the resolution process, such as

  • the designation of a resolution authority,
  • the resolution objectives,
  • the need for resolution planning,
  • and for a wide range of resolution powers to be exercised in a proportionate way.

The last part of the advice is devoted to the triggers for

  • early intervention,
  • entry into recovery and into resolution.


Other topics of the review

The review of the ongoing appropriateness of the transitional provisions included in the Solvency II Directive did not result in a proposal for changes. With regard to the fit and proper requirements of the Solvency II Directive, EIOPA proposes to clarify the position of national supervisory authorities on the ongoing supervision of the propriety of board members, and that they should have effective powers in case qualifying shareholders are not proper. Further advice is provided in order to increase the efficiency and intensity of propriety assessments in complex cross-border cases by providing the possibility of joint assessment and the use of EIOPA’s powers to assist where supervisors cannot reach a common view.

Source: EIOPA’s detailed Consultation Paper.

EIOPA outlines key financial stability risks of the European insurance and pensions sector

The global and European economic outlook has deteriorated in recent months, with weakening industrial production and business sentiment and ongoing uncertainties about trade disputes and Brexit. In particular, the “low for long” risk has resurfaced in the EU, as interest rates reached record lows in August 2019 and an increasing number of countries moved into negative yield territory for their sovereign bonds, even at longer maturities, in anticipation of a further round of monetary easing by central banks and a general flight to safety. Bond yields and swap rates have since recovered slightly, but protracted low interest rates form the key risk for both insurers and pension funds and put pressure on both their capital position and long-term profitability. Large declines in interest rates can also create further incentives for insurers and pension funds to search for yield, which could add to the build-up of vulnerabilities in the financial sector if not properly managed.

Despite the challenging environment, the European insurance sector remains well capitalised overall, with a median SCR ratio of 212% as of Q2 2019. However, a slight deterioration could be observed for life insurers in the first half of 2019, and the low interest rate environment is expected to put further pressure on the capital positions of life insurers in the second half of 2019. At the same time, profitability improved in the first half of 2019, mainly due to valuation gains in the equity and bond portfolios of insurers. Nevertheless, the low yield environment is expected to put additional strain on the medium- to long-term profitability of insurers, as higher yielding bonds will have to be replaced by lower yielding bonds, which may make it increasingly difficult for insurers to generate investment returns in excess of the guaranteed returns issued in the past, which are still prevalent in many countries.

THE EUROPEAN INSURANCE SECTOR

The challenging macroeconomic environment is leading insurance undertakings to further adapt their business models. In order to address the challenges associated with the low yield environment and improve profitability, life insurers are lowering guaranteed rates in traditional products and are increasingly focusing on unit-linked products. On the investment side, insurers are slowly moving towards more alternative investments and illiquid assets, such as unlisted equity, mortgages & loans, infrastructure and property. For non-life insurers, the challenge is mostly focused on managing increasing losses stemming from climate-related risks and cyber events, which may not be adequately reflected in risk models based on historical data, and continued competitive pressures.

Despite the challenging environment, the European insurance sector’s overall gross written premiums (GWP) grew slightly, by 1.6% on an annual basis, in Q2 2019. This growth is particularly driven by the increase in non-life GWP (3.7%), compared with a slight decrease in life GWP (-0.5%). The reduced growth rate in life GWP is associated with the slowdown in economic growth; however, this does not seem to have affected the growth of non-life GWP to the same extent. Overall GWP as a percentage of GDP slightly increased from 9% to 11% for the European insurance market; likewise, total assets as a share of GDP improved from 70% to 74%. The share of unit-linked business has slightly declined, notwithstanding the growth expectations. Even though insurers are increasingly trying to shift towards unit-linked business in the current low yield environment, the total share of unit-linked business in life GWP has slightly decreased from 42% in Q2 2018 to 40% in Q2 2019; likewise, the share for the median insurance company declined from 34% in Q2 2018 to 31% in Q2 2019. Considerable differences remain across countries, with some countries still being plagued by low trust due to mis-selling issues in the past. Overall, the trend towards unit-linked business means that investment risks are increasingly transferred to policyholders, with potential reputational risks to the insurance sector in case investment returns turn out lower than anticipated.


The liquid asset ratio slightly deteriorated in the first half of 2019. The median value for liquid assets increased by 1.5% from 63.3% in Q2 2018 to 64.8% in Q4 2018, and then decreased slightly to 63.8% in Q2 2019. Furthermore, the distribution moved down (the 10th percentile fell by 6 p.p. over the past year to 47.9%). Liquid assets are necessary in order to meet payment obligations when they are due. Furthermore, a potential increase in interest rate yields might directly impact the liquidity needs of insurers due to a significant increase in the lapse rate, as policyholders might look for more attractive alternative investments.


Lapse rates in the life business remained broadly stable, increasing slightly in the first half of 2019. The median value increased from 1.34% in Q2 2018 to 1.38% in Q2 2019. Moreover, a potential sudden reversal of risk premia and abruptly rising yields could trigger an increase in lapse rates and surrender ratios, as policyholders might look for more attractive investments. Although several contractual and fiscal implications could limit the impact of lapses and surrenders in some countries, potential lapses by policyholders could add additional strain on insurers’ financial position once yields start increasing.

The return on investment has substantially declined further over 2018. The investment returns have significantly deteriorated for the main investment classes (bonds, equity and collective instruments). The median return on investment decreased to only 0.31% in 2018, compared to 2.83% in 2016 and 1.95% in 2017. In particular the four main investment options (government and corporate bonds, equity instruments and collective investment undertakings) – which approximately account for two-thirds of insurers’ total investment portfolios – have generated considerably lower or even negative returns in 2018. As a consequence, insurers may increasingly look for alternative investments, such as unlisted equities, mortgages and infrastructure to improve investment returns. This potential search for yield behaviour might differ per country and warrants close monitoring by supervisory authorities as insurers may suffer substantial losses on these more illiquid investments when markets turn sour.


Despite the challenging investment climate, overall insurer profitability improved in the first half of 2019. The median return on assets (ROA) increased from 0.24% in Q2 2018 to 0.32% in Q2 2019, whereas the median return on excess of assets over liabilities (used as a proxy for return on equity) increased from 2.8% in Q2 2018 to 4.9% in Q2 2019. The improvement in overall profitability seems to stem mainly from valuation gains in the investment portfolio of insurers, driven by a strong rebound in equity prices and declining yields (and hence increasing values of bond holdings) throughout the first half of 2019, while profitability could be further supported by strong underwriting results and insurers’ continued focus on cost optimisation. However, the decrease in expected profits in future premiums (EPIFP) from 11% in Q1 2019 to 10.3% in Q2 2019 suggests expectations of deteriorating profitability looking ahead. Underwriting profitability remained stable and overall positive in the first half of 2019. The median Gross Combined Ratio for non-life business remained below 100% in the first half of 2019 across all lines of business, indicating that most EEA insurers were able to generate positive underwriting results (excluding profits from investments). However, significant outliers can still be observed across lines of business, in particular for credit and suretyship insurance, indicating that several insurers have experienced substantial underwriting losses in this line of business. Furthermore, concerns of underpricing and underreserving remain in the highly competitive motor insurance markets.


Solvency positions slightly deteriorated in the first half of 2019, and the low interest rate environment is expected to put further pressure on capital positions in the second half of the year, especially for life insurers. Furthermore, the number of life insurance undertakings with SCR ratios below the 100% threshold increased in comparison with the previous year, from 1 in Q2 2018 to 4 in Q2 2019, mainly due to the low interest rate environment, while the number of non-life insurance undertakings with SCR ratios below the 100% threshold decreased from 9 in Q2 2018 to 7 in Q2 2019. The median SCR ratio for life insurers is still the highest compared to non-life insurers and composite undertakings. However, the SCR ratio differs substantially among countries.


The impact of the LTG and transitional measures varies considerably across insurers and countries. The long-term guarantee (LTG) and transitional measures were introduced in the Solvency II Directive to ensure an appropriate treatment of insurance products that include long-term guarantees and to facilitate a smooth transition to the new regime. These measures can have a significant impact on the SCR ratio by allowing insurance undertakings, among other things, to apply a premium to the risk-free interest rate used for discounting technical provisions. The impact of applying these measures is highest in DE and the UK, where the distribution of SCR ratios is significantly lower without LTG and transitional measures (Figure 2.16). While it is important to take the effect of LTG measures and transitional measures into account when comparing across insurers and countries, the LTG measures do provide a potential financial stability cushion by reducing overall volatility.

On October 15th 2019, EIOPA launched a public consultation on an Opinion that sets out technical advice for the 2020 review of Solvency II. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. The review of the LTG measures, where a number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. The potential introduction of new regulatory tools in the Solvency II framework, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

The main specific considerations and proposals of this consultation are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk sub-module in line with empirical evidence, in particular the existence of negative interest rates. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

The European Supervisory Authorities (ESAs) published on 4 October 2019 a Joint Opinion on the risks of money laundering and terrorist financing affecting the European Union’s financial sector. In this Joint Opinion, the ESAs identify and analyse current and emerging money laundering and terrorist financing (ML/TF) risks to which the EU’s financial sector is exposed. In particular, the ESAs have identified that the main cross-cutting risks arise from

  • the withdrawal of the United Kingdom (UK) from the EU,
  • new technologies,
  • virtual currencies,
  • legislative divergence and divergent supervisory practices,
  • weaknesses in internal controls,
  • and terrorist financing and de-risking.

In order to mitigate these risks, the ESAs have proposed a number of potential actions for the Competent Authorities.

Following its advice to the European Commission on the integration of sustainability risks in Solvency II and the Insurance Distribution Directive in April 2019, EIOPA published on 30 September 2019 an Opinion on Sustainability within Solvency II, which addresses the integration of climate-related risks in Solvency II Pillar I requirements. EIOPA found no current evidence to support a change in the calibration of capital requirements for “green” or “brown” assets. In the Opinion, EIOPA calls on insurance and reinsurance undertakings to implement measures linked with climate change-related risks, especially in view of a substantial impact on their business strategy; in that respect, the importance of scenario analysis in the undertakings’ risk management is highlighted. To increase the European market’s and citizens’ resilience to climate change, undertakings are called on to consider the impact of their underwriting practices on the environment. EIOPA also supports the development of new insurance products, adjustments in the design and pricing of products and engagement with public authorities, as part of the industry’s stewardship activity.

On 15 July 2019, EIOPA submitted to the European Commission draft amendments to the Implementing Technical Standards (ITS) on reporting and the ITS on public disclosure. The proposed amendments are mainly intended to reflect the changes made to the Solvency II Delegated Regulation by Commission Delegated Regulation (EU) 2019/981 and Commission Delegated Regulation 2018/1221 as regards the calculation of regulatory capital requirements for securitisations and simple, transparent and standardised securitisations held by insurance and reinsurance undertakings. A more detailed review of the reporting and disclosure requirements will be part of the 2020 review of Solvency II.

On 18 June 2019, Commission Delegated Regulation (EU) 2019/981, amending the Solvency II Delegated Regulation with respect to the calculation of the SCR for standard formula users, was published. The new regulation includes the majority of the changes proposed by EIOPA in its advice to the Commission in February 2018, with the exception of the proposed change regarding interest rate risk. Most of the changes have applied since July 2019, although the changes to the calculation of the loss-absorbing capacity of deferred taxes and to non-life and health premium and reserve risk will apply from 1 January 2020.

RISK ASSESSMENT

QUALITATIVE RISK ASSESSMENT

EIOPA conducts twice a year a bottom-up survey among national supervisors to determine the key risks and challenges for the European insurance and pension fund sectors, based on their probability and potential impact.

The EIOPA qualitative Autumn 2019 Survey reveals that low interest rates remain the main risk for both the insurance and pension fund sectors. Equity risks also remain prevalent, ranking as the 3rd and 2nd biggest risk for the insurance and pension fund sectors respectively. The cyber risk category is now ranked as the 2nd biggest risk for the insurance sector, as insurers need to adapt their business models to this new type of risk from both an operational risk perspective and an underwriting perspective. Geopolitical risks have become more significant for both markets, along with macro risks, which continue to be present in the insurance and pension fund sectors, partially due to concerns over protectionism, trade tensions, debt sustainability, a sudden increase in risk premia and uncertainty relating to the potential future post-Brexit landscape.

The survey further suggests that all the risks are expected to increase over the coming year. The increased risk of the low-for-long interest rate environment is in line with the observed market developments, particularly after the ECB’s announcement of renewed monetary easing in September 2019. The significant expected rise of cyber, property, equity, macro and geopolitical risks in the following year is also in line with the observed market developments, indicating increased geopolitical uncertainty, trade tensions, stretched valuations in equity and real estate markets and more frequent and sophisticated cyber attacks, which could all potentially affect the financial position of insurers and pension funds. On the other hand, ALM risks and credit risk for financials are expected to increase in the coming year, while in the previous survey, in spring 2019, expectations pointed in the opposite direction.


Although cyber risk ranks as one of the top risks and is expected to increase in the following year, many jurisdictions also see cyber-related insurance activities as a growth opportunity. The rapid pace of technological innovation and digitalisation is a challenge for the insurance market, and insurers need to be able to adapt their business models to this challenging environment. Nonetheless, from a profitability perspective, increased digitalisation may offer significant cost-saving and revenue-increasing opportunities for insurance companies. Increased awareness of cyber risk, and the higher vulnerability to cyber threats among undertakings due to the increased adoption of digital technologies, could drive growth in cyber insurance underwriting.

The survey shows that the exposure to a sudden correction of risk premia differs significantly across EU countries. In the event of a sudden correction in risk premia, insurance undertakings and pension funds with ample exposure to bonds and real estate could suffer significant asset value variations that could lead to forced asset sales and potentially amplify the original shock to asset prices in less liquid markets. Some jurisdictions, however, confirm their limited exposure to this risk due to low holdings of fixed income instruments and well diversified portfolios.

The survey further indicates that national authorities expect an increase in investments in alternative asset classes and more illiquid assets. Conversely, holdings of government bonds are expected to decrease in favour of corporate bonds within the next 12 months. Overall, this might indicate that potential search-for-yield behaviour and a shift towards more illiquid assets continue throughout numerous EU jurisdictions. Property investments – through, for instance, mortgages and infrastructure investment – are also expected to increase in some jurisdictions, for both insurers and pension funds. A potential downturn of real estate markets could therefore also affect the soundness of the insurance and pension fund sectors.


QUANTITATIVE RISK ASSESSMENT EUROPEAN INSURANCE SECTOR

This section further assesses the key risks and vulnerabilities for the European insurance sector identified in this report. A detailed breakdown of the investment portfolio and asset allocation is provided with a focus on specific country exposures and interconnectedness with the banking sector. The chapter also analyses in more detail the implications of the current low yield environment for insurers.

INVESTMENTS

Insurance companies’ investments remain broadly stable, with a slight move towards less liquid investments. Government and corporate bonds continue to make up the majority of the investment portfolio, with only a slight movement towards more non-traditional investment instruments such as unlisted equity and mortgages and loans. Life insurers in particular rely on fixed-income assets, due to the importance of asset-liability matching for their long-term obligations. At the same time, the high share of fixed-income investments could give rise to significant reinvestment risk in the current low yield environment, in case maturing fixed-income securities can only be replaced by lower yielding fixed-income securities of the same credit quality.

The overall credit quality of the bond portfolio is broadly satisfactory, although slight changes are observed in 2018. The vast majority of bonds held by European insurers are investment grade, with most rated as CQS1 (AA). However, the share of CQS2 has increased in the first half of 2019, and significant differences can be observed for insurers across countries.


INTERCONNECTEDNESS BETWEEN INSURERS AND BANKS

The overall exposures towards the banking sector remain significant for insurers in certain countries, which could be one potential transmission channel in case of a sudden reassessment of risk premia. The interconnectedness between insurers and banks could intensify contagion across the financial system through common risk exposures. A potential sudden reassessment of risk premia may not only affect insurers directly, but also indirectly through exposures to the banking sector. This is also a potential transmission channel of emerging markets distress, as banks have on average larger exposures to emerging markets when compared to insurers.

Another channel of risk transmission could be through different types of bank instruments bundled together and credited by institutional investors such as insurers and pension funds.

Insurers’ exposures towards banks are heterogeneous across the EU/EEA countries, with different levels of home bias as well. Hence, countries with primary banks exposed to emerging markets or weak banking sectors could be impacted more in case of economic distress. On average, 15.95% of the EU/EEA insurers’ assets are issued by the banking sector through different types of instruments, mostly bank bonds.


Source: EIOPA’s December 2019 Financial Stability Report.

From Risk to Strategy: Embracing the Technology Shift

The role of the risk manager has always been to understand and manage threats to a given business. In theory, this involves a very broad mandate to capture all possible risks, both current and future. In practice, however, some risk managers are assigned to narrower, siloed roles, with tasks that can seem somewhat disconnected from key business objectives.

Amidst a changing risk landscape and increasing availability of technological tools that enable risk managers to do more, there is both a need and an opportunity to move toward that broader risk manager role. This need for change – not only in the risk manager’s role, but also in the broader approach to organizational risk management and technological change – is driven by five factors.

[Marsh Exhibit 1]

The rapid pace of change has many C-suite members questioning what will happen to their business models. Research shows that 73 percent of executives predict significant industry disruption in the next three years (up from 26 percent in 2018). In this challenging environment, risk managers have a great opportunity to demonstrate their relevance.

USING NEW TOOLS TO MANAGE RISKS

Emerging technologies present compelling opportunities for the field of risk management. As discussed in our 2017 report, the three levers of data, analytics, and processes allow risk professionals a framework to consider technology initiatives and their potential gains. Emerging tools can support risk managers in delivering a more dynamic, in-depth view of risks in addition to potential cost-savings.

However, this year’s survey shows that across Asia-Pacific, risk managers still feel they severely lack knowledge of the emerging technologies used across the business. Confidence scores were low in all but one category, risk management information systems (RMIS). These scores were only marginally higher for respondents in highly regulated industries (financial services and energy utilities), underscoring the need for further training across all industries.

[Marsh Exhibit 3]

When it comes to technology, risk managers should aim for “digital fluency”, a level of familiarity that allows them to

  • first determine how technologies can help address different risk areas,
  • and then understand the implications of doing so.

They need not understand the inner workings of various technologies, as their niche should remain aligned with their core expertise: applying risk technical skills, principles, and practices.

CULTIVATING A “DIGITAL-FIRST” MIND-SET

Successful technology adoption does not only present a technical skills challenge. If risk function digitalization is to be effective, risk managers must champion a cultural shift to a “digital-first” mindset across the organization, where all stakeholders develop a habit of thinking about how technology can be used for organizational benefit.

For example, the risk manager of the future will be looking to glean greater insights using increasingly advanced analytics capabilities. To do this, they will need to actively encourage their organization

  • to collect more data,
  • to use their data more effectively,
  • and to conduct more accurate and comprehensive analyses.

Underlying the risk manager’s digital-first mind-set will be three supporting mentalities:

1. The first of these is the perception of technology as an opportunity rather than a threat. Some understandable anxiety exists on this topic, since technology vendors often portray technology as a means of eliminating human input and labor. This framing neglects the gains in effectiveness and efficiency that allow risk managers to improve their judgment and decision making, and spend their time on more value-adding activities. In addition, the success of digital risk transformations will depend on the risk professionals who understand the tasks being digitalized; these professionals will need to be brought into the design and implementation process right from the start. After all, as the Japanese saying goes, “it is workers who give wisdom to the machines.” Fortunately, 87 percent of surveyed PARIMA members indicated that automating parts of the risk manager’s job to allow greater efficiency represents an opportunity for the risk function. Furthermore, 63 percent of respondents indicated that this was not merely a small opportunity, but a significant one (Exhibit 6). This positive outlook makes an even stronger statement than findings from an earlier global study in which 72 percent of employees said they see technology as a benefit to their work.

2. The second supporting mentality will be a habit of looking for ways in which technology can be used for benefit across the organization, not just within the risk function but also in business processes and client solutions. Concretely, the risk manager can embody this culture by adopting a data-driven approach, whereby they consider:

  • How existing organizational data sources can be better leveraged for risk management
  • How new data sources – both internal and external – can be explored
  • How data accuracy and completeness can be improved

“Risk managers can also benefit from considering outside-the-box use cases, as well as keeping up with the technologies used by competitors,” adds Keith Xia, Chief Risk Officer of OneHealth Healthcare in China.

This is an illustrative rather than comprehensive list, as a data-driven approach – and more broadly, a digital mind-set – is fundamentally about a new way of thinking. If risk managers can grow accustomed to reflecting on technologies’ potential applications, they will be able to pre-emptively spot opportunities, as well as identify and resolve issues such as data gaps.

3. All of this will be complemented by a third mentality: the willingness to accept change, experiment, and learn, such as in testing new data collection and analysis methods. Propelled by cultural transformation and shifting mind-sets, risk managers will need to learn to feel comfortable with – and ultimately be in the driver’s seat for – the trial, error, and adjustment that accompanies digitalization.

MANAGING THE NEW RISKS FROM EMERGING TECHNOLOGIES

The same technological developments and tools that are enabling organizations to transform and advance are also introducing their own set of potential threats.

Our survey shows the PARIMA community is aware of this dynamic, with 96 percent of surveyed members expecting that emerging technologies will introduce some – if not substantial – new risks in the next five years.

The following exhibit gives a further breakdown of views from this 96 percent of respondents, and the perceived sufficiency of their existing frameworks. These risks are evolving in an environment where there are already questions about the relevance and sufficiency of risk identification frameworks. Risk management has become more challenging due to the added complexity from rapid shifts in technology, and individual teams are using risk taxonomies with inconsistent methodologies, which further highlights the challenges that risk managers face in managing their responses to new risk types.

[Marsh Exhibit 9]

To assess how new technology in any part of the organization might introduce new risks, consider the following checklist:

HIGH-LEVEL RISK CHECKLIST FOR EMERGING TECHNOLOGY

  1. Does the use of this technology cut across existing risk types (for example, AI risk presents a composite of technology risk, cyber risk, information security risk, and so on depending on the use case and application)? If so, has my organization designated this risk as a new, distinct category of risk with a clear definition and risk appetite?
  2. Is use of this technology aligned to my company’s strategic ambitions and risk appetite? Are the cost and ease of implementation feasible given my company’s circumstances?
  3. Can this technology’s implications be sufficiently explained and understood within my company (e.g. what systems would rely on it)? Would our use of this technology make sense to a customer?
  4. Is there a clear view of how this technology will be supported and maintained internally, for example, with a digitally fluent workforce and designated second line owner for risks introduced by this technology (e.g. additional cyber risk)?
  5. Has my company considered the business continuity risks associated with this technology malfunctioning?
  6. Am I confident that there are minimal data quality or management risks? Do I have the high-quality, large-scale data necessary for advanced analytics? Would customers perceive use of their data as reasonable, and will this data remain private, complete, and safe from cyberattacks?
  7. Am I aware of any potential knock-on effects or reputational risks – for example, through exposure to third (and fourth) parties that may not act in adherence to my values, or through invasive uses of private customer information?
  8. Does my organization understand all implications for accounting, tax, and any other financial reporting obligations?
  9. Are there any additional compliance or regulatory implications of using this technology? Do I need to engage with regulators or seek expert advice?
  10. For financial services companies: Could I explain any algorithms in use to a customer, and would they perceive them to be fair? Am I confident that this technology will not violate sanctions or support crime (for example, fraud, money laundering, terrorism finance)?

SECURING A MORE TECHNOLOGY-CONVERSANT RISK WORKFORCE

As risk managers focus on digitalizing their function, it is important that organizations support this with an equally deliberate approach to their people strategy. This is for two reasons, as Kate Bravery, Global Solutions Leader, Career at Mercer, explains: “First, each technological leap requires an equivalent revolution in talent; and second, talent typically becomes more important following disruption.”

While upskilling the current workforce is a positive step, as addressed before, organizations must also consider a more holistic talent management approach. Risk managers understand this imperative, with survey respondents indicating a strong desire to increase technology expertise in their function within the next five years.

Yet, little progress has been made in adding these skills to the risk function, with a significant gap persisting between aspirations and the reality on the ground. In both 2017 and 2019 surveys, the number of risk managers hoping to recruit technology experts has been at least 4.5 times the number of teams currently possessing those skills.

[Marsh Exhibit 15]

EMBEDDING RISK CULTURE THROUGHOUT THE ORGANIZATION

Our survey found that a lack of risk management thinking in other parts of the organization is the biggest barrier the risk function faces in working with other business units. This is a crucial and somewhat alarming finding – but new technologies may be able to help.

[Marsh Exhibit 19]

As technology allows for increasingly accurate, relevant, and holistic risk measures, organizations should find it easier to develop risk-based KPIs and incentives that can help employees throughout the business incorporate a risk-aware approach into their daily activities.

From an organizational perspective, a first step would be to describe risk limits and risk tolerance in a language that all stakeholders can relate to, such as potential losses. Organizations can then cascade these firm-wide risk concepts down to operational business units, translating risk language into tangible and relevant incentives that encourage behavior consistent with firm values. Research shows that employees in Asia want this linkage, citing a desire to better align their individual goals with business goals.

The question thus becomes how risk processes can be made an easy, intuitive part of employee routines. It is also important to consider KPIs for the risk team itself as a way of encouraging desirable behavior and further embedding a risk-aware culture. Already a majority of surveyed PARIMA members use some form of KPIs in their teams (81 percent), and the fact that reporting performance is the most popular service level measure supports the expectation that PARIMA members actively keep their organization informed.

[Marsh Exhibit 21]

At the same time, these survey responses also raise a number of questions. Forty percent of organizations indicate that they measure reporting performance, but far fewer are measuring accuracy (15 percent) or timeliness (16 percent) of risk analytics – which are necessary to achieve improved reporting performance. Moreover, the most-utilized KPIs in this year’s survey tended to be tangible measures around cost, from which it can be difficult to distinguish a mature risk function from a lucky one.

SUPPORTING TRANSFORMATIONAL CHANGE PROGRAMS

Even with a desire from individual risk managers to digitalize and complementary organizational intentions, barriers still exist that can leave risk managers using basic tools. In 2017, cost and budgeting concerns were the single, standout barrier to risk function digitalization, chosen by 67 percent of respondents, well clear of second-placed human capital concerns at 18 percent. This year’s survey responses were much closer, with a host of ongoing barriers, six of which were cited by more than 40 percent of respondents.

[Marsh Exhibit 22]

Implementing the nuts and bolts of digitalization will require a holistic transformation program to address all these barriers. That is not to say that initiatives must necessarily be massive in scale. In fact, well-designed initiatives targeting specific business problems can be a great way to demonstrate success that can then be replicated elsewhere to boost innovation.

Transformational change is inherently difficult, in particular where it spans both technological and people dimensions. Many large organizations have generally relied solely on IT teams for their “digital transformation” initiatives. This approach has had limited success, as such teams are usually designed to deliver very specific business functionalities, as opposed to leading change initiatives. If risk managers are to realize the benefits of such transformation, it is incumbent on them to take a more active role in influencing and leading transformation programs.

Click here to access Marsh’s and PARIMA’s detailed report

Optimizing Your GRC Technology Ecosystem

Most organizations rely on multiple technologies to manage GRC across the enterprise. Optimizing a GRC technology ecosystem aligned with a defined GRC process structure improves risk-informed business decisions and achievement of strategic business objectives. This illustration outlines ways to continuously optimize your GRC technology ecosystem for

  • greater process consistency
  • and development of actionable information.

An integrated GRC technology ecosystem built on common vocabulary, taxonomy and processes enables

  • more accurate and timely reporting,
  • increased reliability of achievement of objectives
  • and greater confidence in assurance with less burden on the business.

Here are just a few of the key benefits:

Process and Technology Alignment

  • Common methods for core tasks, uniform taxonomies, and consistent vocabulary for governance, risk management and compliance across the organization
  • Risk-based actions and controls that ensure timely responses to changed circumstances
  • Standardized GRC processes based on understanding where in the organization each defined process takes place and how data is used in managing risks and requirements
  • Connected technologies as necessary to gain a complete view of the management actions, controls and information needed by each user

Governance Systems to include:

  • Strategy / Performance
  • Board Management
  • Audit & Assurance Tools

Risk Systems to include:

  • Brand & Reputation
  • Finance / Treasury Risk
  • Information / IT Risk
  • External Risk Content
  • Third Party Risk

Compliance Systems to include:

  • Policies
  • Helpline / Hotline
  • Training
  • EHS (Environment Health and Safety)
  • Fraud / Corruption
  • Global Trade
  • Privacy
  • Regulatory Change
  • AML (Anti Money Laundering) / KYC (Know Your Customer)

Enabling Systems to include:

  • Data Visualization
  • Analytics
  • Business Intelligence
  • Predictive Tools
  • External Data Sources

Protective Systems to include:

  • Information Security
  • Data Protection
  • Assets Control

Benefits and Outcomes

  • Enhanced tracking of achievement of objectives and obstacles
  • Connected reporting for board/management/external stakeholders
  • Timely understanding of impact from operational decisions
  • Actionable view of changes needed to meet regulatory requirements
  • Clear action pathways for resolution of issues and process reviews
  • Consistent risk assessments feeding into advanced analytics
  • Improved predictive capabilities to support strategic planning
  • Control testing and audit trails for response to regulators and auditors
  • Greater confidence in assurance with less burden on the business
  • Enterprise-wide, departmental and geographic control standards

OCEG

Tips for Optimization

1. Process Framework

  • Identify tasks appropriate for standardization and schedule implementation across units
  • Assess vocabulary used throughout organization for inconsistencies and establish rules
  • Adjust process model periodically to continue alignment with business objectives and activities

2. Technology Ecosystem

  • Periodically review GRC technologies for gaps and duplication of systems
  • Assess appropriateness of connection of systems for data sharing and user access
  • Maintain a current road map for re-purposing and acquisition of technologies

3. Outcome Management

  • Apply standard processes for resolution of issues and remediation of identified process framework or technology ecosystem weaknesses
  • Enhance reporting capabilities with refined report structure and delivery methods/schedules
  • Ensure all users apply the process framework and understand how best to use the technology

Click here to access OCEG’s illustration in detail