Implementing combined audit assurance

ASSESS IMPACT & CREATE AN ASSURANCE MAP

The audit impact assessment and assurance map are interdependent—and the best possible starting point for your combined assurance journey. An impact assessment begins with a critical look at the current or “as is” state of your organization. As you review your current state, you build out your assurance map with your findings. You can’t really do one without the other. The map, then, will reveal any overlaps and gaps, and provide insight into the resources, time, and costs you might require during your implementation. Looking at an assurance map example will give you a better idea of what we’re talking about. The Institute of Chartered Accountants of England and Wales (ICAEW) has an excellent template.

Galv4

The ICAEW has also provided a guide to building a sound assurance map. The institute suggests you take the following steps:

  1. Identify your sponsor (the main user/senior staff member who will act as a champion).
  2. Determine your scope (identify elements that need assurance, like operational/ business processes, board-level risks, governance, and compliance).
  3. Assess the required amount of assurance for each element (understand what the required or desired amount of assurance is across aspects of the organization).
  4. Identify and list your assurance providers in each line of defense (e.g., audit committee or risk committee in the third line).
  5. Identify your assurance activities (compile and review relevant documentation, select and interview area leads, collate and assess assurance provider information).
  6. Reassess your scope (revisit and update your map scope, based on the information you have gathered/evaluated to date).
  7. Assess the quality of your assurance activities (look at breadth and depth of scope, assurance provider competence, how often activities are reviewed, and the strengths/quality of assurance delivered by each line of defense).
  8. Assess the aggregate actual amount of assurance for each element (the total amount of assurance needs to be assessed, collating all the assurance being provided by each line of defense).
  9. Identify the gaps and overlaps in assurance for each element (compare the actual amount of assurance with the desired amount to determine if there are gaps or overlaps).
  10. Determine your course of action (make recommendations for the actions to be taken/activities to be performed moving forward).

Just based on the steps above, you could understand how your desired state evolves by the time you reach step 10. Ideally, by this point, gaps and overlaps have been eliminated. But the steps we just reviewed don’t cover the frequency of each review and they don’t determine costs. So we’ve decided to add a few more steps to round it out:

  1. Assess the frequency of each assurance activity.
  2. Identify total cost for all the assurance activities in the current state.
  3. Identify the total cost for combined assurance (i.e., when gaps and overlaps have been addressed, and any consequent benefits or cost savings).

DEFINE THE RISKS OF IMPLEMENTATION

Implementing combined assurance is a project, and like any project, there’s a chance it can go sideways and fail, losing you both time and money. So, just like anything else in business, you need to take a risk-based approach. As part of this stage, you’ll want to clearly define the risks of implementing a combined assurance program, and add these risks, along with a mitigation plan and the expected benefits, to your tool kit. As long as the projected benefits of the project outweigh the residual risks and costs, the implementation program is worth pursuing. You’ll need to be able to demonstrate that a little further down the process.

DEFINE RESOURCES & DELIVERABLES

Whoever will own the project of implementing combined assurance will no doubt need dedicated resources in order to execute. So, who do we bring in? On first thought, the internal audit team looks best suited to drive the program forward. But, during the implementation phase, you’ll actually want a cross-functional team of people from internal control, risk, and IT, to work alongside internal audit. So, when you’re considering resourcing, think about each and every team this project touches. Now you know who’s going to do the work, you’ll want to define what they’re doing (key milestones) and when it will be delivered (time frame). And finally, define the actual benefits, as well as the tangible deliverables/outcomes of implementing combined assurance. (The table below provides some examples, but each organization will be unique.)

Galv1

RAISE AWARENESS & GET MANAGEMENT COMMITMENT

Congratulations! You’re now armed with a fancy color-coded impact assessment, and a full list of risks, resources, and deliverables. The next step is to clearly communicate and share the driving factors behind your combined assurance initiative. If you want them to support and champion your efforts, top management will need to be able to quickly take in and understand the rationale behind your desire for combined assurance. Critical output: You’ll want to create a presentation kit of sorts, including the assurance map, lists of risks, resources, and deliverables, a cost/benefit analysis, and any supporting research or frameworks (e.g., the King IV Report, FRC Corporate Governance Code, available industry analysis, and case studies). Chances are, you’ll be presenting this concept more than once, so if you can gather and organize everything in a single spot, that will save a lot of headaches down the track.

ASSIGN ACCOUNTABILITY

When we ask the question, “Who owns the implementation of combined assurance?”, we need to consider two main things:

  • Who would be most impacted if combined assurance were implemented?
  • Who would be senior enough to work across teams to actually get the job done?

It’s evident that a board/C-level executive should lead the project. This project will be spanning multiple departments and require buy-in from many people—so you need someone who can influence and convince. Therefore, we feel that the chief audit executive (CAE) and/or the chief revenue officer (CRO) should be accountable for implementing combined assurance. The CAE literally stands at the intersection of internal and external assurance. Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity. And the CRO is taking a more active interest in assurance maps as they become increasingly more risk-focused. The Institute of Internal Auditors (IIA), Standard 2050, also assigns accountability to the CAE, stating: “The chief audit executive should share information and coordinate activities with other internal and external assurance providers and consulting services to ensure proper coverage and minimize duplication of effort.” So, not only is the CAE at the intersection of assurance, they’re also directing traffic—exactly the combination we need to drive implementation.

Envisioning the solution

You’ve summarized the current/“as is” state in your assurance map. Now it’s time to move into a future state of mind and envision your desired state. What does your combined assurance solution look like? And, more critically, how will you create it? This stage involves more assessment work. Only now you’ll be digging into the maturity levels of your organization’s risk management and internal audit process, as well as the capabilities and maturity of your Three Lines of Defense. This is where you answer the questions, “What do I want?”, and “Is it even feasible?” Some make-or-break capability factors for implementing combined assurance include:

  1. Corporate risk culture Risk culture and risk appetite shape an organization’s decision-making, and that culture is reflected at every level. Organizations who are more risk-averse tend to be unwilling to make quick decisions without evidence and data. On the other hand, risk-tolerant organizations take more risks, make rapid decisions, and pivot quickly, often without performing due diligence. How will your risk culture shape your combined assurance program?
  2. Risk management awareness If employees don’t know—and don’t prioritize— how risk can and should be managed in your organization, your implementation program will fail. Assurance is very closely tied to risk, so it’s important to communicate constantly and make people aware that risk at every level must be adequately managed.
  3. Risk management processes We just stated that risk and assurance are tightly coupled, so it makes sense that the more mature your risk management processes are, the easier it will be to implement combined assurance. Mature risk management means you’ve got processes defined, documented, running, and refined. For the lucky few who have all of these things, you’re going to have a much easier time compared to those who don’t.
  4. Risk & controls taxonomy Without question, you will require a common risk and compliance language. We can’t have people making up names for tools, referring to processes in different ways, or worst of all, reporting on totally random KPIs. The result of combined assurance should be “one language, one voice, one view” of the risks and issues across the organization.
  5. System & process integrations An integrated system where there is one set of risks and one set of controls is key to delivering effective combined assurance. This includes: Risk registers across the organization, Controls across the organization Issues and audit findings, Reporting.
  6. Technology use Without dedicated software technology, it’s extremely difficult to provide a sustainable risk management system with sound processes, a single taxonomy, and integrated risks and controls. How technology is used in your organization will determine the sustainability of combined assurance. (If you already have a risk management and controls platform that has these integration capabilities, implementation will be easier.)
  7. Using assurance maps as monitoring tools Assurance maps aren’t just for envisioning end-states; they’re also critical monitoring tools that can feed data into your dashboard. They can inform your combined assurance dashboard, to help report on progress.
  8. Continuous improvement mechanisms A mature program will always have improvement mechanisms and feedback loops to incorporate user and stakeholder feedback. A lack of this feedback mechanism will impact the continued effectiveness of combined assurance.

We now assess the maturity of these factors (plus any others that you find relevant) and rank them on a scale of 1-4:

  • Level 1: Not achieved (0-15% of target).
  • Level 2: Partially achieved (15-50%).
  • Level 3: Largely achieved (50-85%).
  • Level 4: Achieved (85-100%).

This rating scale is based on the ISO/IEC 15504 that assigns a rating to the degree each objective (process capability) is achieved. An example of a combined assurance capability maturity assessment can be seen in Figure 2.

Galv2

GAP ANALYSIS

Once the desired levels for all of the factors are agreed on and endorsed by senior management, the next step is to undertake a gap analysis. The example in Figure 2 shows that the current overall maturity level is a 2 and the desired level is a 3 or 4 for each factor. The gap for each factor needs to be analyzed for the activities and resources required to bridge it. Then you can envision the solution and create a roadmap to bridge the gap(s).

SOLUTION VISION & ROADMAP

An example solution vision and roadmap could be:

  • We will use the same terminology and language for risk in all parts of the organization, and establish a single risk dictionary as a central repository.
  • All risks will be categorized according to severity and criticality and be mapped to assurance providers to ensure that no risk is assessed by more than one provider.
  • A rolling assurance plan will be prepared to ensure that risks are appropriately prioritized and reviewed at least once every two years.
  • An integrated, real-time report will be available on demand to show the status, frequency, and coverage of assurance activities.
  • The integrated report/assurance map will be shared with the board, audit committee, and risk committee regularly (e.g., quarterly or half-yearly).
  • To enable these capabilities, risk capture, storage, and reporting will be automated using an integrated software platform.

Figure 3 shows an example roadmap to achieve your desired maturity level.

Galv3

Click here to access Galvanize’s Risk Manangement White Paper

 

Benchmarking digital risk factors facing financial service firms

Risk management is the foundation upon which financial institutions are built. Recognizing risk in all its forms—measuring it, managing it, mitigating it—are all critical to success. But has every firm achieved that goal? It doesn’t take indepth research beyond the myriad of breach headlines to answer that question.

But many important questions remain: What are key dimensions of the financial sector Internet risk surface? How does that surface compare to other sectors? Which specific industries within Financial Services appear to be managing that risk better than others? We take up these questions and more in this report.

  1. The financial sector boasts the lowest rate of high and critical security exposures among all sectors. This indicates they’re doing a good job managing risk overall.
  2. But not all types of financial service firms appear to be managing risk equally well. For example, the rate of severe findings in the smallest commercial banks is 4x higher than that of the largest banks.
  3. It’s not just small community banks struggling, however. Securities and Commodities firms show a disconcerting combination of having the largest deployment of high-value assets AND the highest rate of critical security exposures.
  4. Others appear to be exceeding the norm. Take credit card issuers: they typically have the largest Internet footprint but balance that by maintaining the lowest rate of security exposures.
  5. Many other challenges and risk factors exist. For instance, the industry average rate of severe security findings in critical cloud-based assets is 3.5x that of assets hosted on-premises.

Dimensions of the Financial Sector Risk Surface

As Digital Transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. We view the risk surface as anywhere an organization’s ability to operate, reputation, assets, legal obligations, or regulatory compliance is at risk. The aspects of a firm’s risk exposure that are associated with or observable from the internet are considered its internet risk surface. In Figure 1, we compare five key dimensions of the internet risk surface across different industries and highlight where the financial sector ranks among them.

  • Hosts: Number of internet-facing assets associated with an organization.
  • Providers: Number of external service providers used across hosts.
  • Geography: Measure of the geographic distribution of a firm’s hosts.
  • Asset Value: Rating of the data sensitivity and business criticality of hosts based on multiple observed indicators. High value systems that include those that collect GDPR and CCPA regulated information.
  • Findings: Security-relevant issues that expose hosts to various threats, following the CVSS rating scale.

TR1

The values recorded in Figure 1 for these dimensions represent what’s “typical” (as measured by the mean or median) among organizations within each sector. There’s a huge amount of variation, meaning not all financial institutions operate more external hosts than all realtors, but what you see here is the general pattern. The blue highlights trace the ranking of Finance along each dimension.

Financial firms are undoubtedly aware of these tendencies and the need to protect those valuable assets. What’s more, that awareness appears to translate fairly effectively into action. Finance boasts the lowest rate of high and critical security exposures among all sectors. We also ran the numbers specific to high-value assets, and financial institutions show the lowest exposure rates there too. All of this aligns pretty well with expectations—financial firms keep a tight rein on their valuable Internet-exposed assets.

This control tendency becomes even more apparent when examining the distribution of hosts with severe findings in Figure 2. Blue dots mark the average exposure rate for the entire sector (and correspond to values in Figure 1), while the grey bars indicate the amount of variation among individual organizations within each sector. The fact that Finance exhibits the least variation shows that even rotten apples don’t fall as far from the Finance tree as they often do in other sectors. Perhaps a rising tide lifts all boats?

TR2

Security Exposures in Financial Cloud Deployments

We now know financial institutions do well minimizing security findings, but does that record stand equally strong across all infrastructure? Figure 3 answers that question by featuring four of the five key risk surface dimensions:

  • the proportion of hosts (square size),
  • asset value (columns),
  • hosting location (rows),
  • and the rate of severe security findings (color scale and value label).

This view facilitates a range of comparisons, including the relative proportion of assets hosted internally vs. in the cloud, how asset value distributes across hosting locales, and where high-severity issues accumulate.

TR3

From Figure 3, box sizes indicate that organizations in the financial sector host a majority of their Internet-facing systems on-premises, but do leverage the cloud to a greater degree for low-value assets. The bright red box makes it apparent that security exposures concentrate more acutely in high-value assets hosted in the cloud. Overall, the rate of severe findings in cloud-based assets is 3.5x that of on-prem. This suggests the angst many financial firms have over moving to the cloud does indeed have some merit. But when we examine the Finance sector relative to others in Figure 4 the intensity of exposures in critical cloud assets appears much less drastic.

In Figure 3, we can see that the largest number of hosts are on-prem and of medium value. But high-value assets in the cloud exhibit the highest rate of findings.

Given that cloud vs. on-prem exposure disparity, we feel the need to caution against jumping to conclusions. We could interpret these results to proclaim that the cloud isn’t ready for financial applications and should be avoided. Another interpretation could suggest that it’s more about organizational readiness for the cloud than the inherent insecurity of the cloud. Either way, it appears that many financial institutions migrating to the cloud are handling that paradigm shift better than others.

It must also be noted that not all cloud environments are the same. Our Cloud Risk Surface report discovered an average 12X difference between cloud providers with the highest and lowest exposure rates. We still believe this says more about the typical users and use cases of the various cloud platforms than any intrinsic security inequalities. But at the same time, we recommend evaluating cloud providers based on internal features as well as tools and guidance they make available to assist customers in securing their environments. Certain clouds are undoubtedly a better match for financial services use cases while others less so.

TR4

Risk Surface of Subsectors within Financial Services

Having compared Finance to other sectors at a high level, we now examine the risk surface of major subsectors of financial services according to the following NAICS designations:

  • Insurance Carriers: Institutions engaged in underwriting and selling annuities, insurance policies, and benefits.
  • Credit Intermediation: Includes banks, savings institutions, credit card issuers, loan brokers, and processors, etc.
  • Securities & Commodities: Investment banks, brokerages, securities exchanges, portfolio management, etc.
  • Central Banks: Monetary authorities that issue currency, manage national money supply and reserves, etc.
  • Funds & Trusts: Funds and programs that pool securities or other assets on behalf of shareholders or beneficiaries.

TR5

Figure 5 compares these Finance subsectors along the same dimensions used in Figure 1. At the top, we see that Insurance Carriers generally maintain a large Internet surface area (hosts, providers, countries), but a comparatively lower ranking for asset value and security findings. The Credit Intermediation subsector (the NAICS designation that includes banks, brokers, creditors, and processors) follows a similar pattern. This indicates that such organizations are, by and large, able to maintain some level of control over their expanding risk surface.

A leading percentage of high-value assets and a leading percentage of highly critical security findings for the Securities and Commodities subsector is a disconcerting combination. It suggests either unusually high risk tolerance or ineffective risk management (or both), leaving those valuable assets overexposed. The Funds and Trusts subsector exhibits a more riskaverse approach to minimizing exposures across its relatively small digital footprint of valuable assets.

Risk Surface across Banking Institutions

Given that the financial sector is so broad, we thought a closer examination of the risk surface particular to banking institutions was in order. Banks have long concerned themselves with risk. Well before the rise of the Internet or mobile technologies, banks made their profits by determining how to gauge the risk of potential borrowers or loans, plotting the risk and reward of offering various deposit and investment products, or entering different markets, allowing access through several delivery channels. It could be said that the successful management and measurement of risk throughout an organization is perhaps the key factor that has always determined the relative success or failure of any bank.

As a highly-regulated industry in most countries, banking institutions must also consider risk from more than a business or operational perspective. They must take into account the compliance requirements to limit risk in various areas, and ensure that they are properly securing their systems and services in a way that meets regulatory standards. Such pressures undoubtedly affect the risk surface and Figure 6 hints at those effects on different types of banking institutions.

Credit card issuers earn the honored distinction of having the largest average number of Internet-facing hosts (by far) while achieving the lowest prevalence of severe security findings. Credit unions flip this trend with the fewest hosts and most prevalent findings. This likely reflects the perennial struggle of credit unions to get the most bang from their buck.

Traditionally well-resourced commercial banks leverage the most third party providers and have a presence in more countries, all with a better-than-average exposure rate. Our previous research revealed that commercial banks were among the top two generators and receivers of multi-party cyber incidents, possibly due to the size and spread of their risk surface.

TR6

Two Things to Consider

  1. In this interconnected world, third-party and fourth-party risk is your risk. If you are a financial institution, particularly a commercial bank, take a moment to congratulate yourself on managing risk well – but only for a moment. Why? Because every enterprise is critically dependent on a wide array of vendors and partners that span a broad spectrum of industries. Their risk is your risk. The work of your third-party risk team is critically important in holding your vendors accountable to managing your risk interests well.
  2. Managing risk—whether internal or third-party—requires focus. There are simply too many things to do, giving rise to the endless “hamster wheel of risk management.” A better approach starts with obtaining an accurate picture of your risk surface and the critical exposures across it. This includes third-party relationships, and now fourth-party risk, which bank regulators are now requiring. Do you have the resources to sufficiently manage this? Do you know your risk surface?

Click here to access Riskrecon Cyentia’s Study

Uncertainty Visualization

Uncertainty is inherent to most data and can enter the analysis pipeline during the measurement, modeling, and forecasting phases. Effectively communicating uncertainty is necessary for establishing scientific transparency. Further, people commonly assume that there is uncertainty in data analysis, and they need to know the nature of the uncertainty to make informed decisions.

However, understanding even the most conventional communications of uncertainty is highly challenging for novices and experts alike, which is due in part to the abstract nature of probability and ineffective communication techniques. Reasoning with uncertainty is unilaterally difficult, but researchers are revealing how some types of visualizations can improve decision-making in a variety of diverse contexts,

  • from hazard forecasting,
  • to healthcare communication,
  • to everyday decisions about transit.

Scholars have distinguished different types of uncertainty, including

  • aleatoric (irreducible randomness inherent in a process),
  • epistemic (uncertainty from a lack of knowledge that could theoretically be reduced given more information),
  • and ontological uncertainty (uncertainty about how accurately the modeling describes reality, which can only be described subjectively).

The term risk is also used in some decision-making fields to refer to quantified forms of aleatoric and epistemic uncertainty, whereas uncertainty is reserved for potential error or bias that remains unquantified. Here we use the term uncertainty to refer to quantified uncertainty that can be visualized, most commonly a probability distribution. This article begins with a brief overview of the common uncertainty visualization techniques and then elaborates on the cognitive theories that describe how the approaches influence judgments. The goal is to provide readers with the necessary theoretical infrastructure to critically evaluate the various visualization techniques in the context of their own audience and design constraints. Importantly, there is no one-size-fits-all uncertainty visualization approach guaranteed to improve decisions in all domains, nor even guarantees that presenting uncertainty to readers will necessarily improve judgments or trust. Therefore, visualization designers must think carefully about each of their design choices or risk adding more confusion to an already difficult decision process.

Uncertainty Visualization Design Space

There are two broad categories of uncertainty visualization techniques. The first are graphical annotations that can be used to show properties of a distribution, such as the mean, confidence/credible intervals, and distributional moments.

Numerous visualization techniques use the composition of marks (i.e., geometric primitives, such as dots, lines, and icons) to display uncertainty directly, as in error bars depicting confidence or credible intervals. Other approaches use marks to display uncertainty implicitly as an inherent property of the visualization. For example, hypothetical outcome plots (HOPs) are random draws from a distribution that are presented in an animated sequence, allowing viewers to form an intuitive impression of the uncertainty as they watch.

The second category of techniques focuses on mapping probability or confidence to a visual encoding channel. Visual encoding channels define the appearance of marks using controls such as color, position, and transparency. Techniques that use encoding channels have the added benefit of adjusting a mark that is already in use, such as making a mark more transparent if the uncertainty is high. Marks and encodings that both communicate uncertainty can be combined to create hybrid approaches, such as in contour box plots and probability density and interval plots.

More expressive visualizations provide a fuller picture of the data by depicting more properties, such as the nature of the distribution and outliers, which can be lost with intervals. Other work proposes that showing distributional information in a frequency format (e.g., 1 out of 10 rather than 10%) more naturally matches how people think about uncertainty and can improve performance.

Visualizations that represent frequencies tend to be highly effective communication tools, particularly for individuals with low numeracy (e.g., inability to work with numbers), and can help people overcome various decision-making biases.

Researchers have dedicated a significant amount of work to examining which visual encodings are most appropriate for communicating uncertainty, notably in geographic information systems and cartography. One goal of these approaches is to evoke a sensation of uncertainty, for example, using fuzziness, fogginess, or blur.

Other work that examines uncertainty encodings also seeks to make looking-up values more difficult when the uncertainty is high, such as value-suppressing color pallets.

Given that there is no one-size-fits-all technique, in the following sections, we detail the emerging cognitive theories that describe how and why each visualization technique functions.

VU1

Uncertainty Visualization Theories

The empirical evaluation of uncertainty visualizations is challenging. Many user experience goals (e.g., memorability, engagement, and enjoyment) and performance metrics (e.g., speed, accuracy, and cognitive load) can be considered when evaluating uncertainty visualizations. Beyond identifying the metrics of evaluation, even the most simple tasks have countless configurations. As a result, it is hard for any single study to sufficiently test the effects of a visualization to ensure that it is appropriate to use in all cases. Visualization guidelines based on a single or small set of studies are potentially incomplete. Theories can help bridge the gap between visualizations studies by identifying and synthesizing converging evidence, with the goal of helping scientists make predictions about how a visualization will be used. Understanding foundational theoretical frameworks will empower designers to think critically about the design constraints in their work and generate optimal solutions for their unique applications. The theories detailed in the next sections are only those that have mounting support from numerous evidence-based studies in various contexts. As an overview, The table provides a summary of the dominant theories in uncertainty visualization, along with proposed visualization techniques.

UV2

General Discussion

There are no one-size-fits-all uncertainty visualization approaches, which is why visualization designers must think carefully about each of their design choices or risk adding more confusion to an already difficult decision process. This article overviews many of the common uncertainty visualization techniques and the cognitive theory that describes how and why they function, to help designers think critically about their design choices. We focused on the uncertainty visualization methods and cognitive theories that have received the most support from converging measures (e.g., the practice of testing hypotheses in multiple ways), but there are many approaches not covered in this article that will likely prove to be exceptional visualization techniques in the future.

There is no single visualization technique we endorse, but there are some that should be critically considered before employing them. Intervals, such as error bars and the Cone of Uncertainty, can be particularly challenging for viewers. If a designer needs to show an interval, we also recommend displaying information that is more representative, such as a scatterplot, violin plot, gradient plot, ensemble plot, quantile dotplot, or HOP. Just showing an interval alone could lead people to conceptualize the data as categorical. As alluded to in the prior paragraph, combining various uncertainty visualization approaches may be a way to overcome issues with one technique or get the best of both worlds. For example, each animated draw in a hypothetical outcome plot could leave a trace that slowly builds into a static display such as a gradient plot, or animated draws could be used to help explain the creation of a static technique such as a density plot, error bar, or quantile dotplot. Media outlets such as the New York Times have presented animated dots in a simulation to show inequalities in wealth distribution due to race. More research is needed to understand if and how various uncertainty visualization techniques function together. It is possible that combining techniques is useful in some cases, but new and undocumented issues may arise when approaches are combined.

In closing, we stress the importance of empirically testing each uncertainty visualization approach. As noted in numerous papers, the way that people reason with uncertainty is non-intuitive, which can be exacerbated when uncertainty information is communicated visually. Evaluating uncertainty visualizations can also be challenging, but it is necessary to ensure that people correctly interpret a display. A recent survey of uncertainty visualization evaluations offers practical guidance on how to test uncertainty visualization techniques.

Click her to access the entire article in Handbook of Computational Statistics and Data Science

Overview on EIOPA Consultation Paper on the Opinion on the 2020 review of Solvency II

The Solvency II Directive provides that certain areas of the framework should be reviewed by the European Commission at the latest by 1 January 2021, namely:

  • long-term guarantees measures and measures on equity risk,
  • methods, assumptions and standard parameters used when calculating the Solvency Capital Requirement standard formula,
  • Member States’ rules and supervisory authorities’ practices regarding the calculation of the Minimum Capital Requirement,
  • group supervision and capital management within a group of insurance or reinsurance undertakings.

Against that background, the European Commission issued a request to EIOPA for technical advice on the review of the Solvency II Directive in February 2019 (call for advice – CfA). The CfA covers 19 topics. In addition to topics that fall under the four areas mentioned above, the following topics are included:

  • transitional measures
  • risk margin
  • Capital Markets Union aspects
  • macroprudential issues
  • recovery and resolution
  • insurance guarantee schemes
  • freedom to provide services and freedom of establishment
  • reporting and disclosure
  • proportionality and thresholds
  • best estimate
  • own funds at solo level

EIOPA is requested to provide technical advice by 30 June 2020.

Executive summary

This consultation paper sets out technical advice for the review of Solvency II Directive. The advice is given in response to a call for advice from the European Commission. EIOPA will provide its final advice in June 2020. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. Firstly, the review of the long term guarantee measures. These measures were always foreseen as being reviewed in 2020, as specified in the Omnibus II Directive. A number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. Secondly, the potential introduction of new regulatory tools in the Solvency II Directive, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Thirdly, revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

Given that the view of EIOPA is that overall the Solvency II framework is working well, the approach here has in general been one of evolution rather than revolution. The principal exceptions arise as a result either of supervisory experience, for example in relation to cross-border business; or of the wider economic context, in particular in relation to interest rate risk. The main specific considerations and proposals of this consultation paper are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk submodule in line with empirical evidence. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

A background document to this consultation paper includes a qualitative assessment of the combined impact of all proposed changes. EIOPA will collect data in order to assess the quantitative combined impact and to take it into account in the decision on the proposals to be included in the advice. Beyond the changes on interest rate risk EIOPA aims in general for a balanced impact of the proposals.

The following paragraphs summarise the main content of the consulted advice per chapter.

Long-term guarantees measures and measures on equity risk

EIOPA considers to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point. Changes are considered with the aim to avoid the underestimation of technical provisions and wrong risk management incentives. The impact on the stability of solvency positions and the financial stability is taken into account. The paper sets out two approaches to calculate the volatility adjustment to the risk-free interest rates. Both approaches include application ratios to mitigate overshooting effects of the volatility adjustment and to take into account the illiquidity characteristics of the insurance liabilities the adjustment is applied to.

  • One approach also establishes a clearer split between a permanent component of the adjustment and a macroeconomic component that only exists in times of wide spreads.

EIOPA2

  • The other approach takes into account the undertakings-specific investment allocation to further address overshooting effects.

EIOPA3

Regarding the matching adjustment to risk-free interest rates the proposal is made to recognise in the Solvency Capital Requirement standard formula diversification effects with regard to matching adjustment portfolios. The advice includes proposals to strengthen the public disclosure on the long term guarantees measures and the risk management provisions for those measures.

EIOPA1

The advice includes a review of the capital requirements for equity risk and proposals on the criteria for strategic equity investments and the calculation of long-term equity investments. Because of the introduction of the capital requirement on long-term equity investments EIOPA intends to advise that the duration-based equity risk sub-module is phased out.

Technical provisions

EIOPA identified a larger number of aspects in the calculation of the best estimate of technical provisions where divergent practices among undertakings or supervisors exist. For some of these issues, where EIOPA’s convergence tools cannot ensure consistent practices, the advice sets out proposals to clarify the legal framework, mainly on

  • contract boundaries,
  • the definition of expected profits in future premiums
  • and the expense assumptions for insurance undertakings that have discontinued one product type or even their whole business.

With regard to the risk margin of technical provisions transfer values of insurance liabilities, the sensitivity of the risk margin to interest rate changes and the calculation of the risk margin for undertakings that apply the matching adjustment or the volatility adjustment were analysed. The analysis did not result in a proposal to change the calculation of the risk margin.

Own funds

EIOPA has reviewed the differences in tiering and limits approaches within the insurance and banking framework, utilising quantitative and qualitative assessment. EIOPA has found that they are justifiable in view of the differences in the business of both sectors.

EIOPA4

Solvency Capital Requirement standard formula

EIOPA confirms its advice provided in 2018 to increase the calibration of the interest rate risk sub-module. The current calibration underestimates the risk and does not take into account the possibility of a steep fall of interest rate as experienced during the past years and the existence of negative interest rates. The review

  • of the spread risk sub-module,
  • of the correlation matrices for market risks,
  • the treatment of non-proportional reinsurance,
  • and the use of external ratings

did not result in proposals for change.

Minimum Capital Requirement

Regarding the calculation of the Minimum Capital Requirement it is suggested to update the risk factors for non-life insurance risks in line with recent changes made to the risk factors for the Solvency Capital Requirement standard formula. Furthermore, proposals are made to clarify the legal provisions on noncompliance with the Minimum Capital Requirement.

EIOPA5

Reporting and disclosure

The advice proposes changes to the frequency of the Regular Supervisory Report to supervisors in order to ensure that the reporting is proportionate and supports risk-based supervision. Suggestions are made to streamline and clarify the expected content of the Regular Supervisory Report with the aim to support insurance undertakings in fulfilling their reporting task avoiding overlaps between different reporting requirements and to ensure a level playing field. Some reporting items are proposed for deletion because the information is also available through other sources. The advice includes a review of the reporting templates for insurance groups that takes into account earlier EIOPA proposals on the templates of solo undertakings and group specificities.

EIOPA proposes an auditing requirement for balance sheet at group level in order to improve the reliability and comparability of the disclosed information. It is also suggested to delete the requirement to translate the summary of that report.

Proportionality

EIOPA has reviewed the rules for exempting insurance undertakings from the Solvency II Directive, in particular the thresholds on the size of insurance business. As a result, EIOPA proposes to maintain the general approach to exemptions but to reinforce proportionality across the three pillars of the Solvency II Directive.

Regarding thresholds EIOPA proposes to double the thresholds related to technical provisions and to allow Member States to increase the current threshold for premium income from the current amount of EUR 5 million to up to EUR 25 million.

EIOPA had reviewed the simplified calculation of the standard formula and proposed improvements in 2018. In addition to that the advice includes proposals to simplify the calculation of the counterparty default risk module and for simplified approaches to immaterial risks. Proposals are made to improve the proportionality of the governance requirements for insurance and reinsurance undertakings, in particular on

  • key functions (cumulation with operational functions, cumulation of key functions other than the internal audit, cumulation of key and AMSB function)
  • own risk and solvency assessment (ORSA) (biennial report),
  • written policies (review at least once every three years)
  • and administrative, management and supervisory bodies (AMSB) ( evaluation shall include an assessment on the adequacy of the composition, effectiveness and internal governance of the administrative, management or supervisory body taking into account the nature, scale and complexity of the risks inherent in the undertaking’s business)

Proposals to improve the proportionality in reporting and disclosure of Solvency II framework were made by EIOPA in a separate consultation in July 2019.

Group supervision

EIOPA proposes a number of regulatory changes to address the current legal uncertainties regarding supervision of insurance groups under the Solvency II Directive. This is a welcomed opportunity as the regulatory framework for groups was not very specific in many cases while in others it relies on the mutatis mutandis application of solo rules without much clarifications.

In particular, there are policy proposals to ensure that the

  • definitions applicable to groups,
  • scope of application of group supervision
  • and supervision of intragroup transactions, including issues with third countries

are consistent.

Other proposals focus on the rules governing the calculation of group solvency, including own funds requirements as well as any interaction with the Financial Conglomerates Directive. The last section of the advice focuses on the uncertainties related to the application of governance requirements at group level.

Freedom to provide services and freedom of establishment

EIOPA further provides suggestions in relation to cross border business, in particular to support efficient exchange of information among national supervisory authorities during the process of authorising insurance undertakings and in case of material changes in cross-border activities. It is further recommended to enhance EIOPA’s role in the cooperation platforms that support the supervision of cross-border business.

Macro-prudential policy

EIOPA proposes to include the macroprudential perspective in the Solvency II Directive. Based on previous work, the advice develops a conceptual approach to systemic risk in insurance and then analyses the current existing tools in the Solvency II framework against the sources of systemic risk identified, concluding that there is the need for further improvements in the current framework.

EIOPA7

Against this background, EIOPA proposes a comprehensive framework, covering the tools initially considered by the European Commission (improvements in Own Risk and Solvency Assessment and the prudent person principle, as well as the drafting of systemic risk and liquidity risk management plans), as well as other tools that EIOPA considers necessary to equip national supervisory authorities with sufficient powers to address the sources of systemic risk in insurance. Among the latter, EIOPA proposes to grant national supervisory authorities with the power

  • to require a capital surcharge for systemic risk,
  • to define soft concentration thresholds,
  • to require pre-emptive recovery and resolution plans
  • and to impose a temporarily freeze on redemption rights in exceptional circumstances.

EIOPA8

Recovery and resolution

EIOPA calls for a minimum harmonised and comprehensive recovery and resolution framework for (re)insurers to deliver increased policyholder protection and financial stability in the European Union. Harmonisation of the existing frameworks and the definition of a common approach to the fundamental elements of recovery and resolution will avoid the current fragmented landscape and facilitate cross-border cooperation. In the advice, EIOPA focuses on the recovery measures including the request for pre-emptive recovery planning and early intervention measures. Subsequently, the advice covers all relevant aspects around the resolution process, such as

  • the designation of a resolution authority,
  • the resolution objectives,
  • the need for resolution planning
  • and for a wide range of resolution powers to be exercised in a proportionate way.

The last part of the advice is devoted to the triggers for

  • early intervention,
  • entry into recovery and into resolution.

EIOPA9

Other topics of the review

The review of the ongoing appropriateness of the transitional provisions included in the Solvency II Directive did not result in a proposal for changes. With regard to the fit and proper requirements of the Solvency II Directive EIOPA proposes to clarify the position of national supervisory authorities on the ongoing supervision of propriety of board members and that they should have effective powers in case qualifying shareholders are not proper. Further advice is provided in order to increase the efficiency and intensity of propriety assessments in complex cross-border cases by providing the possibility of joint assessment and use of EIOPA’s powers to assist where supervisors cannot reach a common view.

Click here to access EIOPA’s detailed Consultation Paper

EIOPA outlines key financial stability risks of the European insurance and pensions sector

The global and European economic outlook has deteriorated in the past months with weakening industrial production and business sentiment and ongoing uncertainties about trade disputes and Brexit. In particular, the “low for long” risk has resurfaced in the EU, as interest rates reached record lows in August 2019 and an increasing number of countries move into negative yield territory for their sovereign bonds even at longer maturities in anticipation of a further round of monetary easing by central banks and a general flight to safety. Bond yields and swap rates have since slightly recovered again, but protracted low interest rates form the key risk for both insurers and pension funds and put pressure on both the capital position and long-term profitability. Large declines in interest rates can also create further incentives for insurers and pension funds to search for yield, which could add to the build-up of vulnerabilities in the financial sector if not properly managed.

Despite the challenging environment, the European insurance sector remains overall well capitalized with a median SCR ratio of 212% as of Q2 2019. However, a slight deterioration could be observed for life insurers in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions of life insurers in the second half of 2019. At the same time, profitability improved in the first half of 2019, mainly due to valuation gains in the equity and bond portfolios of insurers. Nevertheless, the low yield environment is expected to put additional strains on the medium to long term profitability of insurers as higher yielding bonds will have to be replaced by lower yielding bonds, which may make it increasingly difficult for insurers to make investment returns in excess of guaranteed returns issued in the past, which are still prevalent in many countries.

THE EUROPEAN INSURANCE SECTOR

The challenging macroeconomic environment is leading insurance undertakings to further adapt their business models. In order to address the challenges associated with the low yield environment and improve profitability, life insurers are lowering guaranteed rates in traditional products and are increasingly focusing on unit-linked products. On the investment side, insurers are slowly moving towards more alternative investments and illiquid assets, such as unlisted equity, mortgages & loans, infrastructure and property. For non-life insurers, the challenge is mostly focused on managing increasing losses stemming from climate-related risks and cyber events, which may not be adequately reflected in risk models based on historical data, and continued competitive pressures.

Despite the challenging environment, the European insurance sector overall gross written premiums slightly grew by 1.6% on an annual basis in Q2 2019. This growth is particularly driven by the increase in non life GWP (3.7%), in comparison to a slightly decrease in life (-0.5%). This reduction growth rate in life GWP is associated to the slowdown in the economic growth; however this does not seem to have affected the growth of non-life GWP to the same extent. Overall GWP as a percentage of GDP slightly increased from 9% to 11% for the European insurance market, likewise total assets as a share of GDP improved from 70% to 74%. The share of unit-linked business has slightly declined notwithstanding the growth expectations. Even though insurers are increasingly trying to shift towards unit-linked business in the current low yield environment, the total share of unit-linked business in life GWP has slightly decreased from 42% in Q2 2018 to 40% in Q2 2019, likewise the share for the median insurance company declined from 34% in Q2 2018 to 31% in Q2 2019. Considerable differences remain across countries, with some countries still being plagued by low trust due to misselling issues in the past. Overall, the trend towards unit-lead business means that investment risks are increasingly transferred to policyholders with potential reputational risks to the insurance sector in case investment returns turn out lower than anticipated.

EIOPA1

The liquid asset ratio slightly deteriorated in the first half of 2019. The median value for liquid asset increased by 1.5% from 63.3% in 2018 Q2 to 64.8% in 2018 Q4, and after slightly decreased to 63.8% in Q2 2019. Furthermore,  the distribution moved down (10th percentile reduced in the past year by 6 p.p. to 47.9%). Liquid assets are necessary in order to meet payment obligations when they are due. Furthermore, a potential increase in interest rate yields might directly impact the liquidity needs of insurers due to a significant increase in the lapse rate as policyholders might look for more attractive alternative investments.

EIOPA2

Lapse rates in the life business remained stable slightly increased in the first half of 2019. The median value increased from 1.34% in Q2 2018 to 1.38% in Q2 2019. Moreover, a potential sudden reversal of risk premia and abruptly rising yields could trigger an increase in lapse rates and surrender ratios as policyholders might look  for more attractive investments. Although several contractual and fiscal implications could limit the impact of lapses and surrenders in some countries, potential lapses by policyholders could add additional strains on insurers’ financial position once yields start increasing.

The return on investment has substantially declined further over 2018. The investment returns have significantly deteriorated for the main investment classes (bonds, equity and collective instruments). The median return on investment decreased to only 0.31% in 2018, compared to 2.83% in 2016 and 1.95% in 2017. In particular the four main investment options (government and corporate bonds, equity instruments and collective investment undertakings) – which approximately account for two-thirds of insurers’ total investment portfolios – have generated considerably lower or even negative returns in 2018. As a consequence, insurers may increasingly look for alternative investments, such as unlisted equities, mortgages and infrastructure to improve investment returns. This potential search for yield behaviour might differ per country and warrants close monitoring by supervisory authorities as insurers may suffer substantial losses on these more illiquid investments when markets turn sour.

EIOPA3

Despite the challenging investment climate, overall insurer profitability improved in the first half of 2019. The median return on assets (ROA) increased from 0.24% in Q2 2018 to 0.32% in Q2 2019, whereas the median return on excess of assets over liabilities (used as a proxy of return on equity), increased from 2.8% in Q2 2018 to 4.9 % in Q2 2019. The improvement in overall profitability seems to stem mainly from valuation gains in the investment portolio of insurers driven by a strong rebound in equity prices and declining yields (and hence increasing values of bond holdings) throughout the first half of 2019, while profitability could be further supported by strong underwriting results and insurers’ continued focus on cost optimisation. However, decreased expected profits in future premiums (EPIFP) from 11% in Q1 2019 to 10.3% in Q2 2019 suggest expectations of deteriorating profitability looking ahead. Underwriting profitability remained stable and overall positive in the first half of 2019. The median Gross Combined Ratio for non-life business remained below 100% in the first half of 2019 across all lines of business, indicating that most EEA insurers were able to generate positive underwriting results (excluding profits from investments). However, significant outliers can still be observed across lines of business, in particular for credit and suretyship insurance, indicating that several insurers have experienced substantial underwriting losses in this line of business. Furthermore, concerns of underpricing and underreserving remain in the highly competitive motor insurance markets.

EIOPA4

Solvency positions slightly deteriorated in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions in the second half of the year, especially for life insurers. Furthermore, the number of life insurance undertakings with SCR ratios below the 100% threshold increased in comparison with the previous year from 1 in Q2 2018 to 4 in Q2 2019 mainly due to the low interest rate environment, while the number of non-life insurance undertakings with SCR ratios below 100% threshold decreased from 9 in Q2 2018 to 7 in Q2 2019. The median SCR ratio for life insurers is still the highest compared to non-life insurers and composite undertakings. However, the SCR ratio differs substantially among countries.

EIOPA5

The impact of the LTG and transitional measures varies considerably across insurers and countries. The long term guarantees (LTG) and transitional measures were introduced in the Solvency II Directive to ensure an appropriate treatment of insurance products that include long-term guarantees and facilitate a smooth transition of the new regime. These measures can have a significant impact on the SCR ratio by allowing insurance undertakings, among others, to apply a premium to the risk free interest rate used for discounting technical provions. The impact of applying these measures is highest in DE and the UK, where the distribution of SCR ratios is signicantly lower without LTG and transitional measures (Figure 2.16). While it is important to take the effect of LTG measures and transitional measures into account when comparing across insurers and countries, the LTG measures do provide a potential financial stability cushion by reducing overall volatility.

On October 15th 2019, EIOPA launched a public consultation on an Opinion that sets out technical advice for the 2020 review of Solvency II. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. The review of the LTG measures, where a number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. The potential introduction of new regulatory tools in the Solvency II framework, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

The main specific considerations and proposals of this consultation are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk sub-module in line with empirical evidence, in particular the existence of negative interest rates. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

The European Supervisory Authorities (ESAs) published on the 4th October 2019 a Joint Opinion on the risks of money laundering and terrorist financing affecting the European Union’s financial sector. In this Joint Opinion, the ESAs identify and analyse current and emerging money laundering and terrorist financing (ML/ TF) risks to which the EU’s financial sector is exposed. In particular, the ESAs have identified that the main cross-cutting risks arise from

  • the withdrawal of the United Kingdom (UK) from the EU,
  • new technologies,
  • virtual currencies,
  • legislative divergence and divergent supervisory practices,
  • weaknesses in internal controls,
  • terrorist financing and de-risking;

in order to mitigate these risks, the ESAs have proposed a number of potential actions for the Competent Authorities.

Following its advice to the European Commission on the integration of sustainability risks in Solvency II and the Insurance Distribution Directive on April 2019, EIOPA has published on 30th September 2019 an Opinion on Sustainability within Solvency II, which addresses the integration of climate-related risks in Solvency II Pillar I requirements. EIOPA found no current evidence to support a change in the calibration of capital requirements for “green” or “brown” assets. In the opinion, EIOPA calls insurance and reinsurance undertakings to implement measures linked with climate change-related risks, especially in view of a substantial impact to their business strategy; in that respect, the importance of scenario analysis in the undertakings’ risk management is highlighted. To increase the European market and citizens’ resilience to climate change, undertakings are called to consider the impact of their underwriting practices on the environment. EIOPA also supports the development of new insurance products, adjustments in the design and pricing of the products and the engagement with public authorities, as part of the industry’s stewardship activity.

On the 15th July 2019 EIOPA submitted to the European Commission draft amendments to the Implementing technical standards (ITS) on reporting and the ITS on public disclosure. The proposed amendments are mainly intended to reflect the changes in the Solvency II Delegated Regulation by the Commission Delegated Regulation (EU) 2019/981 and the Commission Delegated Regulation 2018/1221 as regards the calculation of regulatory capital requirements for securitisations and simple, transparent and standardised securitisations held by insurance and reinsurance undertakings. A more detailed review of the reporting and disclosure requirements will be part of the 2020 review of Solvency II.

On 18th June 2019 the Commission Delegated Regulation (EU) 2019/981 amending the Solvency II Delegated Regulation with respect to the calculation of the SCR for standard formula users was published. The new regulation includes the majority of the changes proposed by EIOPA in its advice to the Commission in February 2018 with the exception of the proposed change regarding interest rate risk. Most of the changes are applicable since July 2019, although changes to the calculation of the loss-absorbing capacity of deferred taxes and non-life and health premium and reserve risk will apply from 1 January 2020.

RISK ASSESSMENT

QUALITATIVE RISK ASSESSMENT

EIOPA conducts twice a year a bottom-up survey among national supervisors to determine the key risks and challenges for the European insurance and pension fund sectors, based on their probability and potential impact.

The EIOPA qualitative Autumn 2019 Survey reveals that low interest rates remain the main risks for both the insurance and pension fund sectors. Equity risks also remain prevalent, ranking as the 3rd and 2nd biggest risk for the insurance and pension funds sectors respectively. The cyber risk category is now rank as the 2nd biggest risk for the insurance sector, as insurers need to adapt their business models to this new type of risk both from an operational risk perspective and an underwriting perspective. Geopolitical risks have become more significant for both markets, along with Macro risks, which continue to be present in the insurance and pension fund sectors, partially due to concerns over protectionism, trade tensions, debt sustainability, sudden increase in risk premia and uncertainty relating to the potential future post-Brexit landscape.

The survey further suggests that all the risks are expected to increase over the coming year. The increased risk of the low for long interest rate environment is in line with the observed market developments, particulary after the ECB’s announcement of renewed monetary easing in September 2019. The significant expected raise of cyber, property, equity, macro and geopolitical risks in the following year is also in line with the observed market developments, indicating increased geopolitical uncertainty, trade tensions, stretched valuations in equity and real estate markets and more frequent and sophisticated cyber attacks which could all potentially affect the financial position of insurers and pension funds. On the other hand, ALM risks and Credit risk for financials are expected to increase in the coming year, while in the last survey in Spring 2019 the expectations were following the opposite direction.

EIOPA6

Although cyber risk is ranking as one of the top risks and expected to increase in the following year, many jurisdictions also see cyber-related insurance activities as a growth opportunity. The rapid pace of technological innovation and digitalisation is a challenge for the insurance market and insurers need to be able to adapt their business models to this challenging environment, nonetheless from a profitability perspective, increased digitalisation may offer significant cost-saving and revenue-increasing opportunities for insurance companies. The increase of awareness of cyber-risk and higher vulnerability to cyber threats among undertakings due to the increased adoption of digital technologies could drive a growth in cyber insurance underwriting.

The survey shows the exposure of an sudden correction of the risk premia significantly differs across EU countries. In the event of a sudden correction in the risk premia, insurance undertakings and pension funds with ample exposure to bonds and real estate, could suffer significant asset value variations that could lead to forced asset sales and potentially amplify the original shock to asset prices in less liquid markets. Some juridictions, however, confirm the limited exposure to this risk due to the low holding of fixed income instruments and well diversified portfolios.

The survey further indicates that national authorities expect the increase of investments in alternative asset classes and more illiquid assets. Conversely, holdings of governement bonds are expected to decrease in favour of corporate bonds within the next 12 months. Overall this might indicate potential search for yield behaviour and a shift towards more illiquid assets continues throughout numerous EU jurisdictions. Property investments – through for instance mortgages and infrastructure investment – are also expected to increase in some jurisdictions, for both insurers and pension funds. A potential downturn of real estate markets could therefore also affect the soundness of the insurance and pension fund sectors.

EIOPA7

QUANTITATIVE RISK ASSESSMENT EUROPEAN INSURANCE SECTOR

This section further assesses the key risks and vulnerabilities for the European insurance sector identified in this report. A detailed breakdown of the investment portfolio and asset allocation is provided with a focus on specific country exposures and interconnectedness with the banking sector. The chapter also analyses in more detail the implications of the current low yield environment for insurers.

INVESTMENTS

Insurance companies’ investments remain broadly stable, with a slight move towards less liquid investment. Government and corporate bonds continue to make up the majority of the investment portfolio, with only a  slight movement towards more non-traditional investment instruments such as unlisted equity and mortgage and loans. Life insurers in particular rely on fixed-income assets, due to the importance of asset-liability matching of their long-term obligations. At the same time, the high shares of fixed-income investments could give rise to significant reinvestment risk in the current low yield environment, in case the maturing fixed-income securities can only be replaced by lower yielding fixed-income securities for the same credit quality.

The overall credit quality of the bond portfolio is broadly satisfactory, although slight changes are observed in 2018. The vast majority of bonds held by European insurers are investment grade, with most rated as CQS1 (AA). However, the share of CQS2 has increased in the first half of 2019, and significant differences can be observed for insurers across countries.

EIOPA8

INTERCONNECTEDNESS BETWEEN INSURERS AND BANKS

The overall exposures towards the banking sector remain significant for insurers in certain countries, which could be one potential transmission channel in case of a sudden reassessment of risk premia. The interconnectedness between insurers and banks could intensify contagion across the financial system through common risk exposures. A potential sudden reassessment of risk premia may not only affect insurers directly, but also indirectly through exposures to the banking sector. This is also a potential transmission channel of emerging markets distress, as banks have on average larger exposures to emerging markets when compared to insurers.

Another channel of risk transmission could be through different types of bank instruments bundled together and credited by institutional investors such as insurers and pension funds.

Insurers’ exposures towards banks are heterogeneous across the EU/EEA countries, with different levels of home bias as well. Hence, countries with primary banks exposed to emerging markets or weak banking sectors could be impacted more in case of economic distress. On average, 15.95% of the EU/EEA insurers’ assets are issued by the banking sector through different types of instruments, mostly bank bonds.

EIOPA9

Click here to access EIOPA’s Dec 2019 Financial Stability Report

From Risk to Strategy : Embracing the Technology Shift

The role of the risk manager has always been to understand and manage threats to a given business. In theory, this involves a very broad mandate to capture all possible risks, both current and future. In practice, however, some risk managers are assigned to narrower, siloed roles, with tasks that can seem somewhat disconnected from key business objectives.

Amidst a changing risk landscape and increasing availability of technological tools that enable risk managers to do more, there is both a need and an opportunity to move toward that broader risk manager role. This need for change – not only in the risk manager’s role, but also in the broader approach to organizational risk management and technological change – is driven by five factors.

Marsh Ex 1

The rapid pace of change has many C-suite members questioning what will happen to their business models. Research shows that 73 percent of executives predict significant industry disruption in the next three years (up from 26 percent in 2018). In this challenging environment, risk managers have a great opportunity to demonstrate their relevance.

USING NEW TOOLS TO MANAGE RISKS

Emerging technologies present compelling opportunities for the field of risk management. As discussed in our 2017 report, the three levers of data, analytics, and processes allow risk professionals a framework to consider technology initiatives and their potential gains. Emerging tools can support risk managers in delivering a more dynamic, in-depth view of risks in addition to potential cost-savings.

However, this year’s survey shows that across Asia-Pacific, risk managers still feel they are severely lacking knowledge of emerging technologies across the business. Confidence scores were low in all but one category, risk management information systems (RMIS). These scores were only marginally higher for respondents in highly regulated industries (financial services and energy utilities), underscoring the need for further training across all industries.

Marsh Ex 3

When it comes to technology, risk managers should aim for “digital fluency, a level of familiarity that allows them to

  • first determine how technologies can help address different risk areas,
  • and then understand the implications of doing so.

They need not understand the inner workings of various technologies, as their niche should remain aligned with their core expertise: applying risk technical skills, principles, and practices.

CULTIVATING A “DIGITAL-FIRST” MIND-SET

Successful technology adoption does not only present a technical skills challenge. If risk function digitalization is to be effective, risk managers must champion a cultural shift to a “digital-first” mindset across the organization, where all stakeholders develop a habit of thinking about how technology can be used for organizational benefit.

For example, the risk manager of the future will be looking to glean greater insights using increasingly advanced analytics capabilities. To do this, they will need to actively encourage their organization

  • to collect more data,
  • to use their data more effectively,
  • and to conduct more accurate and comprehensive analyses.

Underlying the risk manager’s digitalfirst mind-set will be three supporting mentalities:

1. The first of these is the perception of technology as an opportunity rather than a threat. Some understandable anxiety exists on this topic, since technology vendors often portray technology as a means of eliminating human input and labor. This framing neglects the gains in effectiveness and efficiency that allow risk managers to improve their judgment and decision making, and spend their time on more value-adding activities. In addition, the success of digital risk transformations will depend on the risk professionals who understand the tasks being digitalized; these professionals will need to be brought into the design and implementation process right from the start. After all, as the Japanese saying goes, “it is workers who give wisdom to the machines.” Fortunately, 87 percent of PARIMA surveyed members indicated that automating parts of the risk manager’s job to allow greater efficiency represents an opportunity for the risk function. Furthermore, 63 percent of respondents indicated that this was not merely a small opportunity, but a significant one (Exhibit 6). This positive outlook makes an even stronger statement than findings from an earlier global study in which 72 percent of employees said they see technology as a benefit to their work

2. The second supporting mentality will be a habit of looking for ways in which technology can be used for benefit across the organization, not just within the risk function but also in business processes and client solutions. Concretely, the risk manager can embody this culture by adopting a data-driven approach, whereby they consider:

  • How existing organizational data sources can be better leveraged for risk management
  • How new data sources – both internal and external – can be explored
  • How data accuracy and completeness can be improved

“Risk managers can also benefit from considering outside-the-box use cases, as well as keeping up with the technologies used by competitors,” adds Keith Xia, Chief Risk Officer of OneHealth Healthcare in China.

This is an illustrative rather than comprehensive list, as a data-driven approach – and more broadly, a digital mind-set – is fundamentally about a new way of thinking. If risk managers can grow accustomed to reflecting on technologies’ potential applications, they will be able to pre-emptively spot opportunities, as well as identify and resolve issues such as data gaps.

3. All of this will be complemented by a third mentality: the willingness to accept change, experiment, and learn, such as in testing new data collection and analysis methods. Propelled by cultural transformation and shifting mind-sets, risk managers will need to learn to feel comfortable with – and ultimately be in the driver’s seat for – the trial, error, and adjustment that accompanies digitalization.

MANAGING THE NEW RISKS FROM EMERGING TECHNOLOGIES

The same technological developments and tools that are enabling organizations to transform and advance are also introducing their own set of potential threats.

Our survey shows the PARIMA community is aware of this dynamic, with 96 percent of surveyed members expecting that emerging technologies will introduce some – if not substantial – new risks in the next five years.

The following exhibit gives a further breakdown of views from this 96 percent of respondents, and the perceived sufficiency of their existing frameworks. These risks are evolving in an environment where there are already questions about the relevance and sufficiency of risk identification frameworks. Risk management has become more challenging due to the added complexity from rapid shifts in technology, and individual teams are using risk taxonomies with inconsistent methodologies, which further highlight the challenges that risk managers face in managing their responses to new risk types.

Marsh Ex 9

To assess how new technology in any part of the organization might introduce new risks, consider the following checklist :

HIGH-LEVEL RISK CHECKLIST FOR EMERGING TECHNOLOGY

  1. Does the use of this technology cut across existing risk types (for example, AI risk presents a composite of technology risk, cyber risk, information security risk, and so on depending on the use case and application)? If so, has my organization designated this risk as a new, distinct category of risk with a clear definition and risk appetite?
  2. Is use of this technology aligned to my company’s strategic ambitions and risk appetite ? Are the cost and ease of implementation feasible given my company’s circumstances?
  3. Can this technology’s implications be sufficiently explained and understood within my company (e.g. what systems would rely on it)? Would our use of this technology make sense to a customer?
  4. Is there a clear view of how this technology will be supported and maintained internally, for example, with a digitally fluent workforce and designated second line owner for risks introduced by this technology (e.g. additional cyber risk)?
  5. Has my company considered the business continuity risks associated with this technology malfunctioning?
  6. Am I confident that there are minimal data quality or management risks? Do I have the high quality, large-scale data necessary for advanced analytics? Would customers perceive use of their data as reasonable, and will this data remain private, complete, and safe from cyberattacks?
  7. Am I aware of any potential knock-on effects or reputational risks – for example, through exposure to third (and fourth) parties that may not act in adherence to my values, or through invasive uses of private customer information?
  8. Does my organization understand all implications for accounting, tax, and any other financial reporting obligations?
  9. Are there any additional compliance or regulatory implications of using this technology? Do I need to engage with regulators or seek expert advice?
  10. For financial services companies: Could I explain any algorithms in use to a customer, and would they perceive them to be fair? Am I confident that this technology will not violate sanctions or support crime (for example, fraud, money laundering, terrorism finance)?

SECURING A MORE TECHNOLOGY-CONVERSANT RISK WORKFORCE

As risk managers focus on digitalizing their function, it is important that organizations support this with an equally deliberate approach to their people strategy. This is for two reasons, as Kate Bravery, Global Solutions Leader, Career at Mercer, explains: “First, each technological leap requires an equivalent revolution in talent; and second, talent typically becomes more important following disruption.”

While upskilling the current workforce is a positive step, as addressed before, organizations must also consider a more holistic talent management approach. Risk managers understand this imperative, with survey respondents indicating a strong desire to increase technology expertise in their function within the next five years.

Yet, little progress has been made in adding these skills to the risk function, with a significant gap persisting between aspirations and the reality on the ground. In both 2017 and 2019 surveys, the number of risk managers hoping to recruit technology experts has been at least 4.5 times the number of teams currently possessing those skills.

Marsh Ex 15

EMBEDDING RISK CULTURE THROUGHOUT THE ORGANIZATION

Our survey found that a lack of risk management thinking in other parts of the organization is the biggest barrier the risk function faces in working with other business units. This is a crucial and somewhat alarming finding – but new technologies may be able to help.

Marsh Ex 19

As technology allows for increasingly accurate, relevant, and holistic risk measures, organizations should find it easier to develop risk-based KPIs and incentives that can help employees throughout the business incorporate a risk-aware approach into their daily activities.

From an organizational perspective, a first step would be to describe risk limits and risk tolerance in a language that all stakeholders can relate to, such as potential losses. Organizations can then cascade these firm-wide risk concepts down to operational business units, translating risk language into tangible and relevant incentives that encourages behavior that is consistent with firm values. Research shows that employees in Asia want this linkage, citing a desire to better align their individual goals with business goals.

The question thus becomes how risk processes can be made an easy, intuitive part of employee routines. It is also important to consider KPIs for the risk team itself as a way of encouraging desirable behavior and further embedding a risk-aware culture. Already a majority of surveyed PARIMA members use some form of KPIs in their teams (81 percent), and the fact that reporting performance is the most popular service level measure supports the expectation that PARIMA members actively keep their organization informed.

Marsh Ex 21

At the same time, these survey responses also raise a number of questions. Forty percent of organizations indicate that they measure reporting performance, but far fewer are measuring accuracy (15 percent) or timeliness (16 percent) of risk analytics – which are necessary to achieve improved reporting performance. Moreover, the most-utilized KPIs in this year’s survey tended to be tangible measures around cost, from which it can be difficult to distinguish a mature risk function from a lucky one.

SUPPORTING TRANSFORMATIONAL CHANGE PROGRAMS

Even with a desire from individual risk managers to digitalize and complement organizational intentions, barriers still exist that can leave risk managers using basic tools. In 2017, cost and budgeting concerns were the single, standout barrier to risk function digitalization, chosen by 67 percent of respondents, well clear of second placed human capital concerns at 18 percent. This year’s survey responses were much closer, with a host of ongoing barriers, six of which were cited by more than 40 percent of respondents.

Marsh Ex 22

Implementing the nuts and bolts of digitalization will require a holistic transformation program to address all these barriers. That is not to say that initiatives must necessarily be massive in scale. In fact, well-designed initiatives targeting specific business problems can be a great way to demonstrate success that can then be replicated elsewhere to boost innovation.

Transformational change is inherently difficult, in particular where it spans both technological as well as people dimensions. Many large organizations have generally relied solely on IT teams for their “digital transformation” initiatives. This approach has had limited success, as such teams are usually designed to deliver very specific business functionalities, as opposed to leading change initiatives. If risk managers are to realize the benefits of such transformation, it is incumbent on them to take a more active role in influencing and leading transformation programs.

Click here to access Marsh’s and Parima’s detailed report

Optimizing Your GRC Technology Ecosystem

Most organizations rely on multiple technologies to manage GRC across the enterprise. Optimizing a GRC technology ecosystem aligned with a defined GRC process structure improves risk-informed business decisions and achievement of strategic business objectives. This illustration outlines ways to continuously optimize your GRC technology ecosystem for

  • greater process consistency
  • and development of actionable information.

An integrated GRC technology ecosystem built on common vocabulary, taxonomy and processes enables

  • more accurate and timely reporting,
  • increased reliability of achievement of objectives
  • and greater confidence in assurance with less burden on the business.

Here are just a few of the key benefits:

Process and Technology Alignment

  • Common methods for core tasks, uniform taxonomies, and consistent vocabulary for governance, risk management and compliance across the organization
  • Risk-based actions and controls that ensure timely responses to changed circumstances
  • Standardized GRC processes based on understanding where in the organization each defined process takes place and how data is used in managing risks and requirements
  • Connected technologies as necessary to gain a complete view of the management actions, controls and information needed by each user

Governance Systems to include:

  • Strategy / Performance
  • Board Management
  • Audit & Assurance Tools

Risk Systems to include:

  • Brand & Reputation
  • Finance / Treasury Risk
  • Information / IT Risk
  • External Risk Content
  • Third Party Risk

Compliance Systems to include:

  • Policies
  • Helpline / Hotline
  • Training
  • EHS (Environment Health and Safety)
  • Fraud / Corruption
  • Global Trade
  • Privacy
  • Regulatory Change
  • AML (Anti Money Laundering) / KYC (Know Your Customer)

Enabling Systems to include:

  • Data Visualization
  • Analytics
  • Business Intelligence
  • Predictive Tools
  • External Data Sources

Protective Systems to include:

  • Information Security
  • Data Protection
  • Assets Control

Benefits and Outcomes

  • Enhanced tracking of achievement of objectives and obstacles
  • Connected reporting for board/management/external stakeholders
  • Timely understanding of impact from operational decisions
  • Actionable view of changes needed to meet regulatory requirements
  • Clear action pathways for resolution of issues and process reviews
  • Consistent risk assessments feeding into advanced analytics
  • Improved predictive capabilities to support strategic planning
  • Control testing and audit trails for response to regulators and auditors
  • Greater confidence in assurance with less burden on the business
  • Enterprise-wide, departmental and geographic control standards

OCEG

Tips for Optimization

1. Process Framework

  • Identify tasks appropriate for standardization and schedule implementation across units
  • Assess vocabulary used throughout organization for inconsistencies and establish rules
  • Adjust process model periodically to continue alignment with business objectives and activities

2. Technology Ecosystem

  • Periodically review GRC technologies for gaps and duplication of systems
  • Assess appropriateness of connection of systems for data sharing and user access
  • Maintain a current road map for re-purposing and acquisition of technologies

3. Outcome Management

  • Apply standard processes for resolution of issues and remediation of identified process framework or technology ecosystem weaknesses
  • Enhance reporting capabilities with refined report structure and delivery methods/schedules
  • Ensure all users apply the process framework and understand how best to use the technology

Click here to access OCEG’s illustration in detail

Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no
boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identify organization and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

MMC1

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislations. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, ”We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.

Unsurprisingly, their business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to humanenabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—have an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

MMC2

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

MMC3

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

MMC4

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to clearly and comprehensively gain a current understanding of their organization’s cyber risk profile.

MMC5

The increase in awareness, cyber data breaches and adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.

MMC6

With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure and secure stronger financials to respond and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report

Financial Risk Management – Global Practice Analysis Report

Survey participants indicated they are involved in the daily practice of financial risk management as financial risk managers, in supervisory roles, as consultants, academics and trainers, auditors and regulators. They self-identified as highly educated — 71 percent hold a Master’s degree or higher. While 61 percent of respondents had more than five year’s experience in the financial services industry, less than half — 41 percent — had more than five year’s experience in financial risk management. This indicates that experienced financial services professionals enter the field of risk management from other areas of responsibility at financial institutions.

GARP1

More than 40 percent of respondents worked at banks, with consulting and asset management firms employing 17 and 16 percent, respectively. Approximately one-third of respondents hold the title of risk manager, one-quarter are analysts and 11 percent are consultants. Approximately 61 percent are employed at firms with more than 1,000 employees.

The GARP Global Practice Analysis survey addressed 49 specific tasks across six process-based domains. Respondents were asked to assign an importance rating from 1 (not important) to 4 (extremely important) to each task. Significantly, all 49 tasks were found to be important on the 4-point Importance Scale, meeting the industry best-practices threshold of 2.5 out of 4. Forty-seven of the 49 tasks received a mean importance rating of at least 3.0, indicating that these tasks are considered of moderate to high importance to the work of financial risk managers.

The top five tasks identified by respondents as most important, earning a mean importance rating of at least 3.3 among all survey respondents, are to:

  1. Identify signs of potential risk based on exposure, trends, monitoring systems regulatory and environmental change, organizational culture and behavior.
  2. Analyze and assess underlying risk drivers and risk interconnections.
  3. Communicate with relevant business stakeholders.
  4. Monitor risk exposure in comparison to limits and tolerances.
  5. Evaluate materiality of risk and impact on business.

The five tasks identified as least important, with a mean importance rating of or below 3.0 among all respondents, are:

  1. Create and inventory of models.
  2. Generate, validate, and communicate standardized risk reports for external purposes.
  3. Develop transparent model documentation for independent replication/validation.
  4. Set capital allocations and risk budgets in accordance with risk management framework.
  5. Recommend policy revisions as necessary.

Respondents were asked to identify at what level of experience each task should be part of the financial risk manager’s profile, according to a five-level Experience Scale:

  • Not necessary
  • Less than 2 years
  • 2 to 5 years
  • 6 to 10 years
  • More than 10 years

One-half of respondents indicated that financial risk managers should be able to perform all 49 tasks within the first five years of practice.

More than 77 percent of respondents said financial risk managers should be able to perform these specific tasks within their first five years of practice in financial risk management:

  • Monitor risk exposure in comparison to limits and tolerances
  • Define and determine type of risk (e.g., credit, market, operational) by classifying risk factors using a consistent risk taxonomy
  • Gather quantitative data to perform model evaluation
  • Select monitoring methods and set frequency (e.g., intra-daily, daily, weekly, monthly)
  • Gather qualitative information to perform model evaluation
  • Generate, validate, and communicate standardized risk reports for internal purposes (e.g., staff, executive management, board of directors)
  • Identify risk owners
  • Investigate why limits are exceeded by performing root-cause analysis
  • Analyze and assess underlying risk drivers and risk interconnections
  • Escalate breach when limits or alert levels are exceeded according to risk management plan/policies/strategies
  • Generate, validate, and communicate ad hoc reports to meet specific requirements
  • Escalate unusual behavior or potential risks according to risk management plan/ policies/strategies

GARP2

Financial risk managers are vital to any integrated financial system of managing and communicating risk. The GPA study is a contemporary and comprehensive description of the work of risk managers across work settings, geographic regions, job roles and experience levels.

The process of a practice analysis is important for programs that desire to continually evolve and reflect the critical knowledge and tasks in the industry. It is important for practitioners who desire to evolve and be successful in their career.

Click here to access GARP’s detailed survey report

 

EIOPA’s Insurance Stress Test 2018 Recommendations

Introduction

During the course of 2018, EIOPA carried out a European-wide stress test (ST) in accordance with Articles 21(2)(b) and 32 of Regulation (EU) 1094/2010 of 24 November 2010 of the European Parliament and of the Council (hereafter the ‘Regulation’).

The Recommendations contained in this document are issued in accordance with Article 21(2)(b) of the Regulation in order to address issues identified in the stress test.

EIOPA will support National Competent Authorities (NCAs) and undertakings through guidance and other measures if needed.

The 2018 Stress Test results showed that on aggregate the insurance sector is sufficiently capitalised to absorb the combination of shocks prescribed in the three scenarios. However, it also confirms the significant sensitivity to market shocks for the European insurance sector with Groups being vulnerable

  • not only to low yields and longevity risk,
  • but also to a sudden and abrupt reversal of risk premia, combined with an instantaneous shock to lapse rates and claims inflation.

The exercise further reveals potential transmission channels of the tested shocks to insurers’ balance sheets. For instance, in the YCU scenario the assumed claim inflation shock leads to a net increase in the liabilities of those Groups more exposed to non-life business through claims inflation. Finally, both the YCD and YCU scenario have similar negative impact on post-stress SCR ratios.

As outlined in the Executive Summary of the 2018 Insurance Stress Test Report, further analyses of the results are required by EIOPA and the NCAs to obtain a deeper understanding of the risks and vulnerabilities of the sector.

In order to follow-up on the main vulnerabilities, EIOPA is issuing the present Recommendations related to the 2018 stress test exercise.

Recommendation 1
NCAs should strengthen the supervision of the Groups identified as facing greater exposure to Yield Curve Up and/or Yield Curve Down scenarios. This affects, in particular, those Groups where transitional measures have a greater impact.

Recommendation 2
NCAs should carefully review and, where necessary, challenge the capital and risk management strategies of the affected Groups. In particular:

  • NCAs should require Groups to clarify the impact of the stress test in terms of capital and risk management.
  • For the affected Groups, stress test scenarios similar to YCU and YCD should be properly considered in the risk management framework, including the ORSAs.
  • Review the risk appetite framework for the affected Groups.

Recommendation 3
NCAs should evaluate the potential management actions to be implemented by the affected Groups. In particular:

  • NCAs should require Groups to indicate the range of actions based on the results of the stress testing.
  • NCAs should assess if the actions identified are realistic in such stress scenarios.
  • NCAs should consider any eventual second-round effects.

Recommendation 4
NCAs should further contribute to enhance the stress test process.

Recommendation 5
NCAs should enhance cooperation and information exchange with other relevant Authorities, such as the ECB/SSM or other national authorities, concerning the stress test results of the affected insurers which form part of a financial conglomerate.

EIOPA ST

Click here to access EIOPA’s Recommendations