Managing innovation around risk
The need for innovative insurance solutions, the growing difficulty with managing cyber risk and the challenge of managing risk across international borders were high on the agenda at the 2014 Airmic conference, held in Birmingham, June 16 to 18.
The UK’s risk management society’s conference began with addresses from Airmic’s CEO John Hurrell and chairman Chris McGloin, who both highlighted Airmic’s forward-looking focus.
Hurrell spoke on the launch of a new Airmic document, Efficacy of Business Insurance, which covers a range of issues which risk managers and everyone who is advising risk managers should consider in order to ensure policies pay out when required to do so.
“It is now a relatively routine, and frankly understandable, process for insurers to refer major claims to their coverage lawyers—and of course those coverage lawyers have a duty to advise if there is any defence point that the insurer should consider in relation to any major claim,” he said.
“If the insurer is given a defence point by the coverage lawyer it is very difficult to proceed to settlement. This is the moment of truth—will the insurance policy pay out as intended, that is, in full and in a timely fashion?”
He said that by talking to brokers, insurers, loss adjusters and lawyers, Airmic’s representatives have developed a good idea of what can go wrong. The good news in almost every case is that these problems can be avoided by undertaking a rigorous process prior to the inception of a policy.
A key recommendation in the document is that the renewal process should start up to 60 days earlier than it does at present.
“There is no other business in the world where contracts with so much at stake are entered into before the final contract wording is available,” he said.
New thinking
Picking up on the theme of change, McGloin said that the need for innovation figures highly as a concern for risk managers in Airmic’s pre-conference survey.
“Our industry is not alone—all customers across all industries now expect and demand higher quality service and better quality products. I’ve been in many discussions where insurers tell me they have a real desire for product innovation.”
Although insurers have expressed a willingness to innovate, the capital adequacy models released under Solvency II pose a challenge to innovation, he said.
“Solvency II was intended to support and drive innovation, but is it really having that effect?” McGloin said. “People tell me that the absence of hard exposure and loss data plus uncertainty over recognised litigation standards is certainly an issue for insurers seeking to develop new products.”
He added that properly effective integrated enterprise risk management is the best way to enable risk managers to take control of their own destiny and put themselves in a position to address the new risks, and also to develop new risk transfer solutions.
It is important to have a clear understanding of the risks, and to have clarity as to the responsibility for these risks—particularly understanding which ones risk manager can control within their organisations, which ones involve proper engagement with customers, partners and supply chain and, last, which risks are beyond any individual organisation and require proper engagement with government.
“The development of clearly understood approaches to mapping and sharing risk information will become vital if we are to address these exposures effectively,” he said. “ERM within corporations needs to expand, perhaps to embrace a more systemic resilience management, recognising interconnectivity between companies and countries.”
Safety online
McGloin and Hurrell’s addresses were followed by an opening keynote speech from cybersecurity expert Dr Simon Moores, who highlighted the fact that computers are riddled with security vulnerabilities and there is no easy way to patch them.
Even more disturbingly, anti-virus software companies are starting to admit that they cannot keep up with the deluge of computer-generated viruses now attacking computer systems on a daily basis.
Moores said that the 2013 leak of US National Security Agency (NSA) material by Edward Snowden had shown that everything about the safety of the internet as a common communications medium has been broken.
“The crisis and damage caused, not by Snowden but by the unregulated unrestrained conduct of national security agencies, will last for decades,” he said.
He added that the internet has had gaping vulnerabilities from its inception.
“The NSA’s specific objective was to weaken the security of the entire physical fabric of the internet,” he said. “One of its main goals was to shape the worldwide commercial cryptography market to make it more tractable to advanced cryptoanalytic capabilities being developed by that organisation.”
When Snowden started leaking classified info from the US intelligence agencies the world started learning about programs such as Dishfire, a covert global surveillance collection system and database run by the NSA.
“Only this month The Guardian newspaper revealed that Vodafone has secret wires that will allow government agencies to listen to all the conversations on its network,” he added.
Moores went on to give an overview of the other sources of security breaches, summarising them into three distinct threats: electronic criminal groups, nation-sponsored activities and non-state actors.
He gave insights into the way in which criminal groups operate via what is known as the ‘dark net’ or ‘deep web’, which makes up the 90 percent of the internet never accessed by search engines such as Google.
He also highlighted the fact that even large companies such as eBay have experienced security breaches.
As for how companies should address the growing risk, he warned that companies should never assume the first ‘loss’ is a coincidence, and should be careful to use the right people to evaluate risk. It is vital to listen to your staff, he added, and to thoroughly investigate all avenues relating to a breach.
“Best practices are no guarantee of safety—but they should not be ignored because we are living in an age of litigation and remediation,” he said.
An important market
Speaking to Intelligent Insurer during the conference, Dan Hopkinson, underwriter, technology, media and business specialty lines at Beazley, predicted that the market for this cyber cover will grow significantly as awareness and actual experience of breaches increase.
“We look at every risk on the basis that we believe they are going to have an incident at some point,” he said.
“You can’t offer 100 percent security because it’s not just the hacker trying to get in, it could be a rogue employee, it could be a simple operational mistake such as a lost or stolen laptop—lots of things can occur that cause an issue that an organisation has to respond to.”
As more insurers move into the cyber arena, he said that their success will depend on their ability to keep pace with changes.
“Innovation will continue and will drive who has the success and who doesn’t, as it does with any line of insurance,” he said. “The market is going to be big enough for there to be a few main players.”
Hopkinson has seen a steady rise in demand for Beazley’s innovative and comprehensive cyber package.
“The insurance offering we have put together is very much like kidnap and ransom in that it’s not just insurance products—it’s very heavily serviced,” he said.
Beazley’s offering includes the services of privacy lawyers, IT forensics and a host of other service providers and help organisations in the event of a breach, including notification companies, mailing houses, a call centre, and data and credit monitoring companies.
Beazley was the first insurer to bring services in as part of the solution, and its product—Beazley Breach Response—is structured so that the service provision sits separately from the main tower of liability.
“This means insureds can access those services knowing that they’re still going to have a full tower of liability intact if somebody brings a claim against them,” he said.
Risk database
Compliance in the global marketplace also featured highly on the agenda at the conference, during which Airmic’s new database to help risk managers ensure insurance programmes are globally compliant was launched.
Insight Risk Manager, developed in collaboration with global insurance market information supplier Axco, was created because global compliance of insurance programmes has repeatedly come near the top of risk manager concerns in surveys conducted by Airmic.
Rules vary not only between countries, but also within some territories such as Australia and the US, and they can change without notice. Failure to comply can result in fines, cancellation of cover, reputational damage and, in exceptional cases, imprisonment.
The main focus of Insight Risk Manager is to address risk managers’ concerns by providing guidance on the rules covering admitted and non-admitted insurances by jurisdiction.
Incoming Airmic chairman Helen Pope said of the launch: “Insight Risk Manager is a product that doesn’t need much introduction. Over the last four or five years we have been trying to develop such a tool for risk managers to understand their own compliance needs, as opposed to those of the insurers and the brokers.
“I’m delighted that I get to produce it in its first format on the eve of my incoming chairmanship.”
The conference concluded with a keynote speech by Michael Woodford MBE, a former CEO of Olympus who blew the whistle on massive fraud in the company. He highlighted the need for corporations to have clear procedures for dealing with issues raised by whistleblowers.
Speaking to Intelligent Insurer ahead of his speech he explained: “You can have grand rhetoric about trust and honesty and transparency and open cultures and all of that, but to me most of it is utterly meaningless: you have to have systems in place, be it vigorous forensic audit whistleblowing lines and hard mechanisms rather than the soft talk that often goes on. People think they can change cultures or prevent these things from happening by simply using words—and they can’t.”
