Developing a risk culture or risk conduct framework will be a top area of focus for Asia-Pacific Chief Risk Officers (CROs) in the year ahead, even if fewer than half of them have done so at their organisation, the latest EY survey has revealed.
EY’s "APAC Insurance CRO survey 2017-2018 — Empowering for transformation", which surveyed CROs from across Australia, Greater China and Southeast Asia, found that while risk frameworks have been widely adopted in the banking sector, they remain relatively new to the insurance industry, with only 45% of insurers across Asia-Pacific having implemented them.
Australian CROs lead the way
However, results vary across the region with Australian insurance CROs citing “implementing a strong risk culture” as among their greatest accomplishments within the past 12 to 24 months — reflective of the relative maturity of that market. Mr Jonathan Zhao, EY Asia-Pacific Insurance Leader, said that differences between markets across the region are largely due to different regulatory expectations and approaches to conduct risk.
“When it comes to implementing risk culture frameworks, Australian CROs are leading the way, while those in other Asian markets, such as China and Singapore, will need to focus on this over the coming 12 months. It’s also fair to say that larger firms operating in the region, with headquarters in the US or Europe where regulators have set high-conduct risk management benchmarks, tend to have more advanced practices,” said Mr Zhao.
Cyber risk management hampered by talent challenge
The survey also found that insurers’ maturity in understanding, measuring and governing cyber risks has come a long way over the last 12 months. CROs understand that cyber attackers do not just target money or credit card details, but also other valuable information, including customer data. The damage caused by a major data breach will not only be financial, but will also have a significant reputational impact to the organisation.
Despite the material improvement in understanding cyber risks and potential impacts, risk teams are struggling to bring cyber expertise into the risk function — driven by a skillset shortage in Asia-Pacific. In fact, 45% of survey respondents across the region are yet to allocate a devoted risk resource toward managing cyber risk.
Mr Sumit Narayanan, EY ASEAN Insurance Leader, said that the shortage of cyber risk specialists, combined with stagnant budget and headcount projections, means that CROs must also consider the increasing role of technology solutions in monitoring and identifying risk.
“The CROs in our survey are especially looking for expertise in cyber and IT security, data analytics and big data, machine learning, anti-money laundering, and artificial intelligence (AI). Finding the budget and resources to invest in these areas is proving problematic. Risk functions must therefore find the right balance between securing scarce talent and investing in new technologies,” said Mr Narayanan.
Shift in CRO role
In addition to addressing transformation in their own functions, the insurance CRO’s role itself is evolving — shifting from traditional risk and regulatory compliance to becoming a partner within the business, with greater influence over the company’s strategic direction. More than 70% of respondents said that their attention was split 70:30 between business and regulatory issues. Most have also increased their influence over or secured approval of key processes.
“In future, we expect insurance CROs to play an even greater role in business and strategic planning as they help prepare their businesses for the emerging risk landscape. This will involve creating heightened sensitivity to risk at the executive table and becoming more involved in strategy setting. CROs should stop “rubber-stamping” ideas and proactively ensure that the business strategy takes into account emerging risks and opportunities,” said Mr Narayanan.
Need to invest resources to keep pace
While this is a positive sign for the inclusion of CROs in wider business — raising the profile and value of the risk function — it does pose potential new challenges at a time when the continuing increase in external regulatory requirements is also placing more demand on the risk function. CROs will need to invest in the necessary resources, tools and talent if they want to keep pace with the evolving risk landscape.
The full EY report is available here.