While Solvency II work lingers on, risk managers are having to expand their expertise into a broader array of risks – notably in the cyber and technology space – as chief risk officers discuss in part two of this InsuranceERM/BearingPoint roundtable
Attendees
Mark Chaplin - UK Insurance CRO, Aviva
Michael Hosking - CRO, Faraday
Ruediger Lambrecht - Senior manager and product owner for ABACUS/Solvency II, BearingPoint
Greg Shepherd - CRO, Markel International and Global Head of Risk Management for Markel Corporation
Chaired by Christopher Cundy, managing editor, InsuranceERM
Ongoing investment
Chris Cundy: Is there still a willingness by the board to invest in better risk management?
Mark Chaplin: 
I need to distinguish between risk management and the risk function. Risk management is what insurance companies do, so whether it is prevention or identification, better risk selection or use of data analytics, it's a huge share of investment.
Then the risk function itself: like the insurance industry more generally, we need to be ever more efficient, deliver better value for customers and be competitive. This means reapportioning budgets to focus on the evolution of the risk function.
Greg Shepherd: Ultimately, it is the first line that manages risk. We come in as part of the second line, and observe and collate and report on what is happening. So, risk management with a little 'R' and a little 'M' is critical and still very much being invested in. I do not see risk management staff numbers as such growing hugely in this current phase of the market.
Chris Cundy: Where are you directing investment at the moment?
Greg Shepherd: We are partnering on operational cyber risk with people from our security team. That has been a very productive partnership in terms of understanding what the risks are, and then being able to use some of our processes to enhance communication of those risks.
Mark Chaplin: One area is IT risks. Customers expect 24/7 availability now, so you need resilience and reliability in your systems. The risk function needs an ability to review and challenge the demands placed on IT systems and the dependency of the business on them. Then there's cyber security: expertise is also needed in that space.
As the business shifts towards the use of artificial intelligence and machine learning, we need to think about how we assess processes that have far less human involvement in them.
We also need to understand how we can use these tools. For me, the next generation of conduct risk management is trying to apply analytical tools to identify poor customer outcomes and identify predictive factors that might then help you to understand the recourse.
For example, is the way your literature is written meaning that you are getting a preponderance of older or younger customers complaining? You can potentially work backwards by doing the analysis of the complaints and find that a predictor factor for complaints is age, and then try and find the root cause.
Michael Hosking: As a risk function, we do not create too much data ourselves: we collate, refine and analyse data from the business. That is a skill set that we need to keep on developing.
Also, the expectations around the risk function's knowledge of all risk types is very high now. You have to create relationships with the relevant individuals within the company and make sure that communication is robust.
Digitalisation
Chris Cundy: What particular issues does the digitalisation of the insurance sector pose for the risk function? How do you support that transition to a digitalised business?
Mark Chaplin: 
There are significant challenges for the risk function, from understanding the technology and where it is heading, through to thinking about how our processes will need to change and how digitalisation changes our business.
At one level, digitalisation is simply automating, through computers, things that already happen today. It can be as simple as moving from paper to online documentation. That has challenges in terms of conduct risk, demands on legacy systems, and the usage and storage of data.
The risk management function also has a strategic role, in trying to see what could threaten the business model – such as not picking the right trends and technologies.
In a digital world, can you re-imagine the business model and the way you serve the customer? Simply automating a 300-year-old insurance business is not going to survive in the long term.
Chris Cundy: Do you think this trend is placing greater expectations on the risk function?
Mark Chaplin: I think the expectations remain the same. It is just challenging for us to keep up with those expectations.
Michael Hosking: Also, the information we are providing needs to be up to date and timely. You have got hot-off-the-press information being presented to the board on their iPads, but it is almost impossible to present risk analysis on that same information at the same time. It puts pressure on you to maintain relevance.
Chris Cundy: Do you feel you need to build a faster-moving risk function?
Greg Shepherd: We need to be increasingly agile. If we really want to transform ourselves from focusing on Solvency II implementation to being a genuine partner with the business, we have to be very quick to respond to produce analyses and reports.
Insurtech
Chris Cundy: What opportunities are there for the risk function to benefit from new technologies?
Mark Chaplin: There are numerous opportunities, too many to go into right now from automation, data visualisation to identify patterns, machine learning using unstructured data and analytics all have potential uses in the risk function.
For example, we have lots of information such as risk event logs, customer complaints and staff surveys. You might be able to combine that data and analyse it to predict and address risks better. But the bigger challenge is to decide where to place your bets.
Michael Hosking: Fraud analytics is absolutely worth looking at. However, I question the science behind some of that operational network elements. Being too clever about operational risk is something I am sceptical of, because of the human aspect. You cannot apply too much mathematical science to human behaviour.
Interconnectedness of risk
Chris Cundy: In the modern world we are very much 'connected' and risks – notably cyber – can spread in unexpected ways. Are you concerned by the interconnectedness of risk and is it something you are trying to model?
Mark Chaplin: We need to be interested in interconnectivity, but the global system is infinitely complex, so I am somewhat sceptical about an ability to model it in an accurate way. When we do scenario analysis about potential interconnectivity, I think we sometimes end up trying to boil the ocean.
I would rather spend time thinking about the resilience of the organisation to risk, wherever it comes from, rather than measuring and mapping out the potential interconnectivity.
Greg Shepherd: Interconnectivity is so difficult, because the thing that is really going to hurt you is the thing that nobody has thought about. Running through interconnected loss scenarios might not identify the actual problem itself, but at least you are getting people to think about what could happen.
Blockchain technology
Chris Cundy: Have you paid much attention to the development of blockchain technology? Are you excited about it?
Mark Chaplin: It is one of the strands of digital developments that is being explored within our digital garage. It is clearly an area of interest.
Greg Shepherd: I think it has enormous potential.
Michael Hosking: It does lend itself perhaps to a Lloyd's model, where you can track back the original communications between brokers and whole-of-market advisors from the underwriting side. From a fraud and contract perspective, you can track exactly what the dialogue was.
It will probably take a demonstration of its ability to add value in other financial services arrangements before insurance takes it wholeheartedly.