
Cyber, Regulation Seen as Top Emerging Risks, Report Finds

SAN DIEGO—Forecasting risk is not expected to get easier in the next three years, with cyberattacks and regulation topping the list of emerging risks, according to a new report published jointly by Marsh and RIMS.


The 13th annual Excellence in Risk Management report found that while risk professionals are increasingly relied upon to identify and assess emerging risks, there are still organizational and other barriers to identifying those risks. In fact, nearly half of survey respondents—48%—predicted that forecasting critical business risks will be more difficult three years from now, while just over one-quarter said it would be the same.

“Whether emerging risks are on your doorstep, around the corner, or on the far horizon, they have the potential to catch organizations unaware,” said Brian Elowe, Marsh’s U.S. client executive leader and co-author of the report. “It’s important for risk professionals to maintain awareness of global risk trends, and to make the connection to their organizations’ business strategy.”

Where do risk professionals turn when trying to understand the impacts of emerging risks on their organization? According to the report:
One of the goals of this year’s Excellence survey was to better understand how organizations view the emerging risks facing them, what tools they use and the barriers they face in assessing, modeling, and understanding the risks. According to the findings, a majority of respondents—61%—cited cyber-attacks as the likely source of their organization’s next critical risk. This was followed by regulation, cited by 58% of the respondents, and talent availability, cited by 40% of the respondents.

Based on survey responses and insights from numerous focus group discussions, it became clear that risk professionals generally agree on the importance of identifying emerging risks, and also that there is no clearly established framework for doing so. More can be done to better identify, assess, and manage the impact emerging risks may have on organizations.

For example, a majority—60%—of the risk management respondents said they use claims-based reviews as one of the primary means to assess emerging risks, compared to 38% who said they use predictive analytics.

“The widespread use of claims-based reviews means that a majority of organizations are relying on studying past incidents to predict how emerging risks will behave rather than using predictive analytic techniques like stochastic modeling and game theory to help inform their decision making,” Elowe said.

Survey respondents also cited several barriers to understanding the impact of emerging risks on their business strategy.


Lack of cross-organization collaboration ranked first among risk professional respondents.

“Lack of collaboration across the organization is still an issue for many risk professionals. On the other hand, breaking down silos has become less of a concern for executives,” said Carol Fox, vice president of strategic initiatives for RIMS and co-author of the report. “Tackling emerging risks often requires creative yet pragmatic approaches. It has to encompass internal cross-functional conversations — formal and informal — around the intersection of risk and strategy, senior-leadership engagement, and tapping into external information sources. Risk professionals are encouraged to broaden the scope and collaboration around emerging risk issues within their organizations.”

According to the report:

As the risk environment becomes increasingly complex and more entwined with financial decisions, risk strategy is increasingly a boardroom issue. As we have seen in past Excellence surveys, senior leaders’ expectations of the risk management department have increased in everything from leading enterprise risk management to providing better risk quantification and analysis.

However, while more is being asked of risk professionals, investment is not necessarily keeping pace. For example, the percentage that say they expect to hire more staff dropped to 25% this year from 37% when we asked in 2015. “We’ve all experienced this elevation of risk management at our institutions, but…as we are battling for budget, it becomes pretty easy for risk management to get pushed over to the side,” said the assistant vice president of risk management at a major university.

The survey is based on more than 700 responses to an online survey and a series of focus groups with risk executives in January and February 2016.

Survey Finds Alliance with Organizations and Risk Reporting Structures

NEW ORLEANS—Seventy-nine percent of companies are aligned with their risk management reporting structure; however, only 27% of risk professionals believe that emerging risks will be a company priority in the coming year, according to the 12th annual “Excellence in Risk Management Survey” released here by Marsh and RIMS.

In the last five or six years, “We have seen significant narrowing of the gap, where there is better alignment of what risk managers and risk executives are providing their organization and what their C-suite and management is looking for and needing in this riskier world that we all live in,” said Brian Elowe, a managing director at Marsh and co-author of the report. Findings are based on more than 300 responses to an online survey and a series of focus groups with leading risk executives.

Elowe explained that the study focused on organizational alignment, risk management effectiveness, data analytics and technology and cyberrisk.

In their study of organizational dynamics, he said, “We looked at priority setting, organizational structure and performance measurement standards to understand effective execution of a risk management strategy.”

The first insight concerned the structures that risk management reports to inside an organization. “We also asked whether the people responding to the survey felt risk management was reporting to the correct area inside the organization. We found that 79% of the respondents said they felt risk management was reporting into the appropriate area inside their organization,” Elowe said.

Looking deeper, he said the survey found that 50% of executives report into the finance area. The other half reports into a wide number of areas inside the company–12% report to general counsel, 8% to other C-suite members, 5% to internal audit, 5% to operations, 2% to human resources and 11% to “other” functions.

“We found that while they are all in the risk management function, those that report to areas outside of finance tend to be involved in areas deemed to be more strategic in nature. So they are more likely to be involved with things like ERM strategies, IT, privacy and security.”

Elowe said, “We think that finance executives might be well-served to help facilitate greater connections inside their companies to help broaden the perspective that risk executives reporting into finance might be able to have inside their own companies.”

In addition, only 27% of risk professionals reporting to the CFO or treasurer said they expected an increase in spending for training risk management staff. This is compared to 46% in increases expected by those reporting to other areas.

The top-five programs reporting to risk management were insurance management (92%), claims management (88%), enterprise risk management (67%), captive operations (65%) and emergency response (63%).

Looking at functions that report into risk management, he said that while the traditional functions of insurance and claims were well aligned, there is a significant alignment with IT. This is compared to several years ago when IT “operated in and of itself in an organization. That is an outcome of the growing cyberrisk and the need for organizations to have a multi-disciplinary approach to how cyber is affecting their organization.”

Discussion groups agreed that the “here and now” is most important to their companies and that more needs to be done to develop understanding of emerging risks. “Risk managers are concerned they are not looking far enough ahead,” Elowe said, adding that company focus is largely directed to regulations and compliance. Carol Fox, director of the strategic and enterprise risk practice at RIMS and co-author of the report, observed that organizations focused on operations are generally not as involved in strategy. She said management understands risks, but fell off in actually planning for emerging risks.

Findings include:

  • Risk management departments that do not report into finance are generally better aligned with other strategic functions within their organizations — most notably in the areas of enterprise risk management, compliance, information technology (IT) risk management, privacy, and security.
  • Despite the importance placed on emerging risks by many board members, senior leaders, and risk executives, only 27% of survey respondents said that identifying emerging risks would be a priority in the coming year.
  • Over the next two years, 42% of organizations expect to increase the level of investment in risk analytics, according to our survey, with 57% saying it would remain flat.
  • Nearly 60% of respondents said their organization has no formal communications plan in anticipation of a cyber event.
  • Risk professionals who report into the CFO or treasurer are much less likely to expect an increase in spending for training risk management staff in the coming year compared to those reporting elsewhere.

 

New Reports Support Call for TRIA Extension

Two recent reports from the Presidential Working Group (PWG) on Financial Markets and Marsh & McLennan Companies support the argument for a long term extension of the federal Terrorism Risk Insurance Program, otherwise known as TRIA. The much anticipated report from the PWG draws upon comments from many industry groups and interested parties, including RIMS, while the Marsh report is a follow-up to a similar report issued in May 2013.

The “2014 Marsh Terrorism Risk Insurance Report,” released Tuesday, states that “if Congress does not renew or extend the federal backstop, the market dynamics for terrorism insurance will be disrupted and will likely result in increased pricing and limited capacity.” Marsh’s support for a long-term extension of the program is in line with the majority of the insurance industry as TRIA nears its December 31, 2014 expiration. “The potential for adverse economic consequences due to limited or unavailable terrorism insurance should be an impetus for quick congressional action to reauthorize [TRIA].”

Similarly, the PWG study, required by TRIA legislation, made several findings relating to the need for extending the program:

  • Insurance for terrorism risk currently is available and affordable;
  • Prices for terrorism insurance have declined since TRIA was enacted;
  • Take-up rates have improved since TRIA’s passage;
  • The market is currently tightening in light of TRIA’s uncertain future;
  • The private market does not have the capacity to provide reinsurance for terrorism risk to the extent currently provided by TRIA; and,
  • Terrorism insurance would likely be less available should TRIA be allowed to expire.

Bi-partisan legislation was recently introduced in the Senate that would extend TRIA for seven years; however, the industry continues to eagerly await legislation from the House Financial Services Committee leadership. While the Senate bill reforms the program, many expect House leadership to ask for more far reaching changes.

Marsh Report Shows Continued Demand for Terrorism Coverage

As the current Terrorism Risk Insurance Act (TRIA) moves closer to its scheduled expiration date of December 31, 2014, the debate is heating up over whether the federal backstop remains necessary and whether the market demand for terrorism coverage still exists. According to the Marsh 2013 Terrorism Risk Insurance Report, released April 30, demand for coverage has remained both steady and strong. These results only reinforce the need for a long-term extension of the terrorism backstop.

During the first full year of TRIA, only 27% of organizations obtained terrorism coverage as the market was still adjusting to the TRIA program and the fallout from the 9/11 attacks. Since that time, take-up rates have grown steadily. By 2005 the take-up rate for terrorism insurance was 58%. Today the rate is more than 60%—where it has been since 2009. The take-up rates are highest among companies with total insured value (TIV) over $500 million, but even those companies with less than $100 million in TIV obtained terrorism insurance at a 59% rate in 2012.

Take-up rates did vary amongst different industry sectors. Companies within the media, education, financial institutions, health care or nonprofit sectors obtained terrorism coverage at a rate above 70% during 2012, with the media sector leading the way with an 81% take-up rate. The food and beverage, manufacturing, chemical, and energy and mining sectors were at the low end with take-up rates of 50% or lower.

With regard to region, companies located in the Northeast were most likely to obtain terrorism insurance with a take-up rate of 77% in 2012. This is to be expected given the concentration of large metro areas with high population density. However, other regions are showing a strong need for coverage as well. Companies located in the South, West and Midwest regions obtained coverage at the rates of 63%, 53%, and 58% respectively in 2012. The threat of terrorism is not just a Northeast problem, and companies in regions with a less-perceived threat of terrorism are showing recognition of that fact.

If TRIA is allowed to expire, these numbers could change drastically as capacity would be significantly decreased. Without TRIA, insurers would no longer be required to offer terrorism coverage. The Marsh report shows that terrorism pricing, as a part of property premiums, has remained within the 3-5% range since 2010. Premiums would likely rise, however, without TRIA, and the certainty it provides insurers essentially subsidizes current rates. Additionally, companies with a high exposure concentration in central business districts or major metropolitan areas would likely not be able to purchase the necessary amount of coverage, forcing them to self-insure all or part of their terrorism risks.

The Marsh report covers many other issues surrounding the terrorism market that are not discussed here, including: considerations in using captives for terrorism coverage; the terrorism reinsurance market; the standalone terrorism market; and implications on workers compensation and general liability coverage if TRIA were allowed to expire.