Future of Risk Analytics

Originally Published on
SummaryNov, 2017

As global risks rise, companies are having to overhaul their approach to risk analytics and management. Big data and artificial intelligence open the way to breakthrough strategies - although smart companies recognise that change comes from people as well as tech. CEOs are turning their risk teams into strategic advisors and seeking boardroom input from insurers to tackle the new generation of threats such as cybercrime. This report comprises independent journalism in collaboration with Airmic and financially supported by RSA

In this report

In a risky world, insurers are granted a direct line to the boardroom

AI and cybersecurity among areas in which industry’s know-how counts

Modern insurers know all about risk, cybersecurity, and artificial intelligence – so isn’t it time they were afforded greater influence as strategic advisors in the boardroom?

Vincent Vandendael of Lloyd’s of London
Vincent Vandendael of Lloyd’s

The inexorable march of technology has enabled insurers to arm themselves with cutting-edge risk-analytics tools – harnessing AI in particular – to make better sense of big data. As such, their value to organisations, in terms of risk assessment and management, has greatly increased.

“The risk-management needs of businesses are changing and the engagement with their insurers needs to be deeper and broader than ever,” insists Vincent Vandendael, chief commercial officer at Lloyd’s of London, regarded as the world’s leading insurance market. “Risks are interconnected, dynamic and widespread. Businesses are therefore looking for insurers who are uniquely focused on their needs.

“They need deeper risk insights as well as smart and flexible products that help them to militate against these threats, which include manmade perils, like cyber attacks, natural catastrophes, and new and emerging risks, such as autonomous technologies or AI.”

Vineet Singh, Tata Consultancy Services’ head of insurance technology in Europe, similarly believes the industry’s ever-improving ability to mine rich sources of data that could inform critical business decisions is becoming too irresistible to ignore. His organisation’s Global Trend Study, published in August, found that of the 13 industries surveyed insurers invested $124 million in AI, almost double the $70 million cross-sector average.

“Insurance is among front-runners in AI adoption, which may come as a surprise to some,” Singh says. “For instance, the rise of the smart home, with smart devices – such as the Amazon Echo and Nest thermostats – is helping the home insurance industry to reap the benefits of AI, machine learning, and the Internet of Things.

“These devices and sensors are gathering information in real time, providing a continuous flow of data on how people live. This data – once just an unmeasurable flood of information – can now be quickly analysed and used thanks to AI.”

Cybersecurity is moving up the list of priorities for C-suiters, and the insurance industry can assist in this area, too. Nik Whitfield, chief executive of Panaseer, a cybersecurity company that advises directors on their level of risk, notes that Allianz expects the cyber insurance market to generate $20 billion in premiums per annum by 2025 (the current figure is almost $4 billion), making it “one of the fastest growing segments of the industry”.

Little wonder, then, that the world’s first cyber insurance comparison website, CyberDecider, launched in September. Neil Hare-Brown, chief executive of CyberDecider, says insurance experts are “now being presented as a consultancy option for boards – especially where their experience and data relate to loss-event frequency, and magnitude, because that can help better understand cyber and other complex operational and political risks”.

He continues: “There is no doubt that the richer data from insurers is becoming more sector-specific and valuable to businesses. Helping organisations achieve better risk management with an optimal balance of mitigation, transfer, avoidance and acceptance will not only make businesses more resilient but also allow them to compete better.”

Insurers should be very careful about the line they tread, for reasons of conflict of interest.

However, business consultant Marc Lawn, who has worked at a high level with organisations as diverse as BP and Ordnance Survey, warns: “Insurers should be very careful about the line they tread, for reasons of conflict of interest. If they are advising a client that they are also insuring then they could walk into a legal minefield. Do they open themselves to litigation later because they influenced a decision that badly backfired? Could they be accused of inflated profits because there are no checks and balances in terms of risk advice and premiums?”

Hare-Brown agrees, and says: “There is a potential problem with intelligence being delivered by insurers themselves. One might envisage that certain consulting and boardroom interactions could result in an insurer becoming conflicted in their understanding of business controls and the provision of insurance cover.

“It is therefore important that insurance specialists should also be suitably independent from the implementation of controls within the organisations to whom they are providing advice.”

This topic of data-rich insurers evolving to become vital boardroom allies is only likely to intensify, though. “Insurers will soon be using blockchain technology in their operations,” says Singh, pointing out that the September-launched insurer collective B3i (Blockchain Insurance Industry Initiative) is already “actively looking at ways the technology can make businesses in the sector more efficient”.

Mark Boulton, UK and Ireland insurance sector lead for IT solutions provider Fujitsu, is equally optimistic that insurers will become invaluable consultants to businesses of all sizes – and sooner rather than later. “The digital age has ushered in an incredible opportunity for insurers to evolve the very purpose of the industry in the very near future,” he says. “New technology is enabling it to shift its focus away from reactive to proactive.”

Vandendael of Lloyd’s adds: “Boards do not like surprises and by having a deep, strategic partnership with their insurers businesses are able to respond to a growing array of risk-management challenges.”

Risk analytics and imagining the end of ‘black swan’ events

Big data and innovative thinking are helping reduce the risk of extreme incidents

What if, when the Fukushima nuclear plant was struck by a tsunami in 2011, the wind had blown onshore instead of out to sea? Or if a solar storm had hit during the London Olympics in 2012 — an event said to have a likelihood of 4 per cent?

These might sound like abstract thought experiments, but they are cited in a recent Lloyd’s of London report on so-called “counterfactual risk analysis”, a technique that involves imagining in detail how the past might have turned out differently to inform better risk modelling for businesses, insurers and risk managers.

Such work is part of a broader movement in risk analysis towards using big data, artificial intelligence and fresh approaches that are widely expected to yield vast improvements in forecasting, ultimately improving safety and reducing premiums.

Some insurers are already working on translating big data — enormous data sets that can be crunched to reveal new insights and trends — into predictive analytic tools that can, for example, identify the locations most likely to experience a loss, and identify equipment most likely to be to blame for a problem.

This means they can not only determine the severity of risk, but also where loss is most likely to occur — with accuracy never before possible.

Colin Farquhar, a director in risk and compliance practice at Protiviti
Colin Farquhar of Protiviti: legacy systems and data privacy are holding risk managers back

Colin Farquhar, a director in risk and compliance practice at Protiviti, a risk consultancy, says: “As more diverse data sets become available and more sophisticated computational algorithms analyse the data combinations, the ability to assess the likelihood of different outcomes will improve.”

The rise of connected devices and sensors, via the so-called internet of things, will also mean insurers will become much more attuned to changes that clients make at, say, manufacturing facilities, and whether those changes alter the risk profile, he adds.

Mr Farquhar offers an example of the benefits of improved risk modelling in the healthcare industry: anonymous data will facilitate the development of algorithms to “better predict longevity, medication outcomes, survival rates, time in hospital, readmission rates”, he says.

If more diverse data sets, and more sophisticated algorithms to analyse this data, are going to radically improve the ability to assess risk, is the “black swan” going to become an endangered species?

The term, coined by Nassim Nicholas Taleb, a finance professor, comes from the observation that black swans were thought to be extremely rare - until they were discovered living in vast numbers in Australia. It is now used to describe an extraordinary event that existing knowledge finds difficult to predict. Mr Farquhar suggests there is at least the potential for a reassessment of what qualifies as a black swan.

Improved predictions should lead to a lower frequency of extreme events and/or less severity when they occur

“Improved predictions should lead to a lower frequency of extreme events and/or less severity when they occur,” says Mr Farquhar. “They should also lead to better preparedness to deal with extreme events.”

What about a risk that, on the surface at least, arrives entirely out of the blue, such as the infamous series of industrial explosions in Tianjin, China, in 2015 which killed 173 people?

Reducing the risk of such a tragedy will partly depend on the willingness of business to invest in risk analysis. “In engineering terms, it is possible, given information about each component, to estimate the mean time to failure of an engine, as an example,” says Mr Farquhar. “If underlying component reliability was not well measured in general then the probability of extreme events across industries rises.”

However, he adds: “Extreme events, including unforeseen ones with substantial outcomes such as bankruptcy, cannot be totally prevented.

“There are always low probability but high impact events which may occur. Certainty is not possible and, if it were, there would be little opportunity to generate above risk-free returns,” Mr Farquhar points out.

There’s also caution over the extent to which businesses and risk managers are prepared to adopt the new approaches.

Paul Henninger, who runs the data and analytics practice at business advisory firm FTI Consulting, says: “Much of analytics that are used today are based on the idea of a ‘normal distribution’ where most things that happen are similar and very few unusual events happen out at the margins.”

“Understanding more about unusual events requires a different kind of math. Rare events are almost by definition marginal and you need to use an analytics approach that gives you information on the margins instead of on the most common events.”

Mr Farquhar says there is a wide variety of preparedness to embrace these new ways of analysing risk: “Some are forging ahead with leveraging this data while others have hardly started. Overall, developments are behind where they could be but much of this is driven by legacy system issues and sensitivities around data privacy.”

Those that don’t engage with the new approach to risk analysis risk being left behind, he warns: “Much of the technology and analytical techniques are quite different to that which have been used previously, so implementing such will involve considerable effort and organisational redesign to lead to effective outcomes.

“Firms which do not adapt are rapidly finding themselves disenfranchised by more disruptive entrants to their market but then have little time to react.”

Joined-up data provides a new way to navigate risks

The rich trove of information gathered by insurers can find new ways to avoid losses

How can a business better get to grips with the range of risks that they are exposed to, and anticipate those risks that are just over the horizon?  As data is gathered and fed into increasingly advanced risk analytics tools, how are insurers using their insights to help businesses make the decisions that can affect their futures and prevent prospective losses?

Neil Strickland, Director of Risk Consulting, RSA

As the commercial benefits of globalisation and interconnectedness become apparent, shifts in the way businesses operate have given rise to the development of new and often invisible risks.  In the absence of hard data to model and to help us understand these emerging risks, an almost instinctive form of risk management has been applied, based on ‘gut feeling’.  This makes the creation of an effective risk management strategy and its substantiation somewhat challenging.

 For the more traditional property and casualty based risks, many tools are available to help a business compile a general understanding of existing risk factors and their relative importance.  As well as this being a one-dimensional view of risk at a single point in time, the data’s relevance is often limited due to the time that passes between its capture and its application.

Insurers are becoming more aware of the hunger for sector-specific insight

While we cannot wholly depend on the past to inform our understanding of future risks, captured data nonetheless presents a base from which to begin the journey towards deeper understanding.  Businesses are increasingly using historical data to build insights into the types of risks that are most likely to impact their organisation down the line and what a future risk management strategy should look like. Simply put, businesses are striving to make insight-led decisions, which is where insurers are well-positioned to provide support -  data having been the lifeblood of the insurance industry since its formation.

Through activities such as claims handling, underwriting processes and visits to customers’ premises, insurers have been gathering huge amounts of data and insight into trends in the sectors in which they specialise.  Historically insurers have not been expected to share their knowledge outside their own organisations. However, there is a shift developing as insurers become more cognisant of the hunger among their customers and partners for sector-specific insight which in turn is driving greater innovation and functionality in the tools they are using.

Most current risk management tools are IT systems that provide workflow tracking of risk management activity and risk data collection from site surveys and desktop/prospect reviews. However, as analytics tools become more advanced they are evolving to offer:

  • Real-time updates to risk improvements flowing through to show the impact on risk profile;
  • Risk quality benchmarking across own portfolio of locations and against peers;
  • Inclusion of multifaceted data from publicaly available sources;
  • Business intelligence software allowing bespoke insights to be uncovered, and bridges to be built linking data sets; and
  • User-friendly content with full and transparent access for businesses.

Advances in risk analytics have been highlighting the gaps in traditional insurer methods of evaluating risk.  One notable example is the long-established property site survey programme provided by insurers and/or brokers that aims to help a business reduce the frequency of a loss event occurring - and reduce the severity if it does.

Frequent mid-sized losses have the same effect on the bottom line as one single large loss

For large businesses that operate across various sites, this survey programme typically has been deployed to locations based on a matrix that drives focus towards the higher financial value, higher hazard locations.  Generally speaking though, these sites already have a significant understanding of risk and a good risk mitigation strategy in place and a correspondingly good loss record.

Joining together incident/loss data with site risk data has identified an increasing trend that smaller value/lower hazard, often ‘off radar’ locations pose a level of risk that has been escalating and it is no longer enough to rely on these sites interpreting and applying centrally-issued corporate risk standards.  It should be remembered that frequent mid-sized losses have the same effect on the bottom line as one single large loss, but it is generally easier and more cost effective to work with a single site to improve their risks than many sites.

As analytics tools develop, achieving the panacea prediction of when, where and what will be the impact of the next loss remains a goal for the future, particularly considering that humans are involved – we remain the root cause of many a loss.  But identification of the markers of a location or situation that has an increased propensity for a loss to occur can be achieved, thereby allowing a degree of proactive intervention to avoid or minimise the predicted loss.

With all this data at their fingertips, insurers are in an enviable position and they are increasingly sharing the insight the data provides more openly in order to help businesses better understand their risks and reduce them, and ultimately inform future decision-making.

Shouldn’t we stop looking in the rear view mirror at the risks we failed to anticipate, and spend our efforts using analytics to help avoid those coming towards us?

Neil Strickland is Director of Risk Consulting at RSA

To find out more about RSA Risk Consulting, or to speak to one of RSA’s Risk Consultants, click here.

From Brexit to festivals, tools must measure a new generation of risks

Improved analytics find favour as traditional tools struggle with new hazards

The analysis of business risk is changing fast. Organisations have traditionally assessed risk through mapping techniques, plotting charts showing the likelihood of an event against the potential damage to the business. However Aon’s Global Risk Management Index 2017 surveyed 2,000 organisations and found that traditional insurable risks such as business interruption and third party liability, are becoming less of a headache.

Partially insurable risks, such as damage to brand and cybercrime, remain important but the real concerns are now around risks such as economic slowdown and failure to attract talent.

As an example, DJ Rob da Bank has been running the Bestival music festival since 2004, advised on risk by Paul Bedford, chairman of Edition Capital, a specialist financial advisor to media and entertainment firms. While the Bestival organisation is insured for the usual suspects - public liability and so on – it has also insured against cancellation, a vital safeguard given the unpredictability of the British summer. The Y Not Festival in Derbyshire had to refund festival-goers 50% of the cost of their tickets in 2017 after it was halted due to adverse weather, blowing a significant hole in its finances.

The British clouds may be unpredictable on any particular day, but there are centuries of data to help insurers assess risks. However, Mr Bedford says recent world events means Bestival’s team is also looking at the more intangible risks of terrorism insurance. “Premiums quadrupled this year,” he says.

Companies are now turning to more sophisticated analytical tools and techniques to better quantify those newer, difficult-to-measure risks.

Aon, for example, has established information analytics centres in Singapore and Dublin employing three hundred data scientists, behavioural scientists and actuaries and invests around $400 million a year in data and analytics. Eddie McLaughlin, chief commercial officer for Aon Global Risk Consulting, says: “Every time we place a piece of business, large or small, we gather premium data and exposure information, all the pricing components.”

The company also has a web-based tool called Brexit Navigator, helping organisations with UK exposure to understand the potential risks around leaving the EU - a long way from the traditional sort of risks that troubled insurers.

Some 85% of firms say they will be using more powerful analytics tools by 2020

There is strong interest from risk managers in more powerful analytical tools. The Association of Insurance and Risk Managers, Airmic, recently carried out a survey on their use. A third of companies are using them now but 85% say they expect to do so by 2020.

Sectors with a high maturity in risk management – financial institutions, technology, energy and pharmaceutical companies – are at the forefront, says Airmic’s technical director Julia Graham.

Georgina Oakes, Airmic’s research and development manager
Georgina Oakes of Airmic

Georgina Oakes, Airmic’s research and development manager, says the main barrier to adoption is a belief that the data tools are not powerful enough, although getting access to good data is also a challenge. Some business leaders also do not recognise the potential value of analytics.

Combining seemingly unrelated data in new ways is just one analytical technique that promises to turn risk into opportunity, particularly when coupled with the power of artificial intelligence.

The internet of things also looks set to be big in risk analytics. “Companies are installing IoT sensors into machinery which can predict when the machine is acting oddly but before it breaks down. You can work out where claims are going to happen,” says Oakes.

Sensors… can predict when a machine is acting oddly but before it breaks down

All this points to a growing feeling that organisations are recognising that risk does not have to just have a downside.

Christopher Ittner, professor of accounting for The Wharton School at The University of Pennsylvania says: “Directors are increasingly challenged to be aware of and understand the key risks their organisations face and how these risks are being managed. Reductions in insurance premiums are yet another potential financial benefit for organisations exhibiting more mature risk management processes.”

Michelle Tuveson, executive director of the Cambridge Centre for Risk Studies, agrees: “Risk management and its supporting research will need to expand to address the demand for greater clarity in modelling and communicating collective risks and foreseeable harm that corporations might face in the future, and better understanding their financial implications. ”

“Organisations that lead in identifying and assessing risks that today are both non-standardised and foreseeable will indeed be creating a competitive advantage.”

The whole firm needs to unite to reduce risks

Rules can reduce risk but the real gains can only come from changing company culture

When Tony Hayward was appointed to the top job at BP, he vowed to improve safety. In 2010, that promise came back to haunt him after an explosion at the Deepwater Horizon oil platform killed 11 people and caused an environmental nightmare - and cost the oil giant more than $60 billion.

A repeated theme of the many official reports into the disaster was that BP put cost savings before safety, rushing to get work done on a drilling project that was running late. It is an example of how badly projects can go wrong when risk is misunderstood.

Many companies regard risk management as a compliance and therefore rules-based issue; comply with the regulatory framework and that’s the job done. But risk is far more complicated than that; it covers the whole culture of an organisation and requires every employee to take an intelligent approach.

According to a 2016 report from consultants EY, The route to risk reduction: “Rules…address only a part of how we behave and make decisions. Behaviours and decision-making are also influenced by culture and the relationships and power structures that shape our work environment.”

Hywel Ball, head of assurance at EY
EY’s Hywel Ball: “Technology gives us the ability to join the dots on a series of data signals.”

Hywel Ball, head of assurance at EY, says one of the key themes in risk management is predictive compliance, using technology to scan for odd behaviour patterns among staff such as trigger words in communications. “For example, in West Africa, the word ‘goat’ is local slang for fraud. Or you might see a phrase out of context, or a transaction taking place at an odd time. Technology gives us the ability to join the dots on a series of data signals.”

Technology can also transform compliance, according to Raza Sadiq, chair of the Institute of Risk Management’s special interest group in enterprise risk management in banking and financial services. He says: “Companies such as IBM/Watson and Droit [a New York-based tech firm] automate global regulations within real-time trading systems, minimising legal and regulatory risk. The money spent on compliance is significant and companies could make better use of the technology.”

Critically, risk management needs to be adjusted to the unique needs of each organisation; there has to be a level of flexibility, not to mention an increase in timeliness. Sadiq says a standard risk dashboard that is updated quarterly has limited value; he suggests a monthly or even daily updating brings optimum benefits. Risk modelling only goes so far, not least because it has tended to use historical data and, as the financial services disclaimer points out, “past performance is no guarantee of the future”. But the 2008 crash proved the dangers of many traditional risk metrics in the financial sector; such measures may be useful in a “normal” market, but risk management needs to be more agile and proactive.

We should be mindful of what a model is telling us.

“We should be mindful of what a model is telling us,” says Mr Sadiq. “Models need to be developed with more realistic variability in play.”

Moreover, such models need to be understood at board level, yet explaining complex metrics to the C-suite is often not part of the skill set of the IT teams who develop risk management tools. The capacity to flex risk management also requires an ability to distinguish between different types of risk – preventable risk (such as not asking a client the correct regulatory questions before selling a product) may be tackled with training or technology, but strategic risk (such as the decision to drill for oil in the Gulf of Mexico) cannot be subject to rules.

Assessing the dangers of reputational risk is the highest level of all; the risk of a rogue employee or a cyberattack may be small but the reputational risk can be enormous. Moreover, even beyond simple risk frameworks, there are elements of risk that need to be understood; the risk of a rogue employee or a cyberattack may be small but the reputational risk can be enormous.

There are costs, yes, in reducing risk. But increasingly it can also be a selling point. John Davies, head of data and analytics at insurance brokers Marsh, is only too well aware of the new generation of risks; the company has in place carefully established procedures for handling client data that is designed to prevent any breach. He says: “We have very clear rules in place to manage that risk, which sounds quite boring on the face of it; but it’s a very compelling sales message when talking to clients.”

See the original post on The Times