Megrow Podcast: Episode 3

Episode 3 of the Megrow Podcast is live ! It focuses on the tangible benefits that good ERM brings to a company. If you like to listen to the video podcast, click the embedded link below. However, if you like to read the (almost) verbatim script, just scroll down and enjoy.

The Script of Episode 3

Megrow Podcast Episode 3 picks-up the topic trail where episode two ended. Back in episode 2, I scratched on the importance of making ERM a tangible benefit to any business. In this episode I will elaborate substantially more on this topic and most importantly share some examples to illustrate my point.

the evolution of the benefit slides

I start with a slide that is a core part of Megrow’s marketing materials since almost day 1 of the company. When I show this slide to colleagues and clients, the reactions are always very positive.

all stakeholders benefit from good enterprise risk management

Everybody seems to see the message of “benefits to business” right away. Naturally, some people tell me that the looks of the slide is borderline childish and inappropriate for business. However, the many spontaneous, “eyes wide-open” positive reactions I got and keep getting from different audiences convince me that it is a good slide. Hence, it keeps its important spot in many of my presentations.


Having said that, as I keep acquiring and completing more mandates, I felt the need to give the slide a good second look and decided to overhaul it: more focus and a slightly more polished look. So, here is the new version of the slide:

Good ERM improves results!

The diverse, colorful head image is the best representation of the variety of stakeholders that benefit from good ERM. For the updated version, I reduced the number of “benefits boxes”. Furthermore, I significantly enlarged the “improved results”. The “improved results” text box now sits right below the image – simply to give it the importance it deserves!

On to the real topic now: I will focus on a few, very tangible benefits of good Enterprise Risk Management.

ERM and Credit Rating

I start with the lever that Enterprise Risk Management has on credit rating.

Credit rating is the combination of balance sheet strength analysis and a number of adjustment factors; ERM being a crucial adjustment factor to derive a final credit rating. I refer to AM Bests’ credit rating approach, because I’m most familiar with their method. Having said that, all credit rating agencies use similar ways to go about it.

AM Best increase their assessment by one “notch” for a leading ERM-approach and, most importantly, lower their rating by up to 4 “notches” for an nonexistent ERM-approach. 

”Minus four notches” – that is very very significant. In other words, it pays off greatly to be at the “good practice level” for ERM. At the other end of the scale it is devastating to have a sub-standard ERM-output.

Higher credit rating means access to additional business, hence higher profits. Furthermore, a higher credit rating also lowers financing cost for a company. In reverse, a lowered credit rating closes some doors to business and makes access to some forms of capital more expensive. Hence, good ERM translates 1:1 to improved profit.

ERM Eases Communication

I’m very grateful to the CEO of a customer who “lifted” me onto the second “benefit” I highlight in this paragraph.

During a past mandate, the senior management team of the customer and I spent a lot of time compiling a good “risk appetite statement”. We managed to find a very sensible balance between some quantitative and a few, selective qualitative statements. In other words, we managed to define a tangible, yet flexible enough risk-appetite description. This enables the company to evaluate the up- and downside risks of some major strategic endeavors against its own perception of risk. I was very happy with that outcome.

The icing on the cake: what the CEO shared with me after the company’s next board meeting. According to the CEO, the revised risk appetite statement made the communication with the board so much more tangible, faster, efficient and easier. The bottom line: a significantly more efficient board of directors meeting!

ERM and Cyber

The risk landscape is continuously evolving; most risks are more interconnected and more challenging to mitigate than ever before. The entire realm of Cyber risk is a prime example. Exposures are interlinked, severity and frequency sometimes difficult to estimate and a plethora of mitigation efforts are deployed. ERM with its company-wide, consistent approach to identify and mitigate risk, is the best tool to “up” the defense for a company. It also is best suited to help a company finding additional business opportunities in the Cyber realm.

Thank you for reading through the transcript of the Megrow Podcast Episode 3. More episodes are in the making already. Megrow is here to make your ERM-journey fast and efficient. Contact details are at the bottom of the page.



CyberRisk: To Insure or To Ensure ?

CyberRisk: To Insure or To Ensure
security increasingly takes center stage in the golden age of the internet

Dr. Dennis Bessant, Specialist Advisor to Megrow, wrote this article in June 2019.

the golden age of the internet

Robert K Merton, an American sociologist, popularised the “the law of unintended consequences” in the 20th century; it says that actions always have effects that are unanticipated or not intended. What has a visionary social scientist got to do with the technical challenges of CyberRisk that besiege enterprises of the 21st century? 
Well, the golden dawn of the internet, the exponential surge of technological change and their benefits have also led to unintended attack by CyberRisks. The days of a simple malfunction of computer hardware or data damage which need a quick IT fix are gone. A new vocabulary emerges: malware, LockerGoga ransomware, state sponsored cyberattacks, NotPetya and so on! 

to insure – is NOT good enough

When significant new risks emerge there is rush to seek insurance solutions to transfer the exposure. But Insurance alone is not Enough! Let’s look closer at what is actually happening in global markets today. 

The impact of technology through cyber has overtaken conventional insurance all risk (or accidental) contract language. The burden of proof lies with Insurers when such CyberRisk claims occur. Based on recently widely reported controversial landmark disputes, these claims are being denied using the conventional war Exclusion in an attempt to understand the nature of their manifestation. There is a lack of contract certainty for cyber claims as insurers attempt to define the right language for these novel and until recently unexpected events. 

Markets are struggling to find a sound foothold for the language to use in insurance contracts. Reinsurers and their retrocessionaires are also having to come to terms with potential aggregation issues and varying contract language. All this creates an air of uncertainty for enterprises facing such complex risks. Of course there is a desire by the insurance markets to respond given the vast potential premium pool globally. But the first port of call for any enterprise….governmental or corporate….is to do the basics themselves with specialist help rather than seek quick fix risk transfer solutions only to find they are exposing their organisations to tens of millions of dollars in potentially unsettled claims.

In Insurance we trust?

Interestingly, research done by the Mactavish group, published here, reveals that a around of third of respondents do NOT think that insurance is the desired solution to their Cyber exposures! Why is that so? Read on…

it is in the contract

Fortunately, attempts to improve the governance of contracts is underway. For example, Mactavish, a well respected adviser in this field in the relatively sophisticated UK market, has suggested the insurance industry eliminate eight ‘flaws’. These ‘flaws’ are prominent in off-the-shelf cyber policies and hence, insurers use them often to deny claims. Insurance is for the unforeseeable. These days, computer and equipment systems, controls, hardware and software are essential components of virtually any enterprise. Critically, the systems intricately link with their human endeavour. Furthermore, their protection is a cost of doing business to Ensure they stay in business. A known and foreseeable necessity is therefore their oversight, governance and control by each enterprise depending on the level of exposure foreseen. 

We need to look the original question of “CyberRisk: To Insure or To Ensure” also from the ensure perspective.

to ensure is better

So what can enterprises do to Ensure CyberRisk is mitigated or reduced without sole dependency to Insure. Find out Tips from the largest global commercial property insurer (FM Global, see below) on where to start and what to do. Think outside the box.

the human factor

Crucially, seventy to eighty percent of cyber deficiencies are human factor related. In other words, the person behind the machine is the weakest link! Awareness and training are vital to reduce risk. Stress testing to ensure business/service continuity and protect customer data is critical. Controls of security, data management, infrastructure oversight and protection will reap huge dividends to Ensure enterprise resilience whilst the insurance industry attempts to wrestle with the complexities of what to Insure in this complex field. The challenge will continue to grow exponentially as local, national, regional and global accumulations and aggregations stack up exacerbated by yet more AI, automation and smart machines! Ensure your enterprise is built to last.

CyberRisk: To Insure or To Ensure

In conclusion, ensurance – in the form of good Cyber hygiene – is a critical component in managing the ever-evolving CyberRisk landscape. In addition, the insurance industry faces significant challenges and opportunities to position itself as a key risk mitigant in the “CyberRisk: To Insure or To Ensure” realm.

references

  • Commercial Risk Europe: Merck Pharma in dispute with insurers over the 2017 NotPetya attack
  • Financial Times: Mondelez sues Zurich in $100mill test for cyber hack insurance; 1,700 servers and 24,000 laptops ‘permanently dysfunctional’
  • The Times UK: Companies at risk as Hiscox rules out DLA Piper’s cyberattack claim
  • Mactavish: Cyber Risk & Insurance Report, November 2018
  • FM Global Insights & Impacts (2018): Cyber Risk: The Answers to Five Big Questions; 5 Questions Every Risk Manager Should Ask; Threats to Physical Security Industrial Controls.”
  • images are used under creative commons license

the author

Dr. Dennis Bessant is Specialist Adviser to Megrow. Find out more about him and read some of his recent publications.



The Superhuman CRO

I wrote about the “ideal” CRO Superhuman almost a year ago in a blogpost. Interestingly, this topic remains an evergreen. During almost all conversations about ERM sooner or later the question about the CRO’s ideal skill set come up.

the decathlete

In my earlier blog, I used the “decathlete” analogy quite frequently. Whilst this analogy is tangible, it probably isn’t the best explanation in a business context. Hence, I came up with a different, more business-relevant description. A good CRO has a “thorough understanding of the entire value chain” of the respective industry.

What does that mean? Taking the insurance industry as an example, a CRO must understand how risk management and capital provision interlude along the value chain. If we imagine the value chain as a line, then insured and capital provider sit at either end. In business reality, the risk and the capital pass through many hands and undergo multiple transformations. Each component of the value chain has its idiosyncrasies, uncertainties, upside and downside risk embedded in it. Hence, the understanding of the interlude and which ‘change’ triggers which reaction is the key.

In other words, the CRO’s ensures that the organisation

  • understands both external and internal drivers that influence the value chain
  • recognises, quantifies and mitigates downside risks and opportunities associated with these drivers in a consistent manner
who then?

(1) Any professional who has developed a thorough understanding of the entire value chain is a good candidate. Naturally, qualified actuaries and CIIs (or equivalents) with leadership experience are very well suited.

(2) a strong trait of constructive curiosity, excellent communication and influencing skills in all dimension of an organisations current set-up.

(3) a mind-set and corresponding actions to position good ERM as a strategic tool that supports all stakeholders.

Over the past years, I’ve had the opportunity to support clients who asked themselves the “superhuman” question. Together we found a matching answer every time!

you can reach me at reto.brosi@megrow.asia



The Megrow Podcast is LIVE!!!

Episodes Released

I’m very pleased to announce the release of Episode 1 and Episode 2 of the Megrow Podcast.

The Podcast is hosted on Megrow’s YouTube channel. I aptly named it the “Asia Risk and Opportunity Podcast” or “AROC” for short.

Episode one is a general, introductory episode explaining the why / what / how:

Episode 1 of the AROC Podcast – hosted by Megrow


Episode two dives right into the core matter of Enterprise Risk Management: what are the benefits to business?. I use CyberRisk as an example to demonstrate the tangible outcomes of good Enterprise Risk Management. “Tangible” in this context clearly refers to dollars and cents.

Episode 2 of the AROC podcast hosted by Megrow
why?

I’ve been thinking for quite some time about which channels are best suited to share my thoughts about ERM. Obviously, this blog is my first choice, followed by LinkedIn and then Twitter. These three avenues all have their benefits and particularities. But I always felt something was missing. After quite some pondering, I decided to try a Podcast to complement my current channels.

looking for contributors

This podcast is fully open to anybody who is looking for a channel to share ideas and views about risks and opportunities. However, I have two border conditions: first, the message must be of practical value and secondly, a distinctive focus on matters in and across Asia is sought. Ironically, I broke my second rule with Episode 2 already, so next time I need to do better.

the future

I’m planning to release a few episodes over the course of 2019. However, neither do I want to stress nor limit myself by an overly specific target. If I find sufficient speakers, I might release an episode every 2 weeks, otherwise there will be just a handful in 2019.

The beauty of this podcast lies in its flexibility with regards to length and looks. It can be a 60 seconds video or a 30 minutes conversation – and anything in between.

Hence, if you are passionate about a risk-relevant topic with a distinctive Asia-relevant touch to it: please please stand-up and get in touch with me. Recording and editing isn’t a big anymore. Let us have a chat soon!



ERM – More on the Benefits

constant dripping wears away the stone

I’m constantly praising the tangible business benefits of good ERM. A number of blogposts here and on other social media are testimony to this. Until a few month ago, I felt like the proverbial “lonely prophet”. A lot of ERM-related publications had a distinctive retro- / crisis-touch to it and nobody appeared to pay much attention to the strategic aspects of it.

finally

Then things changed. First, COSO issued a compendium of “real business cases” in 2018, which was great. However, I was rather disappointed that this compendium required extra subscription, instead of providing it together with the release of the revised framework.

And now, academia is following suit. The NC State Poole College of Management released a study titled “The Value Proposition for ERM: From Intangible to Tangible”. When I spotted to article, I was elated to see the increased focus on the tangible benefits of ERM! Finally, I’m no longer the sole preacher in the desert.

the study

The document is available here. They provide an executive summary, which really is a summary. Secondly, it is well written and concise. And most importantly, they cite a number of tangible, real life cases.

Two points stand out from that work:

  1. the link between ERM and strategy. ERM is a forward-looking tool.
  2. the identification of emerging risks and converting them into opportunities (vs only looking at the downside).

btw: the NC state university website is valuable resource for ERM matters in general. Suggest you head over and spend some time there.


COSO ERM Framework – One Year After the Update

The COSO ERM framework update

COSO released a significant update of its well-known ERM-framework in late 2017. An executive summary is accessible on their website.  The ERM community, especially the “COSO-istas” most eagerly awaited the update. Additionally, the wider stakeholder community was excited to see how the new framework will benefit businesses.  I’m a fan of COSO because their approach is forward looking and tries to integrate strategy and performance with Enterprise Risk Management.

So far so good.

who is the target?

Once I started reading the executive summary, a few questions came to my mind. First, who is the target audience? Second, how many ERM-sceptics can this update convince? And lastly, where are the increased, practical benefits of this version versus its predecessors? I’ve shared some of my supportive and critical views about the new framework in a few blogposts.

gnōthi seauton

Lo and behold, pwc, one of the key contributors to the revision, published a blog reflecting on the “so what” question one year after the update. I really like the open and candid views in that blogpost. Hurdles, miss-conceptions, prejudices, resistance to change… not surprisingly, it’s all there. My advice: “NEVER EVER GIVE UP”.  Having said that, it is no surprise to me that “take up” of the new framework probably isn’t where the authors envisaged it.

and now?

Talking to practitioners and clients across Asia, I noticed that the new framework needs significantly more marketing. It appears not to be known (almost) at all. Out of the many people I spoke to, only ONE (yes 1) appears to have read the new framework.

I have a few suggestions

  1. The effort to summarise the entire approach into a picture is a great endeavour. However, this double-triple helix (*) needs to be simplified and made more tangible. Only then, business leaders will buy into it. In plain simple English: the current depiction is too complicated.

    COSO ERM framework update
    the COSO ERM double triple helix
  2. Nothing beats tangible, $$$-denominated examples. Concepts and frameworks are great, but ultimately businesses will only buy into it, once they see tangible top and bottom line benefits. Preferably, these benefits are palpable within the coming quarter or two.  Dear reader: I “hear” you screaming that ERM is a long-term strategic undertaking,,,, but after all,,,,, sales and results drive a business.
  3. I’m also cognisant that a special compendium with “real life” cases has been released. However, why do we need to buy and read even another document to convince us that the first document (the framework) is a good thing? Somehow counter-intuitive..
megrow

Whenever I speak or write about ERM, I make a point to emphasise the tangible benefits of good ERM for the business. The benefits come in various shapes and forms:

  1. better understanding of new risks can be transformed into new business
  2. better ERM contributes to positive credit rating evaluation, which will lower capital costs and open doors to new business as well
  3. properly managed Cyber exposures protect the downside and can lead to new business opportunities, too
  4. good ERM will lower compliance costKeen to know more? Contact Megrow via the “buttons” at the bottom of the site and stay tuned for new blogs on www.megrow.asia

    (*) the picture is used with permission from COSO as stated on their website.


Will the next crisis be the same as the last?

Dennis Bessant, Specialist Advisor to Megrow, has written a very insightful and thought-provoking article. It is  a commentary on the attitudinal  state of the industry and offers controversial thoughts for change.

Asia Insurance Review just published the article in its SIRC 2018 supplement.

You can access the article on Asia Insurance Review’s website or download it from our website: Dr. Bessant in AIR Resilience and Loss Prevention.

Dr. Dennis Bessant

Dennis is Specialist Advisor to Megrow. You can read much more about him and hist more recent publications here.



ERM – The Benefits

ERM done – so what

I’ve shared some technical and practical considerations about ERM in a few previous blogposts. This episode addresses the most important topic: “ERM done – so what”. Whenever I talk about Enterprise Risk Management, I emphasize on its tangible benefits. ERM is about managing downside and creating opportunity.

The picture below displays a wide, although not complete, stakeholder landscape and the tangible benefits of good ERM. The regulatory, governance and credit rating agency related values are clear. Furthermore, an optimal alignment of risk appetite and capital possibly supports increased risk taking. So far, all so good.

good ERM - happy stakeholders
all stakeholders profit from good ERM

cyber

IMHO Cyber Risk is one of the best cases in point to illustrate practical benefits of ERM; two aspects:

  1. Firstly, the defensive angle: companies must prepare to deal with Cyber attacks as an “entirety”, silos don’t work. This is relatively new category of risk(s), hence it requires some subject matter expertise and a very diligent look “across” the entire organization. Megrow has done Cyber risk mapping with clients (and for its own good – just to state the obvious). I will not dwell on that here. However, if you are interested in good Cyber-webinars, I highly recommend FireEye.com – excellent!
  2. Secondly, the opportunity angle. Let’s assume an insurer covers small and medium sized enterprises. Very many of these clients could and should do more to identify and manage Cyber risks. Buying Cyber insurance is only one mitigating factor. How can the insurer provide additional value and services for this type of risk? The principles of Cyber Risk management are rather universal. In other words, if an insurer has a good grip on its own Cyber risk landscape, this knowledge can become part of its service offering to insureds. This works exactly the same way as traditional loss prevention services that insurers offer their customers. Any sales person of that insurance company will be more than pleased to have an additional service ace in his/her sleeve!

 

In other words, we killed two birds with one ERM-stone. Thorough ERM helps this insurer manage potential downside risk of Cyber and enhances the company’s value proposition to its customers. It doesn’t get much better than this!


Megrow Consulting Heads into Year 4!

Happy Birthday Megrow

Megrow Consulting has turned three. A big “thank you” to all the clients, business partners, advisors and supporters for another fruitful year! Time really flies. Sometimes it is hard to believe that Megrow now is in its forth year of operation.

a brief glance back

Clients understandably ask for references prior to engaging Megrow’s services.  Confidentiality is key, hence I cannot share details of prior and current engagements. However,  I did a bit of data mining to get a view over the services Megrow provided over the past 3+ years.

ERM, Underwriting and Strategy work make up for app 70% of Megrow’s services over the past three years.

The remaining 30% comprise of other work such as coaching, training, providing second opinion on matters and similar type of work. Clients comprise local, regional and global players in Asia and the European Union.

ERM-, strategy- and underwriting consulting are the main activities of Megrow consulting
Megrow Consulting developed a balanced portfolio of mandates over the past 3+ years

a sneak peak into the future

Risk and the management thereof is a growing business. Opportunities for Megrow to deploy its distinct value proposition to clients will continue to emerge. Stay tuned for updates on this blog. In the meantime, you could read some of my more technical articles about ERM here.


 

ERM in Hong Kong – A Practical View

part two

In an earlier blogpost I wrote about setting risk appetite for insurance companies under the evolving Hong Kong ERM framework. My focus is on firms that develop their own ERM-framework.

In this blogpost, I “continue” the journey to building an ERM-framework and ponder about risk mapping. Whilst occasionally making reference to Hong Kong,  most of the scribble is applicable to every insurer who wants to take its nascent ERM-framework to a next level.

I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey. And most importantly, I keep advertising ERM as a strategic tool to support your business and not to paralyze it.

risk mapping

I like doing risk mapping! However, there is a significant risk (hahaha pun intended…) of getting lost along the journey when engaging an entire company in a comprehensive risk mapping exercise.

Plenty of competent bodies, such as COSO, describe risk mapping at great length and detail, hence I will not dwell on the methodology here. Instead, I share a number of practical aspects, pitfalls, successes and other considerations here.

When I lead or coach risk mapping work, I prefer to do it in small groups and over several iterations. Depending on the circumstances, some initial “ice breaking” might be needed. Generally speaking though, insurance practitioners LOVE to talk about risk, so there is little to worry about. That is good news! Having said that, there are a few points to bear in mind.

watch-out

Firstly, we need to ensure that the involved teams cover risks across ALL major business activities. In my experience, operational risk often tends to rank highest in terms of risk “count”. Your risk officer or an experienced third party will need to moderate the mapping efforts to bring balance to the risk universe of your company. Secondly, we also need to ensure that the thinking is current and prospective, looking into the back mirror is important, but only looking backward will not get us very far. Thirdly, quantification efforts need to consistent across the entire risk catalogue, otherwise we compare the proverbial apples with oranges.

prioritise

Last but not least, probably the hardest step on the mapping journey is prioritization of risks. One “must have item” is a list containing the few, all important strategic and key operational risks. Senior management and the directors will give all their TLC to that all-important set of risks. Yes, every risk is important, but depending on expected frequency and impact, it is handled at the appropriate level of the company! No CEO or board risk committee member wants to look at a risk register with 5000 entries, trust me on this one!

local and global perspective

Good risk mapping focuses on what matter most for the current and prospective market environment. Hence, a focus on Hong Kong (in our example) certainly makes sense. However, other risks, such as “Cyber” are prime examples where good risk mapping must take a bigger picture, global view. Quantification and mitigation of risks that are outside well-known “home turf” are a challenge. The good news is: there are ways and means to deal with that.

and then?

Senior management and the directors will sign off the risk map. Subsequently, the register enters its next phase. The risk officer will need to maintain it! After all, good risk management is all about mitigation of existing risks and detecting new risks (and opportunities). An important caveat, enlarging the risk register four times a year by adding new considerations isn’t best practice. Ideally, some risks should disappear from the list over time, otherwise the list will get bloated to an extend that nobody can distinguish the chaff from the wheat any longer.

Stay tuned for more blogposts about ERM in Hong Kong here @megrow.asia !