Exclusive Q&A on Insurance with John Hurrell
Posted: 11th November 2016 08:28
Can you outline the current insurance and risk management landscape in your jurisdiction?
Insurance continues to be available in plentiful supply at lower rates than possibly ever before! Insurers are facing the triple whammy of seemingly endless supplies of capital creating ever more capacity, historically low and declining investment income and virtually zero growth in the economy.
At the same time, new and emerging risks are challenging insurers' ability to respond to changing buyer needs which are increasingly focused on soft assets such as IP, brand, reputation, technology capability and people assets.
Risk management is certainly moving rapidly up the boardroom agenda for most organisations due to the frequency of high profile failures which often have immediate and profound reputational implications. However, boards feel ill equipped to oversee ever more complex risk profiles which they are facing. The risk profession has a great opportunity to step up and to provide more support to their boards.
Have there been any recent regulatory changes or interesting developments?
On the insurance side, the most profound change in contract law in over 100 years comes fully into force in August 2016. This has very significant implications for how commercial insurance is placed and managed, including the ways in which risks must be presented to insurers, the remedies for innocent non-disclosure and the ways in which warranties can be applied and used to challenge claims.
This new law, the Insurance Act, will modernise contract law and create a level playing field between insurers and policyholders.
On the risk front the UK Financial Reporting Council's Corporate Governance Code on Risk and Going Concern is now having a very positive impact on risk governance and has led to the issue of guidance on corporate culture (published in July 2016) which seeks to address some of the cultural failures which have led to risk management problems over the last few years.
How frequently should an organisation renew their policies and review their strategies?
Recognising the greater level of underwriter engagement and effective due diligence now required as part of the placement process following the Insurance Act, there is an argument that policies should have a longer shelf life than one year. However, insured firms are changing their risk profiles faster than ever before due to technological and business model changes whereby even a year might be seen to be too long to pick up major risk profile changes.
The market will have to consider how to stay up to date on client risk changes within a longer term contractual relationship. For example, half yearly exception reporting within a 36 month contract.
This, of course, is putting pressure on risk functions who increasingly are seeking to embed effective risk governance into the functions and operations of their businesses. Airmic members report that they have better access to the board than ever before but embedding risk into the business is continuing to be a challenge!
What are the biggest misconceptions regarding insurance and risk management?
Insurance - the biggest misconception is that it will pay out on a major claim in the way you expect without you, as the policyholder, having undertaken detailed wordings reviews based on scenario planning with professional legal advice. Insurance policies are some of the biggest and most complex legal contracts most companies will ever enter into and should be treated accordingly!
Risk Management - is not about risk prevention! It's about taking more risk but with confidence based upon thorough analysis and assessment. Business is all about taking risk and too few businesses are pursuing growth strategies at the present time which is why most economies are flatlining. Risk professionals need to rebrand themselves to make it clear they are there to assist in the development and execution of strategy, not pure risk prevention!
What areas of risk management are most frequently neglected?
Everything to do with corporate culture. Airmic's research shows that most catastrophic risk failures can be traced back to cultural shortcomings often driven by the board. Scandals in the banking system, failures in the energy and automotive industry and many others can be traced back to a culture of putting short term commercial success ahead of the maintenance of core values based on serving the customers' best interests at all times.
What risks have the biggest financial consequence if they were to occur?
This is strongly linked to the answer to question 5. The risks which have catastrophic consequences are those which impact on the company's reputation. Often organisations could recover from lawsuits, physical damage or other major losses but for one thing - the reputational fallout.
Boards should have prepared for their careful review one version of the risk map which focuses purely on reputational risks against each of the major stakeholder groups such as shareholders, staff, customer, regulators, media, governments etc.
What are the biggest concerns in risk management regarding cyber security?
Many organisations are focused on systems security but 50% of data breaches are caused by staff failures or staff deliberate acts. So cyber security is an HR issue but HR are often not involved.
Boards recognise that there is a major risk governance issue on cyber risk and they often feel vulnerable as the technology, upon which their businesses depend, probably did not exist when they were coming up through the ranks and they do not directly understand some of these risks. The CIO may not fully appreciate the HR or business reputational issues and operations may not understand the nature of the threats and vulnerabilities of the systems.
What is needed is a fully integrated function across the business conducted without regard to structures or backgrounds. Easier said than done!
Is it fair to say companies place too much emphasis on risk management rather than risk prevention?
As discussed in question 4, the risk profession has been too typecast as 'risk prevention'. The analogy is that an effective risk function is like a great set of brakes on a car. It enables the driver to go faster!
Risk management is about taking more risk but with greater confidence. To do this, the risks must be analysed, understood, modeled and planned for. Risk managers can support corporate strategy.
John Hurrell was appointed as Chief Executive of Airmic in January 2008 following a career of almost 30 years in the Marsh and McLennan Group of Companies.
John was involved in a number of senior management roles at Marsh and, prior to his retirement from the company, was Chief Executive of Marsh’s Risk Consulting business throughout Europe and the Middle East for five years.
During his period at Airmic, he has been involved in extensive research into risk and insurance related issues which has resulted in a number of ground breaking publications from Airmic, including Roads to Ruin and Roads to Resilience.
John is a Fellow of The Chartered Insurance Institute and a Chartered Insurer.
John can be contacted on 020 7680 3088 or by email at firstname.lastname@example.org