The global insurance industry has been impacted heavily by COVID and extreme weather events. Insurers worldwide have had to respond and adapt to issues such as legal challenges to coverage under existing policy terms, unexpected claims across policy types such as travel, health, and business disruption, and cyber claims exacerbated by workforces becoming more distributed.
By necessity, insurers have had to invest in technology to improve digital interfaces with their customers, streamline claims processes, enable remote workforces, and address security. Unfortunately for many, digitisation of their risk and compliance program hasn’t kept pace: the capability of risk and compliance management has fallen behind the risk and compliance needs of the changed world, as highlighted in Deloitte’s recent 2022 Insurance Industry Outlook.
So what does it mean to digitise your enterprise risk management (ERM) program and what happens when we are slow to digitise? When you digitise and bring your risk and compliance management up to standard, how can you transition from your existing legacy systems?
What do we mean by digitisation?
There isn’t much data that isn’t constructed of bits and bytes. Spreadsheets, Word documents and emails are digital artifacts. Digitisation is transforming data into a consistent form by categorising it and recognising the relationships within it, allowing insights to be gleaned. It is about automating manual processes through technology and using automated workflow to ensure the process operates with minimal human intervention. The combination of insights and automation improves the speed and accuracy of decision making.
We are still surprised by the number of organisations that have large scale mature business processes and integration for their key services and products, but manage risk, compliance and related disciplines or processes through spreadsheets or point solutions that don’t talk to other systems or allow for those insights to be identified and turned into business enablers.
What are the risks associated with failure to digitise?
Spreadsheets are flexible tools for capturing risk and compliance data, yet they quickly present challenges for understanding data relationships and interdependencies, and for maintaining coherent information. There is limited version control, particularly if multiple people are required to make changes. By the same token, there is a limited audit trail of who created, edited, or authorised data, and limited ability to restore data to a previous version if required. In the case of certain documents like risk registers, there may be different versions for different business units or processes that become difficult to pull together or aggregate when needed.
Single point solutions usually address those issues, but don’t allow you to build consistent data relationships that allow for insights when looking at the bigger picture.
We’ve worked with clients whose trigger to pursue digitisation was:
- Ineffectively controlled risks that people on the front lines knew about, but were not visible to top management until an incident occurred
- Compliance obligations overlooked due to hidden rows in a spreadsheet
- Emails inadvertently overlooked for renewal of a regulatory licence which became overdue
- Duplicated data across multiple risk registers that became misaligned, resulting in over-investment in controls that were already being addressed by another team
- Consolidation of multiple single-point solutions in order to gain better insights while delivering cost savings
The results of Deloitte’s 2022 Insurance Outlook Survey also show that many respondents expect a rise in headcount in risk management personnel, while also naming it as one of the roles they expect to have difficulty recruiting for. The efficiencies gained from digitising your risk management activities can help alleviate this pressure.
Digitising Risk Management
When risks and controls are managed manually across multiple business units and processes, it can become difficult to see the big picture. Reports that reach top management may be out of date by the time they are received, and there may be limited ability to find relevant detail without manual effort and follow-up. Digitising risk management enables aggregation and categorisation to identify key areas that need improvement or attention. Once embedded, it also gives management confidence that they have the information when they need it, enabling them to make decisions with eyes wide open.
Digitising Compliance
Digitising compliance attestations and control testing can automate much of this process, allowing the compliance manager to focus on more value-adding activities. Being a partner to the business and spending time providing them insights on upcoming change (whether driven internally or by regulatory change), is much more valuable than chasing down emails.
In an industry where regulatory change is the norm, automating and integrating that change directly into your compliance system via a regulatory news feed means you won’t overlook changes that are important to your organisation.
Digitising Incident Management
Incidents are an important learning opportunity for insurers, both from a general operations perspective and in highlighting potential issues or improvements related to products or their delivery. Incidents might be well handled individually, but if they are captured in reports created in Word, it becomes challenging to identify trends and systemic issues, particularly common causes, that can help shape the future and prevent recurrence.
Digitising Third-Party Risk Management
Depending on the nature of the products offered, insurers may have a large stable of third parties that are critical to managing policies or claims. There has been an increased focus in recent years on ensuring that risks presented by third parties are managed effectively, which may include such elements as:
- Obtaining assurance on their capability to manage cyber-related security and data privacy if they have access to customer data
- Obtaining assurance on their ability to provide services in the face of disruption affecting their business
- Seeking evidence that they have any licences required to provide their services
- Obtaining assurance that they understand regulatory obligations that apply to services they are providing
Manually collating and following up on this data can become a tedious task. Single point solutions can help but may not integrate with broader enterprise risk management to provide insights not just about individual suppliers, but about the effectiveness of the third-party processes.
Bringing it all together
A standardised framework with digitisation allows for aggregation and reporting across all of the elements of a comprehensive enterprise risk management framework. This includes:
- A single source of truth, ensuring everyone is using the same data and talking the same language
- Automated workflows and escalation, improving efficiency and enabling people to act on what matters most
- A single view of risks and the effect that control assessments, compliance attestations and audit findings have on the confidence that the risk is well managed
- The ability to quickly identify and act on potential discrepancies across data sources and the ‘story’ they tell; for example, a risk rated low while having multiple control weaknesses or audit findings may warrant a challenge
- Allowing for control optimisation by aggregating their effect on multiple risks
- Tracking of early warning indicators that enable corrective action before incidents occur
- Clear accountability for risks and controls – and immediate insight when they are not being effectively managed
- Insight into risk and compliance culture
How do you transform from your legacy systems?
Data transition can be a challenge if moving from legacy data storage to cloud-based systems, but it may be possible to transform your existing data to enable immediate insights. Some rough steps to transforming the data:
Determine what you have. Catalogue the types of data that you either intend to include in the transition or will form the basis of how information will be created in the new solution. For third-party risk management, this might include initial due diligence questionnaires, policies collected from the third party, and ongoing quality assessments.
Determine how much you need. Will the historical data serve a purpose in the planned solution? If yes, what continuity of data do you need? This will be driven by the insights you expect to gain. For example, if you want to see 12 months of incident data, you may only need to consider transforming 12 months of data and archiving the rest. In short, don’t spend effort transforming data that won’t provide new insights.
Determine how it needs to be transformed. This step requires the most thought, considering the quality of the existing information and how you want to build relationships between the data moving forwards. For example, risk registers that include information about controls or treatments may require separation. It may also require the data to be in a particular format. Even if taxonomies or categorisation aren’t required as part of your solution, you may still want to consider them, as they will help you gain intelligence from aggregation and analysis.
Transform the data. Once you know how it needs to be transformed, the next step is to reformat it or separate data against the defined criteria.
Upload the data. Most solutions will allow for direct import of the data once it is in the required format.
Start your insights journey. Now that the data is transformed you can start gaining intelligence driven by your solution and optimising your processes.
The good news is that most solution providers will be able to provide guidance and assistance on these steps, covering both good practice on which types of information and data relationships enable insights, and the steps you will need to take to transform your specific data.
It’s important to treat change management as a critical part of the whole process, and the timing of the transition will need to be considered to ensure there is no disruption to processes and that there is continuity of data where required.
Is it time to digitise your enterprise risk management and bring it up to the standard expected to support the wider business in this changing world? Download our eBook on the Digitisation of Risk Management today to find out more.
If you would like to know more about how Protecht can help your business achieve sustainable compliance and risk operations, request a demo of our Protecht.ERM system now.