Airmic’s annual survey shows the threats that are most important to managers in 2019. Ahead of the release of the report, StrategicRISK caught up with deputy CEO and technical director, Julia Graham, to find out how the profession needs to adapt to deal with them
Loss of reputation and/or brand value, business interruption following a cyber event and political uncertainty are the top three risks that are top of risk managers’ minds, according to survey results, seen by StrategicRISK ahead of the survey’s formal release.
Political uncertainty has risen one place this year in Airmic’s annual survey – to be published at the association’s annual conference on 3 to 5 June, in Harrogate – possibly thanks to Brexit keeping such risks at the top of the agenda.
Both reputational risk and cyber risks dominated the top two spots last year and remain firmly top of mind in 2019.
The challenges of intangible risks
Reputational risk is growing in importance – particularly from a board’s perspective, as non-tangible assets make up an ever-larger proportion of a company’s value, says Julia Graham, deputy CEO and technical director at Airmic.
Despite this, insurance products that allow organisations to transfer these risks are few and far between.
Speaking exclusively to StrategicRISK, Graham explains: “The challenge is to produce cover that is worth having at a price that is worth paying. The problem with reputation is that that it doesn’t behave in a linear way.
“If you have a reputational impact but recover incredibly, there is research out there that says a well-managed crisis can actually add to your shareholder value. So, insurers have to be very careful when underwriting this because, unlike a building, it does not behave in a tangible manner.”
Even though the challenges are difficult Graham fully expects more insurers to start offering products that help risk managers deal with threats to brand.
She says: “It’s common knowledge that intangible assets these days typically are worth a great deal more on the balance sheet than the physical assets. So, while that remains the case – and I don’t see it changing anytime soon – there will be a continued pressure on insurers to say, what can you do?
“If insurers respond to the needs of their customers and can find mechanisms to offer that cover in a way that is comfortable with their own risk management objectives then I think more will be prepared to do it.”
Digital transformation is pushes cyber up the corporate agenda
Even though the challenges of managing cyber interruption have long been top-of-mind for risk managers, digital transformation is making them even more critical, says Graham.
She explains: “The risk itself is growing! Every business in the world is affected by technology in some way, shape or form these days and as that means that how they are affected is going to increase at a speeding rate.
“It isn’t just that people are going to be hacked more, it’s actually that the exposure and the risks are greater.”
Fortunately, cyber insurance products have grown in sophistication allowing businesses more opportunities to transfer the risk.
Graham says: “For those sophisticated buyers there are some very good solutions out there now for cyber and I think people are happier with it than perhaps they used to be.”
But she cautions against companies relying on non-cyber policies to bridge the gap.
She says: “I would never advise somebody to rely on a policy that was not designed to insure cyber in the hope and anticipation that it will pay everything you would like it to pay. if you’re a sophisticated organisation your cover must be designed to suit your risks.
“It’s a very dangerous game to rely on other insurance to pay a claim because the only time you’ll test it is when you have a loss and that’s a bit late.”
Graham also strongly believes that the current attempts by the International Standards Organisation to try and create a standard for cyber insurance are misguided.
She says: “I definitely don’t agree with the standard as it is drafted, and I think it’s incredibly dangerous to try and reduce a subject like that to the level of simplicity that you think you can write a standard for it. It’s far more complex than that.”
Politics – looking beyond Brexit
Turning her attention to the third top risk – political uncertainty – Graham is keen to point out that risk managers need to be looking at far more than just Brexit.
She says: “Look at the rise of populism elsewhere in the world. We’ve had this week the debate with the Americans continuing with China and we’ve seen the effect that had on stock prices overnight which is not great. A risk between China and the United States affects all of us, so it’s not just Brexit.”
However, she does acknowledge that the continued uncertainty around Brexit is helping to keep political risks top of mind for businesses.
With that in mind, Graham strongly recommends that organisations use Brexit planning to seek new opportunities and strengthen their business models.
She says: “There’s been some very interesting cases recently of organisations that when challenged by Brexit have said, ‘OK we’re going to look at different ways of running this business. We’re going to do a few things for ourselves rather than relying on imports’ and there are companies out there that as a result have re-engineered themselves and actually ended up with a fitter business.
“Everything that pressures you can turn into a step change in improvement and many of the innovations in the world have been thrust upon people because they had to change.
“You may change because things are uncertain, or it might be because things are certain but you just don’t like what they are - but I would never make a general assumption that there are no opportunities in Brexit because I think that there are.”
New opportunities for risk managers
As political, cyber and reputational risks continue at the top of the corporate agenda, there are great opportunities for risk managers to step up to a more senior level, says Graham.
This is – in part at least – because many of the new intangible risks have severe impacts for the board and the c-suite if things go wrong.
Graham explains: “Boards are being held much more accountable for managing these issues and specifically held responsible under the FRC code for emerging risk. The responsibilities on the shoulders of the boards have increased so they are looking for people in the organisation who can offer support in the understanding of these risks.”
To achieve this, risk managers may need to learn new skills that allow them to engage with senior management in a useful manner and step up to the level of seniority required.
Graham concludes: “If you’re going to step forward and help with this as a risk professional you may need to step a little bit away from the back office towards the front office and to be able to do that then there is some additional skilling that some of our members need to have.
“You don’t suddenly take on that role – you need to learn some new tricks to do it. For instance you have to be able to understand and use data and there is a growing demand that people will not just use spreadsheets. Risk managers need got to be more informed on issues like analytics.
“At the same time, if you’re going to perform at board level then that brings in more things like communication, storytelling and having the ability to converse with the board in an appropriate way.”