Increasing uncertainty, complexity around cyber, and best practice in risk cultivation within an organisation were the key topics of debate during a roundtable held by StrategicRISK and CNA Hardy
Discussion centred around the findings of CNA Hardy’s latest risk and confidence survey – ‘taking the pulse of British business’ in the Autumn of 2017.
One of the key findings of the survey was that business confidence levels had plummeted to only 28%, from 71% when the survey was carried out in the Spring of 2017. Participants of the roundtable were quick to point to political and economic factors driving business uncertainty and therefore a dip in confidence levels.
“It’s clear the confidence base of UK-based multinationals has dipped, considerably, but we are encouraged by the fact they are still planning on top-line growth into 2018,” observed CNA Hardy’s chief underwriting officer, Patrick Gage.
“In spring of 2017, 71% of the base of customers were confident about delivering a more optimistic outlook for the future. That’s dipped now to 28%. So that’s very interesting. What’s dominating this is what we call ‘headline grabbing issues’ around political and economic risk. Since that original survey, we’ve had the difficulty in Brexit negotiations for the UK, and also the UK general election that provided a very inconclusive outcome. What does business hate? Uncertainty. This has definitely driven the way they’re thinking over the next 6-12 months,” said Gage.
One risk manager participating in the discussion said: “With Brexit continually trundling along, there doesn’t seem to be any confidence in where we are going with this and it makes the board uneasy. How can businesses plan properly for the next three or five-year timelines when they’re not sure what’s happening in 18 months? They don’t know what they can control, where they can spend money or what to focus on. For those managing the risk, it’s hard.”
Certain about uncertainty
“As we sit here in the UK in the fourth quarter of 2017, the only certainty seems to be the uncertainty of Brexit, and that it’s going to be an extended period of uncertainty,” said Paul Jack, partner, Lockton. “Nobody planning for six months or even ten years likes uncertainty.”
So, is this the new norm? The risk managers who participated in the discussion both agreed uncertainty was going to have to be something they had to become more comfortable with when carrying out risk assessments and scenario testing.
“You are continuously on your toes,” said one risk manager. “What you could take for granted two to three years ago, you no longer can, so we’re doing multiple scenario planning because we don’t know where we’ll be. In fact, if anything, we are looking at overseas markets increasingly for stability.”
Despite confidence levels dropping, CNA Hardy’s Autumn 2017 confidence survey did show that business leaders are still pressing ahead with 62% actively hiring, 52% are investing in R&D and 51% are prioritising topline growth. In addition to this, driving growth in overseas markets is on the business agenda for the UK multinationals that were surveyed, with a focus on Europe and Asia over the next six months.
With the focus still on overseas markets, participants around the table were quick to identify the importance of risk partnerships between business and the insurance industry to better realise the growth potential from overseas markets.
“The partners who can work with clients to see them work through and identify risks within emerging markets will be winners at the end of the day,” said Ailsa King, chief client officer at Marsh. I think some of us maybe have our eye off the ball and we’re not focusing on those emerging markets our clients are looking at. And they need partners to help them through the risks in those emerging markets,” she said.
Focus point: Cyber
In the survey, almost half of UK business leaders predict cyber will be their top concern by spring 2018. Cyber risk was predicted by 48% of respondents to be their top concern by spring 2018, expecting the threat of malware, viruses, hacks or data theft will increase.
Another 39% identified technology risk, such as failure of systems and processes to keep them competitive, as their top concern by Spring next year.
But participants of the roundtable agreed that cyber risk does not have a one-size fits all definition and as a result, it is “incredibly difficult to get your arms around it”, said one risk manager and “incredibly hard to buy the right protection”.
“One of the challenges with cyber is we always look to the past,” said Dave Brosnan, chief executive officer of CNA Hardy. “This is what happened in the past, so how will it impact me again if it happens. But we don’t know where cyber will take us. It’s a new and evolving risk. So, a year from now we may be talking about something completely different,” he added.
One of the risk managers at the table said: “And I think that as risk professionals, this is the situation we’re currently in. We’ve got Brexit, and nobody knows what’s going on with that. We’ve got cyber, and nobody really knows what’s going on with that either. So, it’s taking a lot of air time at board level as we try to discuss and predict and try to get common sense scenarios. But what is common sense, because a few years ago none of us would have predicted we would be in this place.”
While discussing some hacking scenarios, including scenarios faced by our risk managers at the table, it became clear there is a real issue around the ability to collate information to better inform the risk manager of the risks surrounding cyber. This is in part down to companies insisting on tighter controls on information sharing from country to country, said one risk manager, and the other issue is around accountability – who looks after cyber in a business?
“When this question of cyber came up a couple of years ago, we went to IT and said, ‘Are you responsible?’ And they said no,” explained one risk manager at the table. “We went to a number of departments, and we couldn’t find who was responsible. So, from the insurance side, the cover is packaged as cyber, but I’m looking for the head of cyber and it doesn’t exist. The risk resides in about 20 different departments. So, as a risk manager, we look for risk, and for many of these things, we can’t find it. There’s no point in buying insurance if you don’t understand what risk you have in the first place.”
Education will play a really important role when it comes to better understanding the possible exposures linked to cyber, which in turn will improve the products related to the risk and additional aggregation, the participants agreed.
“I’m perceiving a change in how people look at cyber,” said Marsh’s King. “A few years ago, there was a huge desire to buy cyber protection, but I think that’s changing as companies are more focused on finding out more about how to manage this risk internally which means as an industry, we need to do more to help with the scenario planning, the testing, and the analysis.
King added: “I think now the requirement is for a risk-first bespoke solution, and then, if possible, look to mitigate. But as we’ve identified, it’s not that simple, because as we’ve already explored, there’s different types of cyber coverage. We need to be able to answer whether we are protecting our consumer, or is it interruption to the business, or the complexity of the supply chain”
CNA Hardy’s Gage continued: “It’s a great topic as it really does show how insurance and risk sit hand-in-hand. My view of the insurance market is we’re great at building products we’re comfortable with but not so great at anticipating products our customers need. The technology is very different now.
“What the insurance industry does is bolt on different bits of coverage and you end up with everybody feeling dissatisfied. The client doesn’t get the coverage they needed or thought they had, the insurer pays a claim they didn’t think they would have to pay, and everyone falls out. So, when it comes to building product and service, we need to understand much better about what we need to deliver. It’s about the consultancy function, working with our brokers and understanding best practice based on our industry knowledge,” said Gage.
What this part of the discussion demonstrated, above all else, is that there is no organisation or industry immune to this type or risk – whether it is a third or first party risk, or indeed and more likely, both.
“It’s on your horizon,” said Lockton’s Jack. “The scale of potential scenarios is endless and as an industry, we need to get much better at having open discussions around this and sharing the knowledge required to build better and more relevant products.”
Caught up in a short-term conversation?
Although the challenges surrounding Brexit and other political and economic factors across the UK and Europe should be high up on the agenda, another risk manager warned businesses could be at risk of missing out on opportunities.
“We risk having a problem because people are concentrating so much on one thing that they’re missing everything else. One of the things I’m concerned about is that the UK is looking at Brexit, and the whole world is moving on in a certain direction,” said the risk manager. “My take on confidence is give the best advice you can to the board. I can only advise them, then they have to make the best decision. But my advice is to look for the opportunities out there, even in the next six months. Even though we are living and working in uncertain times, there are still opportunities out there and we should be taking them, otherwise we’ll be too late, and we will have missed them.”