Innovation risk brings attention back to the Risk Manager

“Companies will always face risks, the key is not to avoid them, but rather to be aware of them,” said Alessandro De Felice, president of Anra, the risk managers association. In this interview: the new professional frontiers of blockchain, smart contracts and cyber security.

24 Sep 2018

Not just cybersecurity. Companies today face many risks: “From corporate social responsibility to sustainability, from reputation to social change. Risks that need to be addressed by combining new and different skills.” Alessandro De Felice is sure of this: “Risks for companies are to be expected at all times, the key is not avoiding, but rather being aware of them,” said the President of Anra, the national association of Risk Managers and Company Insurance Managers.

Reconfirmed in March, De Felice regards the future as bright. He is confident that risks can also create opportunities for companies, including the insurance industry. “Just follow the principle that a company where no risks are taken, or where too many risks are, is not fair,” he said. Here are the functions that, according to him, Risk Managers now undertake, and the outlook for the insurance industry.

Mr. De Felice, let’s start with organizational models: what is the role of the Risk Manager within the company?

Well, it is influenced by the size and organizational model of the company: in large listed companies there is a governance and risk compliance system which centralises policies in terms of transparency, company management with regard to authorization of organizational procedures and risk analysis by the Board of Directors. In such cases, the risk manager has a direct contact with the Board of Directors or with a special committee within the Board, the so-called Risk Control Committee. From an organizational point of view, therefore, the risk manager can be a person in the CEO staff, or, in other cases, a person in the administration, finance and control area or in the legal department of the Group. Smaller and unlisted companies, on the other hand, have a risk management section usually in the administration, finance and control and legal departments, although in the operations department as well: the inclusion of this role in the different departments depends on the company’s core business, on its organization and functions. Furthermore, there are companies where professionals engaged in certain tasks hold the role of Risk Manager as well. The trend of recent years, however, is the steady growth of the risk manager as a consultant: there are small companies that, due to their size, cannot justify an internal officer engaged in risk management, entrusting this role in outsourcing to third-party professionals.

How does the risk manager deal with innovation throughout the company?

The risk manager relates to all the functions within the company: its role is precisely that of being a cross-party to all areas of the company in order to identify the risk dynamics to be assessed, quantified and managed. Its role in innovation is even more delicate given the risks involved in it, which cannot be assessed on the basis of the historical nature of the situation. It is up to the Risk Manager to verify that an innovative product is designed according to the so-called risk-based thinking principle set out in ISO 9001:2015.

New things also bring new risks for companies. First and foremost, cybersecurity. What other new risks are dormant?

Cybersecurity is the most popular risk as it is rebounded in the press and also ends up in “trendy” newspapers. A positive aspect, of course, since it raises the spotlight on new risks, and their evaluation as well. Cyber, however, cannot be considered as a risk per se or as a matter of IT or IT security only, it is a concept that must be addressed as part of a risk culture. It implies evaluating people’s behaviors and opinions, always the main cause of weakness in a system. Among the other new risks that a company must assess today, first and foremost there is a risk linked to the sustainability of companies due to climate change and the impact of the company itself on the environment; there is a corporate social responsibility that the company must assess in order to avoid specific risks. Not to mention social changes: we live in a world with dynamics and speed of change never seen before that can dramatically modify consumer habits and behaviors, suddenly making a company’s business model or product no longer worthwhile on the market, and this is a strategic risk that companies must worry about. Finally, there are reputation risks: fake news and mass influencing events move along social networks enabling the destruction of a brand or company reputation like wildfire.

Cybersecurity, however, can also be an opportunity for companies offering targeted services in this industry. How about it?

The insurance market today offers solutions for cybersecurity. There is, however, a training problem: often both insurance company subscribers and brokers are not trained on the subject, have neither technical knowledge nor the ability to integrate the topic into a system of governance & compliance and risk awareness as well. This is a flaw since cyber, as already mentioned, cannot be addressed as a stand-alone topic. The result is that products on the market are very often not tailored particularly to the needs of companies. However, there are peaks of excellence and here we can talk about cybersecurity opportunities for companies: both a handful of insurance carriers and brokers have professionals specialised in this topic offering a tailored service on risk analysis, defense measures and recovery plans and, only then, insurance offers as well. In an integrated way: this adds value and should be the direction a company should go in.

We therefore need specific skills on the subject. Specifically, what skills are required?

More than individual skills, what is really important is to integrate the different skills: some insurance carriers and brokers have already been integrating their functions, joining IoT security specialists with business continuity managers to offer a comprehensive service. This proposal is also being made by non-standard brokers, such as cybersecurity companies offering insurance cover. This is the best solution.

With regard to the application of blockchains in insurance, however, which advantages and which risks?

The blockchain will have a positive impact on all aspects of the administrative backoffice. Just think of a system where the certification of a piece of data or a transaction does not require a third-party certification authority since the same system certifies with its data unchangeability. Interesting things have been experienced in insurance: for example, in the retail area, there is the implementation of smart contracts, in particular on travel policies, where the system is able to connect airline websites with airports, certify that a piece of luggage has been lost and automatically arrange insurance compensation without any intervention from either the policyholder or the insurance carrier. Such insurances are being considered for the entire domotics industry, for example for domestic damage, on guarantees for consumer products, electronics (washing machines, chillers, etc.): in such cases the connection between smart contract, IoT, sensor and blockchain works since the mechanism is recurring, for example if the refrigerator breaks, assistance is called and covered by insurance.

Throughout the industrial sector, these new tools are applied to cover the entire logistics chain and transport insurance: let’s look, for example, at goods that do not reach their final recipients or are damaged. Some large companies are considering blockchains and smart contracts to manage tracking on international programs in several countries.

Risks? Only one: still today we have not fully understood the potential of these tools.

So smart contracts are to be feared as we don’t really know them?

Smart contracts are the classic example of innovation and risks thereof: when a contract is executed electronically and no human intervention is required, it is important that the underlying algorithm has been determined in a security by design manner, or rather that it has been designed so as to ensure it can be deactivated whenever it is needed and reverted to the manual procedure. This innovation is one of which we do not really know all the potential critical elements. Therefore, it’s worth saying: cheers to smart contracts, but with care and always having a plan B and an exit plan should it not work. Moreover, smart contracts and blockchains raise a problem of legal loopholes: no legislation worldwide is designed for this purpose, there may be no legal reference to refer to in case of an e-contract tort. The introduction of electronic civil and criminal liability is even under discussion. The “e-legal person”, therefore, is the new frontier.
