addition to evaluating the company’s
own controls around cyber and emerging cyber risk, the task force helps the
business identify opportunity.
“As cyber risk changes, we look at how
that affects what we’re writing,” Dunbar
says. “For instance, what does the growing
Internet of Things mean to a company
like ours? What is our internal exposure,
what is our exposure across the various
lines of business that we write, and are
there any changes to policies or products
that we can make as a result?”
A top priority the company identified
for 2016 was addressing the cyber risk of
third-party administrators (TPAs) and
managing general agents (MGAs). “We
have gradually shifted over time from a
more introspective approach to looking
at cyber risk more broadly,” Dunbar says.
“With the merger of the two companies,
we also realized that we now have a lot
more third parties partnering with us
than we had before. We are looking more
deeply at how we manage them, because
they are managing data for us.”
As a result of that risk identification,
XL Catlin put in place a new risk assessment
process for any new MGA or TPA.
“Internally, we follow ISO standards, which
is a good way to tell our customers about
our level of cybersecurity. We realize that
small companies may not be totally
ISO-compliant around data security, but
we need to measure them against that
standard and demand the same level of
security around data as if we managed that
data ourselves,” Dunbar says.
XL Catlin developed a detailed evaluation process that scores third parties
on a low-to-high scale around areas such
as email security, data transmission protocols, and overall data center controls. The
process involves personnel from the task
force, the external vendor, and the internal business unit that is using or considering using the services of that vendor.
“The evaluation process is based on
the same one we use to measure our-
selves in terms of program maturity. We
help [third parties] address any deficiencies
and report that information back
to the business units so they can make
informed decisions,” Dunbar says.
He adds that one of the most important
features of XL Catlin’s overall ERM
program is an enterprise-level risk register.
“The benefit of the register is that it
allows us to know who risk owners are,”
Dunbar says. “When we look at cyber
risk, even though it is a technology risk,
it is ‘owned’ by the business side. Having
that knowledge and accountability
provides for more effective management
of risk, and is particularly important to a
company our size.”
Another key benefit insurers have achieved
from enterprise risk management is the
ability to take the knowledge gained
through their own processes and apply it to
the services they offer to customers.
Zurich can provide its customers
ERM diagnostic services that identify
strengths, weaknesses, and strategies for
improving processes and filling gaps that
exist in a company’s current risk management infrastructure. The company also
provides a version of its Risk Room in app
form for Apple and Android devices.
“Risk Room gives customers insight
into key risk elements by country,
including the fact that risk exposure may
not be evenly distributed by country or
may be linked or compounded by other
exposures,” Conrad says.
For instance, U.K. weather is often
characterized by rain, but aging
infrastructure that does not allow water
to flow where it is most needed may
in fact be the biggest water-based risk
that companies in the U.K. face. “Many
areas in the U.K. have a water shortage,”
Conrad says. “Understanding a risk and
how it interconnects with other risks can
be hard to identify and visualize, but can
have a significant impact on a company.”
Zurich also offers an online ERM
Healthcheck Assessment. Initially
designed for financial institutions, the
online assessment provides customized
recommendations for creating a more
risk-aware internal culture and management framework.
Companies that are further along than
others on the enterprise risk management
evolutionary scale view ERM as more
than just a compliance or one-off activity.
“One of our biggest realizations over
time is how important it is to embed
enterprise risk management into our
day-to-day operations,” Conrad says.
“When risk is discussed as much as
profit is, that’s where the real value lies,”
she adds. “You need to take risk to make
a profit and increase shareholder value.
The earlier you can identify risk, the
less expensive it is to mitigate it and the
more likely it is that you can leverage the
opportunity for growth.”
“The role of ERM is not to take away
risk. It doesn’t even necessarily reduce
risk in all circumstances,” says Chester.
“But, ERM does help you anticipate risk.
As long as you have a good understanding of the risks you face, and as long as
you can project a reasonable quantitative estimate of what this risk might be
under different scenarios, you’ll be well
prepared to take action.”