StrategicRISK Forum 2015: live updates

5.00pm - Jessica Reid, editor, Asia, StrategicRISK

Well, that’s a wrap.  Over the course of the day, nearly 200 delegates took part in some 21 sessions that covered everything from cyber risk and sustainability issues, to improving board engagement and crisis management. It was a jam-packed schedule, with all elements of the risk landscape covered in one way or another. 

If I took one thing away from the forum, it was that the risk conversation across companies of all sizes is evolving. In the past, a lot of the discussion around risk focused on how companies could control internal risks. Now it seems the focus is on external risks – the types of risks that are difficult for companies to manage. Cyber and reputation being two key cases in point.

The latter of these topics was covered in the forum’s keynote presentation by InterContinental Hotels Group (IHG) director of corporate risk and reputation, greater China, Rudi Wertheim. 

Wertheim began his presentation with a stern warning to the market: “Reputation is critical to business success and, in the future, the performance of corporate directors will be measured by reputation metrics and on feedback from stakeholders and customers.”  Indeed, 63% of risk managers expect reputation management to be a higher priority for their company in the next two to three years.  

So what does that mean for risk managers today?  First, an increasing need to measure and quantify the value of their firm’s reputation. For example, IHG and the Reputation Institute are pioneering a solution to measure the damage arising from their reputation risk. Other firms are sure to follow suit, if they haven’t already. 

A key reason that reputational damage is so high on the boardroom agenda is that almost all roads lead to brand risk: supply chain interruptions, corporate social responsibility, media events, bribery and corruption… there are so many triggers that have the potential to impact a brand’s reputation. And in our new connected age, bad news travels fast. Any brand damage can happen quickly and severely. 

So it’s no surprise that one of the second key themes at the StrategicRISK Forum was cyber. But delegates at the forum were keen to point out that cyber should not be considered an ‘emerging’ risk. It is, however, clearly underestimated and un-addressed by many firms (as demonstrated by the live hack conducted by cyber security experts FireEye at the event). Despite the huge scale of the problem – some 96% of businesses have suffered a cyber breach, according to research discussed at the event – take-up of cyber insurance around the world is low. 

Companies are focusing too much on malware, FireEye’s engineering director Steve Ledzian pointed out, rather than the human behind the cyber attack. The adversary is usually very well resourced, such as a state-sponsored entity or cyber criminal syndicate. This creates a huge challenge.

However, the tide is starting to turn. The latest reports in London say that within the next 10 years, cyber insurance will become as common a purchase for UK and European businesses as property insurance.

But will the Asian market follow suit? Only time will tell. The only certainty is that innovation is needed in the areas of both reputation and cyber mitigation to stay ahead of the risk management curve.

From my experience, the insurance market in particular is often criticised for its lack of innovation. But innovation and risk management go hand in hand because everyone that innovates takes a risk. The challenge is finding the balance between a risk-based approach and making decisions quickly, while still remaining compliant. Indeed regulation, as ever, remains a consistent theme for the industry. And no matter what part of the world you travel to, regulation and compliance remain top of the priority and concern list for risk managers.

In addition, there is many more challenges that the industry is facing. And so, one of my first priorities as the new editor of StrategicRISK Asia will be getting out to meet the market. I look forward to meeting you and learning more about the risks and issues that are important to you.

 

2:00pm - Delegate view

InterContinental Hotels Group director and head of risk management, Asia Australasia, told StrategicRISK the current issues she is facing.

”Keeping on top of regulatory changes is a big challenge for risk managers. The problem is that laws differ from country to country and they are constantly changing, so understanding how these changes can affect a business can be difficult,” she says. 

”Additionally, the systems and procedures that companies have in place for managing compliance and regulatory risks differ in quality. For instance, legal resources may not be adequate to address emerging issues. Having support from a legal representative is vital in managing and mitigating regulatory risk, because decisions have to be made quickly. But it is equally as important to apply a risk-based approach. The challenge for risk managers is finding the balance between a risk-based approach and making decisions quickly.”

 

12:35pm - Panel discussion: Innovation in risk management and risk financing

Thomas says a more strategic approach to the management of risk can result in a win-win for both insurer and insured, with lower losses needing to be covered by the insurer and the insured becoming more resilient and competitive in their market. The insurance industry needs to get better at promoting that element of their business, he suggests.

 

12:30pm - Panel discussion: Innovation in risk management and risk financing

Matt Harris says: ”AIG is investing in a science business unit and we have appointed a chief science officer to lead this unit. Among the myriad of risks, the team is looking at threats associated with Big Data. The unit has 250 employees and this demonstrates how committed we are to innovation.”

Douglass Ure says: ”Gathering data is important and this is where we are investing a lot of our time. We are also exploring ways to look at risk in a qualitative way.”

 

12:15pm - Panel discussion: Innovation in risk management and risk financing

Matt Harris says: “ERM needs to move to where companies do not see it as an outlay.

“Directors need to understand the risk and communicate ERM so that this [knowledge] is cascaded down the business. It would be great to see KPIs around risk management embedded within the business.”

 

12:05pm - Panel discussion: Innovation in risk management and risk financing

Cyber risk is raised as a key area for innovation.

Johnson says he thinks cyber risk has been very well known for more than a decade, and while it is getting more severe it is not an ‘emerging’ risk. He says that large companies in the US and Europe buy cyber risk policies as as matter of course, however in Asia, very few companies actually buy such policies at present.

Douglas Ure on cyber risk “A lot of organisations do not their understand cyber risk exposure. So a lot to businesses will jump on insurers and will say, ‘insurance does not cover the risk and solutions cost too much’. But when you ask risk managers to describe their risk profile, financial risk and, provide us with data, their faces go blank.

Zurich chief executive Global Corporate Asia Pacific Keith Thomas added: “This morning’s cyber discussion was both terrifying and interesting”

 

12:00pm - Panel discussion: Innovation in risk management and risk financing

Douglas Ure on risk profession and risk conversation: “The risk conversation is evolving. In the past a lot of the risk discussion was focused on how companies can control internal risks but now we focusing on external risks - the types of risks that are difficult for companies to manage.

“But the risk conversation can evolve further. Businesses and risk managers need to consider their risk management objectives so that they are not focused on reducing the cost of insurance premiums but how they can respond effectively to a risk as soon as they unfold.”

11:55am - Panel discussion: Innovation in risk management and risk financing

Zurich’s Thomas says a more strategic approach to the management of risk can result in a win-win for both insurer and insured, with lower losses needing to be covered by the insurer and the insured becoming more resilient and competitive in their market. The insurance industry needs to get better at promoting that element of their business, he suggests.

11:50am - Panel discussion: Innovation in risk management and risk financing

XL’s Johnson says when big events happen, “it’s often the unknown unknowns that really hit us”, citing the example of the impact of the 2011 Thai floods on global supply chains. He cautions that the current strength of the US dollar combined with a weak oil price could be the next ‘unknown unknown’.

11:45am - Panel discussion: Innovation in risk management and risk financing

AIG’s Harris says: “There are a myriad of risks and the panel has highlighted a few - the advancement in technology in the emergence of driverless cars, for example, and heightened supply chain threats. The challenge is identifying which of these risks to focus on.”

11:30am - Panel discussion: Innovation in risk management and risk financing

Our expert panel were asked how they define innovation. Here’s what they said:

• AIG Asia Pacific Insurance chief executive Matt Harris says: “True innovation is when it applies to the entire supply chain. For insurers, it is important that they conduct thorough research to identify whether there is a genuine need to create a new product and that insurers are not ‘innovating’ for the sake of innovating.”
• Marsh Risk Consulting practice leader Douglas Ure says: “The world of risk is changing dramatically. For instance, the risks that we spoke about this morning - reputation and cyber - were not threats the industry was talking about five years ago. Insurers and businesses need to find creative and innovative solutions to today’s complex risks.”
• Swiss Re Corporate Solutions head of Asia Pacific Fred Kleiterp says there are two elements to innovation: “Innovation should make things possible that weren’t possible before, or it should make an existing product or solution better.” In insurance, he sees parametric insurance as one of the biggest sources of innovation in the future.
• XL country head for Singapore and Labuan Robin Johnson defines innovation as incremental or radical change to either external or internal products and services, and points out that it must have value for both customers and the insurance company. What risk managers don’t always see, he suggests, is how internal innovation is driving down costs for them - that is, making risk cheaper to transfer.
• Zurich chief executive of global corporate business Asia-Pacific Keith Thomas highlights the sharing of information between insurer and customer. This information could be about such issues as concentration of risk or the extent of supply chain risk, for example. Innovation, Thomas says, is all about building tools to help customers understand what their risks are and how they’re moving. He says the big challenge is that insurers often get very different answers from different levels of an organisation, so tools are required to facilitate better awareness and communication of a firm’s overall strategic direction.
• International Finance Corporation – World Bank Group principal insurance officer Jan P Mumenthaler says: “Innovation and risk management go hand in hand because everyone that innovates takes a risk.” He adds that there is a need to closer align clients’ risks with the solution that is brought to the table. “Too often I see a mismatch between an exposure that exists and the product that the insurer is bringing to the table,” he says.

11:15am

The first expert panel at StrategicRISK Forum kicks off, discussing innovation in risk management and financing 

 

10:25am - Underestimated, un-addressed: cyber risk

Ledzian suggests that organisations consider utilising services such as response readiness assessments, security programme transformations and incident response and malware analysis training.

He concludes that, when it comes to cyber risk, the problem is now a ‘who’ not just a ‘what’. In other words, it’s the threat actor that companies must get to know and understand, not just the malware they are using.

10:15am - Underestimated, un-addressed: cyber risk

A report published last week concentrates on an entity known as Attack Group APT30, which is targeting organisations in the ASEAN region. Ledzian says that the region’s threat landscape is now filled with such groups.

10:10am - Underestimated, un-addressed: cyber risk

Around $30bn dollars are spent on cyber security but 96% of companies have been breached.”

Steve Ledzian, FireEye

Companies are focusing too much on malware, Ledzian points out, rather than the human behind the cyber attack. The adversary is usually very well resourced, such as a state-sponsored entity or cyber criminal syndicate. This creates a huge challenge.

Ledzian says 96% of companies are breached, but only 69% learn about that breach. The average time from breach to discovery of the breach is more than 200 days!

10:00am - Underestimated, un-addressed: cyber risk

Internet response is something that FireEye specialises in, which Ledzian says positions it as a cyber attack first responder. He advises that companies need to be prepared in this way so they can respond quickly to a breach.

Ledzian demonstrates to the audience what is possible in a cyber attack using malware. In it, the attacker tricks someone in an organisation to make an outbound connection from the victim machine via the internet to the attacking server. They do so by profiling the victim company, building a resume for a job advertised by the organisation and putting malware into the resume. The malware infects the machine and gives the attacker full control over the victim machine.

9:45am - Underestimated, un-addressed: cyber risk

FireEye systems engineering director - Asia, Steve Ledzian says we’re starting to see executive leaders take more responsibility for cyber risk, but it’s still a slow process.

He points out that the idea of ‘cyber resilience’ should be a boardroom priority. In other words, not aiming to prevent all attacks, but working out how to respond when the inevitable breaches occur.

9:30am - Keynote presentation: Managing brand and reputation risk

Reputation risk may no longer be intangible and unquantifiable, say Wertheim. InterContinental Hotel Group and the Reputation Institute are pioneering a solution to measure the damage arising from reputation risk.

Wertheim also says that keeping on top of emerging threats is crucial to managing reputation risk. “I want risk owners to focus on emerging risks - the threats that are coming up that could hurt the company and its reputation,” he says.

9:15am - Keynote presentation: Managing brand and reputation risk

Rudi Wertheim from InterContinental Hotel Group says 63% of risk managers expect reputation management to be a higher priority for their company in the next two to three years.

9:00am - Keynote presentation: Managing brand and reputation risk

Rudi Wertheim, director of corporate risk and reputation, greater China at InterContinental Hotel Group, kick-started the StrategicRISK Forum this morning with a stern warning: ”Reputation is critical to business success and, in the future, the performance of corporate directors will be measured by reputation metrics and on feedback from stakeholders and customers.”

 

8:40am - Chairman’s opening remarks

“I have been enormously impressed with all the risk professionals I have encountered either in Singapore or elsewhere in this wonderfully diverse region,” says StrategicRISK editor Mike Jones.

8:35am - Chairman’s opening remarks

StrategicRISK editor Mike Jones announces the appointment of Jessica Reid as the new StrategicRISK Asia editor. Jessica will take over from Sean Mooney who is stepping into the role of executive editor.

8:30am - Welcome address

StrategicRISK Forum 2015 kicks off at the Four Seasons Hotel in Singapore. Publisher Will Sanders welcomes delegates to the second annual event.