(Re)insuring new and emerging risks requires data and, ideally, a historical loss record upon which to manage an exposure. But what does the future of risk management look like when so many of these exposures are intangible or unexpected?
Sudden and dramatic breakdowns become more likely in a highly interconnected and increasingly polarized world, warns the “Global Risks Report 2019” from the World Economic Forum (WEF). “Firms should focus as much on risk response as on risk mitigation,” advises John Drzik, president of global risk and digital at Marsh, one of the report sponsors. “There’s an inevitability to having a certain number of shock events, and firms should focus on how to respond to fast-moving events with a high degree of uncertainty.”
Macrotrends such as climate change, urbanization and digitization are all combining in a way that makes major claims more impactful when things go wrong. But are all low-probability/high-consequence events truly beyond our ability to identify and manage?
Dr. Gordon Woo, catastrophist at RMS, believes that in an age of big data and advanced analytics, information is available that can help corporates, insurers and reinsurers to understand the plethora of new and emerging risks they face. “The sources of emerging risk insight are out there,” says Woo. “The challenge is understanding the significance of the information available and ensuring it is used to inform decision-makers.”
However, it is not always possible to gain access to the insight needed. “Some of the near-miss data regarding new software and designs may be available online,” says Woo. “For example, with the Boeing 737 Max 8, there were postings by pilots where control problems were discussed prior to the Lion Air disaster of October 2018. Equally, intelligence information on terrorist plots may be available from online terrorist chatter. But typically, it is much harder for individuals to access this information, other than security agencies.
“Peter Drucker [consultant and author] was right when he said: ‘If you can’t measure it, you can’t improve it,’” he adds. “And this is the issue for (re)insurers when it comes to emerging risks. There is currently not a lot of standardization between risk compliance systems and the way the information is gathered, and corporations are still very reluctant to give information away to insurers.”
While traditional physical risks, such as fire and flood, are well understood, well modeled and widely insured, new and emerging risks facing businesses and communities are increasingly intangible and risk transfer solutions are less widely available.
While there is an important upside to many technological innovations, for example, there are also downsides that are not yet fully understood or even recognized, thinks Robert Muir-Wood, chief research officer of science and technology at RMS.
“Last year’s Typhoon Jebi caused coastal flooding in the Kansai region of Japan,” he says. “There were a lot of cars on the quayside close to where the storm made landfall and many of these just caught on fire. It burnt out a large number of cars that were heading for export.
“The reason for the fires was the improved capability of batteries in cars,” he explains. “And when these batteries are immersed in water they burst into flames. So, with this technology you’ve created a whole new peril.
There is currently not a lot of standardization between risk compliance systems and the way the information is gathered
“As new technology emerges, new risks emerge,” he concludes. “And it’s not as though the old risks go away. They sort of morph and they always will. Clearly the more that software becomes a critical part of how things function, then there is more of an opportunity for things to go wrong.”
From nonphysical-damage business interruption and reputational harm to the theft of intellectual property and a cyber data breach, the ability for underwriters to get a handle on these risks and potential losses is one of the industry’s biggest modern-day challenges. The dearth of products and services for esoteric commercial risks is known as the “intangibles protection gap,” explains Muir-Wood.
“There is this question within the whole span of risk management of organizations — of which an increasing amount is intangible — whether they will be able to buy insurance for those elements of their risk that they feel they do not have control over.”
While the (re)insurance industry is responding with new products and services geared toward emerging risks, such as cyber, there are some organizational perils, such as reputational risk, that are best addressed by instilling the right risk management culture and setting the tone from the top within organizations, thinks Wayne Ratcliffe, head of risk management at SCOR.
“Enterprise risk management is about taking a holistic view of the company and having multidisciplinary teams brainstorming together,” he says. “It’s a tendency of human nature to work in silos in which everyone has their own domain to protect and to work on, but working across an organization is the only way to carry out proper risk management.
“There are many causes and consequences of reputational risk, for instance,” he continues. “When I think of past examples where things have gone horribly wrong — and there are so many of them, from Deepwater Horizon to Enron — in certain cases there were questionable ethics and a failure in risk management culture. Companies have to set the tone at the top and then ensure it has spread across the whole organization. This requires constant checking and vigilance.”
The best way of checking that risk management procedures are being adhered to is by being really close to the ground, thinks Ratcliffe. “We’re moving too far into a world of emails and communication by Skype. What people need to be doing is talking to each other in person and cross-checking facts. Human contact is essential to understanding the risk.”
What of future black swans? As per Donald Rumsfeld’s “unknown unknowns,” so called black swan events are typically those that come from left field. They take everyone by surprise (although are often explained away in hindsight) and have an impact that cascades through economic, political and social systems in ways that were previously unimagined, with severe and widespread consequences.
“As (re)insurers we can look at past data, but you have to be aware of the trends and forces at play,” thinks Ratcliffe. “You have to be aware of the source of the risk. In ‘The Big Short’ by Michael Lewis, the only person who really understood the impending subprime collapse was the one who went house-to-house asking people if they were having trouble paying their mortgages, which they were.
New technologies are creating more opportunities but they’re also making society more vulnerable to sophisticated cyberattacks
“Sometimes you need to go out of the bounds of data analytics into a more intuition-based way of picking up signals where there is no data,” he continues. “You need imagination and to come up with scenarios that can happen based on a group of experts talking together and debating how exposures can connect and interconnect.
“It’s a little dangerous to base everything on big data measurement and statistics, and at SCOR we talk about the ‘art and science of risk,’” he continues. “And science is more than statistics. We often need hard science behind what we are measuring. A single-point estimate of the measure is not sufficient. We also need confidence intervals corresponding to a range of probabilities.”
In its “Global Risks Report 2019,” the WEF examines a series of “what-if” future shocks and asks if its scenarios, while not predictions, are at least “a reminder of the need to think creatively about risk and to expect the unexpected?” The WEF believes future shocks could come about as a result of advances in technology, the depletion of global resources and other major macrotrends clashing in new and extreme ways.
“The world is becoming hyperconnected,” says Ratcliffe. “People are becoming more dependent on social media, which is even shaping political decisions, and organizations are increasingly connected via technology and the internet of things. New technologies are creating more opportunities but they’re also making society more vulnerable to sophisticated cyberattacks. We have to think about the systemic nature of it all.”
As governments are pressured to manage the effects of climate change, for instance, will the use of weather manipulation tools — such as cloud seeding to induce or suppress rainfall — result in geopolitical conflict? Could biometrics and AI that recognize and respond to emotions be used to further polarize and/or control society? And will quantum computing render digital cryptography obsolete, leaving sensitive data exposed?
The risk of cyberattack was the No. 1 risk identified by business leaders in virtually all advanced economies in the WEF’s “Global Risks Report 2019,” with concern about both data breach and direct attacks on company infrastructure causing business interruption. The report found that cyberattacks continue to pose a risk to critical infrastructure, noting the attack in July 2018 that compromised many U.S. power suppliers.
In the attack, state-backed Russian hackers gained remote access to utility- company control rooms in order to carry out reconnaissance. However, in a more extreme scenario the attackers were in a position to trigger widespread blackouts across the U.S., according to the Department of Homeland Security.
Woo points to a cyberattack that impacted Norsk Hydro, the company that was responsible for a massive bauxite spill at an aluminum plant in Brazil last year, with a targeted strain of ransomware known as “LockerGoga.” With an apparent motivation to wreak revenge for the environmental damage caused, hackers gained access to the company’s IT infrastructure, including the control systems at its aluminum smelting plants. He thinks a similar type of attack by state-sponsored actors could cause significantly greater disruption if the attackers’ motivation was simply to cause damage to industrial control systems.
Woo thinks cyber risk has significant potential to cause a major global shock due to the interconnected nature of global IT systems. “WannaCry was probably the closest we’ve come to a cyber 911,” he explains. “If the malware had been released earlier, say January 2017 before the vulnerability was patched, losses would have been a magnitude higher as the malware would have spread like measles as there was no herd immunity. The release of a really dangerous cyber weapon with the right timing could be extremely powerful.”