Risk management is at the heart of insurance. The purpose of the insurance industry is to assist customers, to help them mitigate the risks that they or their businesses face which might cause significant or irreparable financial damage or loss. Whether that be the loss of a persons’ home through fire, or a fully laden bulk carrier owned by a shipping company sinking. Individuals and businesses need insurance to help protect them. It is a part of the financial system and provides financial stability. In the case of Covid-19 the system has failed but possibly not in the way that those outside the industry consider that it has.
This article does not intend to attempt to explain why the insurance industry, an industry focused on risk, failed to be fully prepared for the Covid-19 pandemic but it will consider some of the evidence as a part of an analysis of what insurers and the industry needs to fix for the longer term. We will do this by comparing the industries approach to the risk of pandemics with the approach to cyber risk.
It is not uncommon for insurers to find insured losses coming from unexpected quarters. Insurers work to identify potential risks to clients and how that may impact the coverage that they offer, but losses can still be unexpected. In our view, as we set out in this article a portion of the reason comes from a lack of sophistication and a disconnect between the work of the firms risk management functions and the work undertaken, or which should be undertaken during product development and oversight, known in the industry as product governance which covers the lifecycle of products. There may also be other factors in play.
However, in the case of the Covid-19 pandemic we take the view that there was enough evidence to indicate that firms could have done better at identifying the risk and preparing for it. Interestingly, this may or may not have resulted in a better outcome for customers but at a minimum it should have meant more clarity for everyone leading to a better understanding for all.
The Framework In Which Insurers Operate
Insurers are all subject to requirements around how they identify, assess, record and manage the risks they face as a business. Within the risk frameworks that they operate there are a series of grouped risks which each firm must consider. Two key risks they face are threats in the form of operational risks and the losses they face through the insurance business they underwrite. Both, along with others such as ‘Market Risk’, must be identified, assessed, recorded and managed through the use of controls. Assessment of the risk will include the assessment of likelihood and impact.
Operational risks are those risks which arise because of the business model adopted by the insurer and requires an assessment of external and internal risks which could impact the ability of the business to provide its services and/or to continue to trade. This includes for example, the failure of IT, the illness of a significant number of staff, a cyber-attack or a terrorist attack in or near the company’s offices. The key control is often a Business Continuity Plan designed to be implemented in the event that one of these risks comes to fruition.
One of the most significant controls for insurance risk is the product development process insurers are required to operate and, in most cases, have been operating for years. This process is designed to ensure that the products they are developing are suitable for their customers. It requires an assessment of the target market, the product wording (which is the cover that is to be offered) and other product documentation, the distribution model and customer value. Products are required to be approved and once approved the insurer is expected to monitor the performance of the product using a series of metrics.
The Contrasting Approaches
We are going to contrast the approach to pandemics with the approach to Cyber Risk. Both present to insurance firms an operational risk, the illness of a significant number of employees at the same time (or as we have seen an inability to access working premises) or the interruption of a firm’s IT systems, and an insurance risk, being the risk under a policy that the insurer has underwritten providing cover for a risk so that a claim may be payable.
We approach the review of insurer’s position on pandemics by contrasting it to their approach to Cyber Risk.
We will start by looking at Cyber Risk. There has been a significant increase in the risk to consumers and businesses from cyber-attack. Worms in computers were invented in 1971. The first malicious worm in 1988 and since then there has been a rapid increase in their application to today when there are daily malicious attacks. And they can have a significant impact on a firm. In 2013 Yahoo was attacked resulting in the details of millions of users information being stolen. In 2017 the first ransomware appeared by which a cyber attacker could lock off an IT system requiring payment of a fee for access to be returned. Wannacry infected over 230,000 computers in 150 countries in one day. In 2017 Notpetya infected 12,500 computers including large banks and government departments who are expected to have sophisticated firewalls and systems protecting them IT environments.
Not surprisingly, in the past 10 to 15 years there has been a significant increase in focus on cyber risk in the insurance industry because of the possibility of catastrophic losses arising very quickly. The reason is obvious when you look at the increase in the risk to individuals and businesses including insurance firms. Insurers have had to ensure that they have identified, assessed, recorded and managed the operational risk they faced. This was driven by senior management, regulators and the firm’s external auditors.
For the same reason, the prevalence of cyber risk also drove a need to look at the insurance risk to insurers which presented through the insurance products which firms had been offering to their customers. Initially managers of insurers were concerned to ensure that their firm was not inadvertently covering the risk of a cyber-attack on one of their clients which could lead to a substantial insured loss. Simultaneously insurers recognised that there was a commercial opportunity as individuals and businesses may want to be covered but that they should be paying an appropriate fee or premium. This led to a considerable amount of work to redefine the cover provided by insurers to their customers across a range of products including property, product and third party liability policies, contingency policies and others where it may be considered that cover could arguably be available and the birth of a whole cyber insurance industry which is still growing. In many cases that work involved the close collaboration between risk managers, underwriters and others as the products underwent review and ultimately approval through the firm’s product governance processes.
There are unlikely to be better examples of how the approach to risk management within insurers has been fully embedded into the firm’s environment and led to a review of products offered to customers. This has included the review of the terms and conditions of the insurance policies and other documentation provided to brokers and customers such as the Policy Summaries resulting in clarity about where cover is provided and where it is not. It should and has also generally led to a review of the distribution for these products where there remains a requirement for insurers to ensure that those dealing with the ultimate end customer is receiving a product which is suitable for them.
In contrast, flu viruses and other disease pandemics have been around as long as history has existed. The numbers impacted for the 1889-90 flu was one million people, then there was 1918-20 with between 17 and 100 million people, 1957-58 Asian Flu involving 1 to 4 million, 1968-69 Hong Kong Flu 1 to 4 million, 2003-4 SARS, 2009 Swine Flu 150,000 to 575,000 and in 2013-16 the West African Ebola outbreak. Annually, somewhere between 290,000 and 650,000 people globally typically die from seasonal flu. The risk is not new. What is increasingly becoming prevalent is that these outbreaks are less easy to contain, are less easy to detect and do not respond to available and known medicines. They may not spread as quickly as a computer virus but they do, because of modern transport and the large scale movement of people, spread quickly and can be significant in size and impact on people and businesses. Modern practices with an outbreak include isolation and social distancing often resulting in impacts to individuals and businesses.
In most cases insurance firms had recognised the possibility of a pandemic or similar catastrophic event as an operational risk leading to the potential for significant disruption to the firm’s ability to trade in turn leading to the possibility that their Business Continuity Plans may need to be implemented. In some cases, the recognition has come in the form of pandemics being identified in risk registers as an emerging risk, something likely to happen but not imminent. In others a risk which is likely to happen but with little assessment of the likely frequency and in others a tail risk, that is less likely than a 1 in 100 or 1 in 200 year event. Additionally, the impact of a pandemic has been assessed with considerable variation ranging from very low to high depending on the firm’s assessment of the whereabouts that a pandemic may occur.
There are a range of reasons expressed as to why pandemics have been given such a variation in assessment within the industry. It is easy to see, in hindsight, what was probably staring everyone in the face – that pandemics spread quickly and can have a catastrophic impact – leaving you to question whether behavioural economics was in play. It is also possible that there were other dynamics involved. Few recent viral outbreaks or diseases had resulted in significant economic loss to businesses which bought insurance because they tended to occur in third world countries or the impact was otherwise felt by the poorer in second or first world countries, leading to little economic benefit to insurers seeking to develop specific products. One assumes that a significant element of the regulatory diagnostic work reviewing what went wrong will look at this.
The outcome, however, has been that there has been no market wide review by firms of the possible impact to them of pandemics presented through insurance risk. Operational risk yes, but insurance risk, less so. The embedding of what was a known risk to risk management functions has not resulted in a deeper review of insurance risk in the way that cyber risk was. There has been no push by managers of insurance firms, their regulators or Auditors to ensure that a risk identified as an operational risk was not also present as an insurance risk. There has also been no push from customers for cover, meaning potentially no market or opportunity for insurers to develop. The consequence is what is playing out across the world now. Not all product wordings are clear, leaving customers not knowing whether they have cover, customers who may have been led to believe that they were covered when they may not be, customers who may have received poor advice about the cover which they were buying and outcomes for customers which are not what they should be. At the same time insurers are facing potential losses that they had not anticipated and had not charged a premium for. In some cases, these losses may be existential without further investment from capital providers leading to a significant degree of uncertainty for customers, any intermediaries and insurers.
In the eyes of the regulators this level of uncertainty is a failure whatever the outcome.
At some point there will be an assessment by the regulators of what went wrong. Diagnostics often come in the form of a thematic or market review on aspects of the market or outlier firms. More often, it will be market wide so that the regulators can assess the full gamut of responses and thereby get a better understanding of which firms really were outliers.
Firms themselves will also no doubt already be diagnosing their own internal processes and controls with a view to identifying whether there are other risks which they should reassess. Certainly, any firm which is presently an outlier will need to be considering this and taking steps to improve their processes, procedures, controls and governance.
Our thoughts are that the following are areas at the top of the list which need to be considered:
- Is there enough challenge at Board or Board Committee of the risk assessments being undertaken by risk management functions?
- Do those on Risk Committees or the Board of Directors have sufficient knowledge or experience of risk issues to provide that challenge?
- Risk registers need a thorough review:
- Are the risks all captured?
- Is the assessment of their frequency and impact appropriate?
- Are there risks identified as emerging which are more appropriately to be considered as existing?
- Has risk properly been embedded within the business and in particular is there a clear link between identified risks and the firm’s approach to its product development and governance?
- Is the product governance process effective at ensuring:
- That products are suitable for the target market;
- At ensuring that the product literature is clear and easy to understand; and
- That those distributing the product to the end customer will know and understand the product.
There is also a need for the insurance market to consider whether it has the capability to respond to pandemic and other significant losses and thus provided the necessary stability to financial markets and the economic infrastructure. There is work already underway to consider a government backed pool or reinsurance arrangement and regulators have also already expressed a positive response to the concept. We would respectfully suggest that any such solution needs to look further than just at virus pandemics. There are possibly other risks which have been identified as having considerable potential impact but a very low frequency. The history of risks and losses is littered with events which have been considered to be “tail” events because the data available has not been sufficient for relatively accurate modelling, but which have occurred. Rather than limiting any tactical response it might be the time to look a little more strategically and seek to provide a safety net covering more such events to provide a greater level or certainty to the financial markets and the economic infrastructure.
If you would like to know more about the implications of the Product Governance regulations in the context of the Covid-19 pandemic for your business, please contact us in complete confidence.