What’s ‘hot right now’ in risk management?

The risk management industry and regulatory landscape is as dynamic as ever and can be challenging to navigate for experienced practitioners, let along young actuaries. To help young risk actuaries get up to speed on some of the ‘hot topics in risk management’, attendees were treated to a fascinating discussion on risk management topics attracting increasing levels of attention within organisations, but also from regulators.

Experienced professionals in the industry presented their insights on the prominent risk management topics of:

• Data and AI Ethics – Chris Dolman, Executive Manager, Algorithmic Ethics at IAG

• Climate Risk – Francesca Kirby, Actuary at Finity Consulting

• Cyber Security – Dan Barron, Director, EY Cyber Security Consulting

Presentations were followed by a live Q&A panel with the speakers that attracted some thoughtful and engaging discussion. Here are some of the key takeaways.

Data and AI ethics

Constant failure as a motivator

• Automated systems pose data and ethics risks and there are several (sometimes shocking) examples where Artificial Intelligence (AI) has unintentionally gone wrong.

• Case studies range from unwanted headlines, racist photo tagging by Google, silly motor fines (where a bus lane camera mistook a woman’s sweater for a number plate), or even a bald referee being mistaken for the soccer ball during a game!

Why do failures keep happening?

• The root cause for these failures comes back to poor/lack of governance and monitoring and control gaps – central tenets of any good risk management framework.

• Ultimately, computers are not people and robust risk management requires exercising judgment and applying discretion – particularly when ethics are involved – which AI cannot undertake.

• Worrying about data privacy and security is necessary but not sufficient; when data drives consequential decisions, conduct risks will arise.

What can we do?

• Actuaries can get involved through the opportunity to play a significant role in helping design practical data and AI ethics governance frameworks.

• There is practical guidance available to assist:
  • The Information Note on Automated Decision-Making Systems was released in late-2020, by the Institute’s Data Analytics Practice Committee; and

  • What all actuaries will be familiar with – an application of the Actuarial Control Cycle through defining the problem, designing the solution, monitoring the solution with professionalism applied throughout – refer to the presentation for a worked example.

Climate Risk

It is important to distinguish between the drivers of climate risk

• Transition risk, i.e., cost of transitioning to a low carbon economy. This could manifest through, for example, the costs of implementing a carbon tax which can lead to stranded assets (e.g., a coal mine) which in turn translates to financial (market) risk through repricing of equities, fixed income or commodities.

• Liability risk, i.e., the cost of compensation for losses suffered from climate change. For example, some superannuation funds have been recently sued by members for failing to incorporate climate risk in their investment strategies.

• Physical risk, i.e., chronic (gradual) or acute (catastrophic) changes in the climate and the risk driver we are most familiar with. This could manifest through insurance and financial risks, e.g., damage to physical property leading to increasing insured losses or rise in credit risk losses through increasing loan defaults following a catastrophic event.

Challenges with measuring climate risk

• Difficult to draw conclusions from past catastrophic events data as ‘signals’ are often confused by ‘noise’ in the dataset e.g., if the risk likelihood of a low frequency/high severity event doubled from 3% to 6%, we would need over 300 years of data to demonstrate this change with 90% confidence.

• Difficulties in using claims data with changes in exposure, product coverage, building codes, the impact of climate cycles and inconsistent definition and historical recording of events over time all pose challenges; measuring climate risk requires an analysis of the underlying risk drivers vs. looking at the ‘outcomes’ through claims data.

Australian Actuaries Climate Index (AACI) as a solution, its limitations and opportunities

• Focusing on the ‘physical risk’ driver of climate risk, the AACI is the composite of a number of weather indices providing objective measures of historical extreme weather and sea levels rather than averages – this can be correlated to catastrophic ‘risks’.

• Designed to help inform high-level conversations for actuaries, public policymakers, organisations and the general public about climate trends in Australia.

• Calculated by looking at the frequency of extreme weather events exceeding the 99^th percentile of weather metrics in a reference ‘base period’ and standardised using the base period standard deviation.

• While the Index provides a big step forward to measuring extreme weather patterns, there are some limitations that also present opportunities for ongoing enhancement of the Index.
  • Weather, not risk – while correlated, the extreme weather changes measured by the Index do not directly translate to risk. How can we more closely relate the Index to cost using weather metrics?

  • Low resolution –the index is made up of large geographical areas which can ‘miss’ localised/concentrated events. How can we achieve more spatial granularity through the data collected and analysed?

  • Not predictive – data used is historical and unable to be extrapolated for future trends. How can we increase the value of the Index by incorporating information on future climates?

  • Potentially difficult to understand – particularly for non-actuaries given the calculations involved. How can we better collaborate with other stakeholders and make the index easier to interpret?

Cyber Security

An update on the cyber threat landscape

• Two common terms typically referenced in cyber threat media communications
  • ‘Nation-state threat actors’ which can either be silent or espionage-based or, more active actors that ‘open the door’ for organised crime to exploit through their actions; and

  • ‘Sophistication of attacks’, which as a rule, tends to generally be low.

• Recent case studies highlight the rise of the supply chain attack trend and ransomware payments involved with such attacks – now often paid through cryptocurrency and ‘paying off’ for organised crime.
  • SolarWinds, a software company providing network monitoring solutions was compromised in late 2019/early 2020 by a nation-state threat actor in a carefully planned attack involving significant software development detail to ‘preserve’ the original product and target specific customers through malicious code. Ironically, the attack only became known to industry through an impacted cyber security company.

  • Kaseya, a remote administration software used by managed software providers was compromised by organised crime allowing the threat actor to take control of the remote administration. The ‘attack surface’ was significant with extortion demands against Kaseya as the provider of the software, demands on the managed service providers to rescue their customers’ information and finally demands on the customers to regain access back to their domain.

Legislative and regulatory trends

• Starting to see both increasing regulatory powers legislated and a refocusing of legislation that was not necessarily designed to deal with all aspects of cyber, e.g.
  • Ransomware Payments Bill 2021 – establishes a mandatory requirement for government and corporations to report ransomware payments paid for attacks.

  • Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 introduces warrants for government authorities to modify, add, copy or delete data (Data Disruption); collect intelligence on serious criminal activity (Network Activity); and take over a person’s online account (Account Takeover).

• APRA CPS 234 – formalises an organisation’s internal information security implementation, monitoring and reporting requirements, irrespective of whether the entity or a third party undertakes the activity.

• Scenario-based assessments – how do regulators assess industry cyber security posture?
  • Reviewing an entity’s policy framework alone is ineffective and any metrics can be commercially sensitive.

  • One possible solution is using scenario-based assessments to execute a simulated attack, understanding the impact on business processes and the remediation actions available to be implemented e.g., the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework developed by the Council of Financial Regulators (CFR), which aids preparation and execution of industry-wide cyber resilience exercises.

Modelling considerations for cyber security investment (not insurance risk exposures…)

• Approaches look at the loss exposure and expected ‘pay-off’ from security investments
  • Asset-centric approaches look specifically at the infrastructure assets the entity is trying to protect and the controls in place to support e.g., the Factor Analysis of Information Risk (FAIR) approach.

  • Scenario-based approaches are relatively more flexible and look more broadly at a key scenario to examine the threat actor, impact on revenue streams, mitigation activity, etc.

  • In practice, most organisations undertake security hygiene activities first to determine how they can reduce threat exposure before pursuing modelling.

Challenges involved

• Asset-centric approach – dependent on the availability of skills in the organisation, and benefits from modelling vs. security hygiene activity

• Scenario-based approach – modelling considerations are heavily dependent on the scenario being chosen to model.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.