April 2015 // issue 06

14

Solutions for a risky world

data vision10Using the right data and applying industry knowledge

is vital to avoid information overload

mega trendS Financial institutions face paradigm shifts

Political hot spotsCompanies face possible sovereign defaults, riots and security threats in Russia and ukraine

Katrina, 10 years on...similar catastrophes could happen any time, so what can policymakers and insurers do about it?

Managing food scarcity socioeconomic, agronomic and land/water-resource challenges raise the prospect of food shortages

28 36

6

resilience // issue 06 // April 2015

Welcome

The future is not what it used to be. Neither is the past. As we build stores of data and begin to analyse this data we are discovering correlations and trends that were not readily apparent in the past. These correlations are challenging, if not upending, the way we look at the future. Still, as the proverbial

black swans become increasingly grey, we know that data cannot entirely predict future events. How do we get the most from this ‘new past’? That is, how can the study of data and building of analytical models, powered by insightful algorithms, change our understanding of the past in a way that gives us a clear view into the future?

With more to learn, this future is coming into focus for all of us in the risk world. At its most basic, predictive analytics allows us to align current risk management priorities with spend. It empowers us to embed risk management decisions into C-suite strategies. At the edges, it is beginning to allow us to think about risk financing in new ways, supporting the development of new and often customised risk transfer products, for risks historically considered ‘uninsurable’.

As we explore in this edition of Resilience, weather forecasting and natural catastrophes are two areas where analytics has already made a real difference. Since Hurricane Katrina ten years ago, many improvements have been made to the use and application of catastrophe models – including the collection of more extensive claims and engineering data, the introduction of climate change features and the use of more accurate exposure data. This results in a much better view of prospective catastrophic events.

New alternative sources of data – such as amateur weather observations via smartphones – are increasingly used to help predict and manage extreme events. Drones, for example, can help pinpoint cracks, instability or other damage caused by earthquakes or hurricanes.

There are also societal ramifications. Better analysis of better data helps emerging economies to mitigate the impact of natural disasters,

such as drought, boosting their productivity and consequently managing the threat of food scarcity. By analysing rainfall data in certain African countries, index-based risk finance capabilities have been developed that pay out to countries as soon as severe weather events occur, thereby minimising losses and speeding up the restoration process.

Improved data and analytics can also help companies to tailor their risk transfer options more keenly, through the use of captive insurers, or even to attract new kinds of capital, such as financial-markets-backed catastrophe bonds for property exposures. A captive insurer often collects a huge amount of data, including information on values, exposures and claims. Analysis of this data can help to predict future costs and possible adverse scenarios, enabling organisations to direct risk control activities.

Future synthesisWhat does this mean for the workforce of the future?

The emergence of applied predictive analytics has inadvertently led to a dichotomy, in some areas, between workers who think like a physicist, relying on the power of technical, algorithmic approaches, and those that rely on a more heuristic approach – trusting their experience and judgement. In the future successful risk management professionals will need to synthesise these two approaches and mindsets into a form of thinking adept at combining human judgement and analytics to reach the end goal: greater understanding and better decision making.

Companies should adopt a healthy agnosticism when first measuring data and looking for patterns, and here industry knowledge will be vital. Ultimately, getting the most from data will require the effective use of human capital. That’s where the future challenge lies – that’s where risk managers and Willis can work together.

By John Merkovsky, group director of risk & AnAlytics At Willis group Holdings

Data and analytics are redrawing the insurance landscape and drastically improving companies’ risk management and performance.

7.4IMPACT DIFFICULTY

7

Regulatory changes and complexity

Risks associated with businesses taking advantage of light touch regulatory regimes

Tension between customers' trust of higher regulation and the need for business fl exibility offered by lower regulation environments

Rise of competitors, such as NBFIs and FinTech fi rms, not subject to same regulatory requirements as traditional FIs

Changes in investment and capital sources and returns Demographic and behavioural changes

Global talent and skills race

Regulatory pressure on senior managers prompting people to leave industry, or move to more lightly-regulated fi rms

Increasing complexity of risk assessment and regulatory pressures is moving risk management away from specialist risk managers to board level and C-suite

Need to develop and up-skill risk managers to deal with complexity and importance of new and emerging risk issues

Recruiting and retaining new joiners, staff and global leaders against competing industries

Loss of clients and potential markets as management focus shifts towards restructuring and away from clients

New intermediaries creating risks in the value chain and/or shifting sources of revenue

Loss of intermediaries causing loss of specialist skills and knowledge and driving down profi ts

The rise of specialist competitors and providers: new entrants, regional and wholesale specialists

6.46.2

New customer base in emerging markets not served by traditional models

Mature customers moving against intermediaries due to a perception of a lack of transparency and/or high cost

New generation of customers with different requirements for service and transactions

Rise of major LatAm and Asian 'mass affl uent' consumers requiring a new approach to markets

Grey market becoming larger and more demanding of high-touch services

Macroeconomic factors: QE impact and infl ation/defl ation

Drag on returns caused by regulatory capital requirements

Search for yield encouraging riskier products or behaviours

6.1

6.8

Potential talent gap as skills needed to remain competitive change and evolve with increasing speed

Pressure placed on traditional FI models by technological advances which is prompting rise of FinTech companies and new challengers taking market share

Increasing costs of regulatory compliance and increasing risk of changes due to political reaction and interference

Increased transparency putting pressure on traditional sources of revenue or cost

Technological advances changing interaction to online/social media based service, real-time investment updates, etc…

New entrants and challengers, unburdened with legacy IT issues, using technology to simplify or change the service/cost paradigm

Technological ubiquity creating new risks: cyber attacks, cyber extortions and hacktivists

6.2

6.1

6

6

5.9 5.9

6.1

6.1

Increasing costs associated with ongoing IT infrastructure investment and upgrades

6.3

Disproportionate returns on capital as between traditional FIs and new entrants with lighter regulatory burdens

5.8

5.9

6

5.6

5.6

5.6

5.9

5.5

5.9

6.1

6.1

5.7

5.8

5.8

6.2Risks associated with operating in regimes with strong regulation or high-risk regulation/customers

6.1

Digitalisation and technological advances

Business operating model pressures (e.g. segmentation and disintermediation)

6.7IMPACT

6IMPACT 5.8

IMPACT

5.8IMPACT

5.7IMPACT

DIFFICULTY

6.6

DIFFICULTY

5.8DIFFICULTY

5.5DIFFICULTY

5.5

DIFFICULTY

5.4

2323

China's captive embraceChinese companies’ improving risk management is leading to an uptake in captive insurance

Under cyber attack? Critical infrastructure faces cyber attacks due to increased internet usage and nation-state support

Future of risk analytics Avoid information overload by using the right data and employing industry knowledge

Political hot spotsPossible sovereign defaults, riots and security threats in Russia and Ukraine

Financial mega trendsRegulatory complexities and technological advances top financial institutions' mega trends

Future of bankingBNY Mellon’s Izzy Dawood says banks should return to traditional practices and leverage technology

Katrina, 10 years on...Similar catastrophes could happen any time, so what can we do about it?

Extreme forecastsCatastrophe modelling can help to manage the impact of climate variability

Freeing the dronesDetecting property damage after hurricanes and aiding forecasts is just the beginning for drones

Facing food shortagesThe prospect of food shortages is raised by socioeconomic and land/water-resource challenges

ContEnts

24

04

06

10

14

20

24

28

32

34

36

28

If you would like to discuss any of the issues raised in this publication please contact Miles Russell on +44 (0)20 3124 7446/miles.russell@willis.com or your local Willis office. Contact details can be found at willis.com/Contact_Us

content marketing services provided by Grist, 21 noel street, soho, london, W1f 8gpPublisher Mark Wellings editor Matthew BroomfieldArt director Andrew Beswick Telephone +44 (0)20 7434 1447 Website www.gristonline.com

© Copyright 2015 Willis Limited. All rights reserved: no part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, whether electronic, mechanical, photocopying, recording, or otherwise, without the written permission of Willis Limited.

Some information contained in this document may be compiled from third party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such. The views expressed in this document are not necessarily those of the Willis Group. Willis Limited accepts no responsibility for the content or quality of any third party websites or publications to which we refer. This publication and all of the information material, data and contents contained herein are for general informational purposes only, are not presented for purposes of reliance, and do not constitute risk management advice, legal advice, tax advice, investment advice or any other form of professional advice. This document is for general discussion and/or guidance only, is not intended to be relied upon, and action based on or in connection with anything contained herein should not be taken without first obtaining specific advice from a suitably qualified professional.

34

22

36

As China’s growth accelerates and the government works to reform the economy, domestic companies are increasingly exploring the possibility of captive insurance.

By Paul Owens, Chief exeCutive OffiCer GlOBal Captives at Willis, and lincOln Pan, CeO Of Willis China

China’s Captive audienCe

I n territories outside of Asia, like the US and Europe, risk financing through captives is a well-trodden path. Of the non-Chinese Fortune 500 companies, more than 85% use a captive as part of their risk management programme, yet of Chinese companies (which account for 100 of the Fortune 500) less than a handful use captives.

This is set to change. The insurance market in China has grown in size and complexity over the past few decades, almost from a standing start. In July 2014 the rating agency Moody’s assigned its first rating to a captive domiciled in China – signalling that the practice of self-insuring through captives is establishing itself in the country and in Asia more generally.

In parallel, the Chinese Insurance Regulatory Committee (CIRC), which regulates all insurance companies/intermediaries in China and economic development in the sector, has recognised the link between a vibrant, sustainable insurance market and a captive insurance sector.

Consequently, the CIRC has been extremely supportive of captive insurance. It has taken advice from successful domiciles around the world and is shaping its regulatory framework to be attractive not only for local companies but also for

international ones considering China as a captive domicile. Much of the legislation has been crafted from internationally recognised regulation. For example, it has decided to adopt risk-based capital along the lines of the soon-to-be-implemented European Commission’s Solvency II Directive.

Hong Kong has an established captive framework and some early adopters have decided to locate their captive here, although Singapore is also attractive. Both locations have local resources, expertise, infrastructure and, of course, exceptional language skills. CIRC will promote mainland China as a domicile of choice, and may use the recently formed free trade zones (most likely to be Shanghai) to accelerate the captive market – as was seen in the 1990s in Dublin.

taking controlWith rates soft in the commercial insurance market, the logical assumption is that companies wouldn’t need to form a captive insurer. But captive utilisation is not all about price. As organisations become more aware of risk management techniques, and seek to better control distributed insurance programmes and to retain more data and risk, captives become an obvious solution.

A captive will need to collect a huge amount of data, including on values, exposures and claims. Analytical techniques can be used to predict future costs and exposures, enabling organisations to direct risk control activities and make appropriate decisions on risk retention and transfer. Analytics also enable captive owners to develop their captive’s use and efficiency.

Initial interest in China has been for a captive to cover property risks, but new areas of coverage will be developed, including those that may be difficult to price in the commercial market, such as cyber risk. In some cases, captives are used to enable new business models, for instance providing insurance to an organisation’s customers (such as extended warranty on products). Non-correlated risks may also be attractive candidates for captives. For example, the provision of employee benefits by the captive may be possible without an equivalent increase in capital requirements.

There are also significant commercial pressures. In order to compete and partner with US and European companies who use captives, Chinese companies need to follow suit. Many Chinese companies have commercial partners and joint ventures with companies in the West and wish to operate on a level playing field.

Through mergers and acquisitions, Chinese companies are also beginning to acquire captives. For example, a Chinese energy company recently bought a company in Canada that had an existing Barbadian captive. Recognising the benefit that this captive brought to the risk management programme, the acquirer has accelerated their investigation into forming a captive for their existing assets.

resilienCe // issue 06 // April 2015

Analytical techniques can be used to predict future costs and exposures, enabling organisations to direct risk control activities and make appropriate decisions on risk retention and transfer.”

Fruitful competitionInsurance companies in China have no choice but to come to terms with the rapidly expanding captive landscape. They now face even tougher competition, with corporations beginning to drive their own risk management agendas. Commercial insurance companies should not feel challenged by captive growth, however. Captives should be encouraged, as their owners are signalling they are taking risk management seriously and trying to control costs, all of which should align perfectly with underwriters’ objectives. Often a captive will require reinsurance – which insurance companies can provide, and if they do so for captives they will accept a better quality of risk.

As Chinese organisations expand into overseas markets, they must ensure their captive is fully compliant overseas, which global insurers can help with by providing ‘fronting’. A fronting

arrangement is where the insurer provides coverage, policies and compliance locally but reinsure into the captive. Hence the assured achieves risk retention through its captive while maintaining full local compliance – achieving the best of both worlds.

The decision to create a captive should not be taken lightly. Insurance is unlikely to be the core business of the company making the decision, so a whole new vocabulary, set of procedures and systems will be required. Senior management will need to be educated and the organisation may have to start working with financial regulators for the first time.

However, as Chinese companies’ risk management standards continue to increase, captive utilisation will increase too, inaugurating a period of more sophisticated and data-oriented risk management commensurate with Chinese companies’ growing international footprint.

willis wire

Solvency II – burden or opportunity? ow.ly/LnvzO

blog.willis.com

Next stop, catastrophe boNds

The Chinese Insurance Regulatory Committee (CIRC) has initiated discussions on creating an insurance linked securities (ILS) market in China, with a particular focus on catastrophe bonds.

The ILS market continues to experience greater than 20% compound annual growth, with 2014 seeing the ILS market reach an issuance high of $9 billion. The growth has been driven by a demand increase from institutional investors seeking asset diversification in the attractive yields of ILS products.

While CIRC has not commented on what form the China ILS market may take, it is not too early to speculate what this market could look like for insurers and corporate clients.

The first application will be to use catastrophe bonds to offset risk exposures at large state-owned insurers in China. CIRC has already announced its intentions to create a catastrophe bond fund, and discussions have begun on how to analytically define pools of risks in the property and liability portfolios of large insurers. Offsetting catastrophe risk in such pools will inevitably require the issuance of multi-tranche catastrophe bonds for different layers of risk. Such an application of catastrophe bonds will follow the trends taken in other insurance markets globally, simply on a national and,

likely, larger scale. The second application could follow the current CIRC

push for captives, by encouraging large current and former state-owned enterprises in China to explore alternative risk transfer strategies. Over the past 12 months, we have seen increasing interest from large clients in China to explore cost-effective solutions to large, complex catastrophic risk. Clients are increasingly exploring whether catastrophe insurance options are available to manage these risks. Such risks include massive-scale mortality risk from farming and agriculture, pandemic disease risk from large transportation companies, and depopulation risks from utilities in areas impacted by earthquakes.

Risk and triggersInsurance solutions for large-scale risk remain expensive and difficult to underwrite for many local insurers, irrespective of the significant underwriting capacity available to China. The challenge remains appropriately structuring the risk and triggers for payback – which presents a significant and meaningful opportunity for risk management professionals. The impact, however, for large corporate clients in China could be significant in protecting their balance sheets and operations from massive risk, as illustrated by several potential solutions

highlighted below: • A parametric catastrophe bond could stand behind the

loan book of a regional bank with large project and SME exposure to an earthquake exposed region. The bond would trigger and pay upon tremors and seismic activity exceeding agreed levels in specified areas of the region. The bond would effectively act as a reserve source of capital, providing a solvency backstop to a mid-sized regional bank in the event of a massive catastrophe.

• A bond triggered by declining occupancy rates at a national hotel chain as a result of public declaration of a health pandemic by the local or national government.

• A bond issued by a large national or regional power plant seeking to protect itself from depopulation losses resulting from a massive earthquake impacting an area of China.

Increasing CIRC support behind an ILS market will trigger interest from more large organisations in China. Combined with growth and comfort of Chinese institutional investors for higher yielding corporate bonds and increasing sophistication of earthquake and catastrophe models in China, the ILS market has been seeded with an appropriate foundation to expand and grow. An ILS market of any form in China still remains three to five years away but it is already visible on the horizon.

liNcolN paNlincoln.pan@willis.com

Lincoln became Willis China’s chief executive officer in January 2015,

transferring from Willis Hong Kong where he was the executive director responsible for commercial leadership and operations.

paul oweNspaul.owens@willis.com

Paul is CEO of Willis's Global Captive Practice, comprising the

captive operations of North America, Europe and other regions. He was previously COO of Willis Limited and Global Businesses.

willis wire

ILSs and cat bonds in 2015ow.ly/Lna4x

blog.willis.com

0504

I nfrastructure services underpin our way of life. For example, the US definition of critical infrastructure, embedded in the Patriot Act of 2001, refers to systems and assets “so vital to the US that incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety”.

You might imagine, therefore, that the security surrounding critical systems, and underpinning organisations’ ability to provide related services, would reflect the significant role this infrastructure plays. Sadly this is not always the case.

During the summer of 2014, several cyber security organisations honed in on the existence of a sophisticated piece of malware often referred to as ‘Energetic Bear’. Energetic Bear allows a cyber criminal to monitor in real time the demand and supply balance across a utility company’s supply grid, such as oil and gas pipelines, electricity supply grid, water distribution and so forth. It also enables the remote controller to attack specific field equipment like pumps, valves and control gear.

An analysis of some of the examples of the virus revealed that the earliest infections had been in some organisations’ networks for 18 months before they were discovered, and many thousands of examples of the malware have been discovered so far.

Energetic Bear represents an opportunity

for cyber criminals to determine the point of maximum demand, and co-ordinate this with interventions that could see the supply interrupted or equipment damaged at the point where they are needed most.

Eating into suppliesEnergetic Bear also raises questions about the vulnerability of companies’ supply chains. The supply chain is part of any organisation’s life-blood, with the perimeter of an organisation often including critical suppliers. With critical national infrastructure (CNI) there are several areas of critical extension of the enterprise boundary that must meet the same levels of

rigour and surety expectations employed within the CNI organisation itself.

Most CNI organisations (with the obvious exception of financial service institutions) have very significant engineering content in their operations. In the drive for continuously improved financial performance, there is increasingly widespread reliance upon outsourced, third-party engineering services. The third-party service provider spreads across many contracts the cost of the installation of remote monitoring provision, the equipment that they may own and provide to the CNI organisation and the cost of service engineers to maximise their own profitability.

Dependence upon such third-party services is pervasive and CNI organisations must consider this extended perimeter when reviewing their risk profiles. Yet, while procurement disciplines routinely require specific compliance requirements for those services, very few service contracts extend those disciplines to commitments around cyber security. If a back-up diesel generator for a critical part of plant operation is monitored remotely, it takes little effort to use the remote maintenance access port from the supplier into the diesel generator in the CNI organisation, alter the phase controller of the generator and let the receiving grid do the rest and destroy it.

But how many organisations, when ending a service contract with a provider, require the

resilience // issue 06 // April 2015

critical infrastructure is more exposed than ever to cyber attacks owing to increased internet usage, the borderless nature of technology, tacit support of nation states and the simple risk-and-reward imbalance for cyber crime.

By Peter Armstrong, ExEcutivE DirEctor anD HEaD of cyBEr for Willis's finEx GloBal

facing bordErlEss cybEr thrEats

Cyber attacks are sometimes an extension of the execution of government policy, backed by government resources, sophistication and persistence.”

0706

resilience // issue 06 // April 2015

service provider to ensure that any remote control connections to equipment are severed? Not enough – I have seen too many instances of connections still being open to long-since departed suppliers.

In the case of Energetic Bear, the supply chain vulnerability that was exploited was through the supply of firmware and software updates to industrial control software. It should be noted that industrial control systems are not just Supervisory Control and Data Acquisition (SCADA) systems. SCADA is merely the aggregation and control layer of operational networks. Below these layers are static data pools, field equipment, pumps, valves, temperature sensors, pressure sensors and so on. So in an operational control network most of the connected devices in the network are programmable logic controllers (PLCs) and field devices (rather than PCs and mouse/pointing devices), which a SCADA system links, aggregates and controls.

rotting the systemEnergetic Bear was spread mostly through the firmware and software updates to SCADA and intermediate PLCs. In effect, the controlling logic at a fundamental level was infected before it arrived in the CNI organisation. This makes sense from a cyber attacker’s perspective because all plants are controlled by a relatively small number of similar systems provided by global vendors, who are usually so large that the relative purchasing power of the buyer and supplier is skewed in the vendor’s favour. This can make it difficult for a CNI organisation to demand the levels of rigour in surety that they need.

Remote tampering with 'data pools' can be extremely dangerous. Every time a pump runs, it sends little pieces of data to a data pool from which the SCADA system can determine if the pump is running in normal condition. It does

this by sensors on the pump, and in the pipe to which it is pumping, that can record many parameters, such as the pressure levels. The SCADA system tells the sensor how often to send the reading, which could be every 10 seconds, every 30 seconds or every several minutes. There may be a sensor that says, for example, discharge

pressure is 2000 pounds per square inch. Every time the data point is sent it goes

to a static data pool. The integrity of the data is

absolutely vital because it is the repository of what is normal. For

instance, if the pump discharge pressure falls to 1800 pounds per

square inch, an alarm might need to sound, but only if we can guarantee the

integrity of the static data. Energetic Bear can alter this data, raising an alarm when it is not needed or suppressing an alarm when it is. This could lead to a relief valve shutting when it needs to stay open, resulting in an over-pressurised pump blowing the pipe.

This is a real vulnerability that consumer and market innovations – such as smart meters and smart cars – will all have to manage in the future, because these incremental services now require the convergence of business systems and industrial control systems, which have previously been kept separate.

hearing the trojan roar

We are accustomed to the use of digital assets, particularly big data analytics, to produce differentiation and greater levels of efficiency and effectiveness. But this approach is also employed by cyber criminals. Consider, for example, the big data analytics command and control page for Citadel, one of the most sophisticated banking viruses.

It is a Zeus-like Trojan that allows a Botmaster (cyber criminality co-ordinator) to analyse the most effective of their deployed malware. Such deployment will include unwitting use of many thousands of infected mobile devices (particularly Android devices) as the agents to conduct denial of service attacks, which is the means to create background white noise to deafen banking network defences. The devices may have been infected by the Botmaster buying elements of stolen user credential databases, or by using Citadel Mobile Extension to capture credentials at a public mobile hotspot. The same Botmaster may auction denial of service time for other cyber criminals to monetise their own attacks.

peter armstongpeter.armstrong@willis.com

Peter joined Willis’s FINEX Global in 2014 to lead the development

of the TMT and Cyber Practice. Peter is a representative on the UK Cyber Growth Partnership and sits on the TechUK Cyber Management Committee.

CNI is under attack. Its importance to nations dictates the sophistication of those attacks, which could affect entire nations and exist at the apogee of cyber criminality and are sometimes instigated by nation states themselves. The nation-state component of the threat to CNI is very significant because cyber becomes an extension of the execution of government policy, backed by government resources, sophistication and persistence. The

willis wire

Emerging cyber risks in 2015 ow.ly/lnw6s

blog.willis.com

enemy within

Financial institutions’ diversity of services is matched by a commensurate level of cyber defence. Retail banks are at the apogee of cyber capability, but they still face problems around the vulnerability of their customers, driven largely by lack of customer awareness and understanding of the cyber threat. This is evidenced by their unwitting contribution to denial of service attacks and provision of valid session codes for online banking transactions. Retail banks also face threats from the inside: staff with malevolent intent, and employees’ simple stupidity, remain key threat vectors. Awareness and education are at the heart of defence.

There are also significant technological threats, as demonstrated by the recently discovered so-called ‘Carbanak’ attack on financial institutions, which affected more than 100 institutions and resulted in the theft of more than $1 billion. These threats pose such a challenge because of the sophistication of the institutionalised criminality targeting the financial institutions – for every facet of sophistication in legitimate digital activities there is an equivalent in the dark web of digital activity.

The current three billion users of six billion devices is expected to grow to six billion users and twenty billion devices by 2020. At this rate of growth, 15–20% of lost value becomes unsustainable for the capital markets. We can reasonably expect a reaction from those markets to stimulate organisations to improve their cyber defence in order to reduce the scale of losses.

Aside from retail banking, asset management, merchant banks, the insurance

sector and traditional and alternative investment markets each face significant threats from nation states when they deal with significant market shaping transactions. They also face sophisticated organised criminality looking to manipulate market trades on the back of access to market sensitive commercial information. This is a particularly strong trend, where hackers effectively become insider traders and then place seemingly legitimate trades on the global electronic markets.

SoUR

CE: K

ASPE

RSKY

LAB

S

motivations may differ, with one group after commercial or military advantage, the other after more pervasive surveillance in order to secure their societal aims, but the result for companies can be existential. Every aspect of a CNI organisation’s operation is open to attack, and with every new cyber threat the stakes are raised even higher.

All of this sounds rather bleak: in truth it is not a rosy picture. However, governments and their

critical infrastructure partners are working together to look to mitigate these challenges. Some of this is a technical response but those early gains will be achieved by focusing on security culture and the education and awareness of those working in these sectors. A safety case with a man in the loop is not enough. Governance that recognises this and establishes an internal educational and awareness campaign is a critical first step.

How the Carbanak cybergang stole $1bnA targeted attack on a bank

carbanak backdoor sent as an attachment

Bank employee

1. infection 2. Harvesting intelligence Intercepting the clerks’ screens

3. Mimicking the staff How the money was stolen

cash transfer systems

rec

Hundreds of machines infectedIn search of the admin PC

Emails with exploits

Credentials stolen

online bankingMoney was transferred to

fraudsters' accounts

E-payment systemsMoney was transferred to banks in China and the US

inflating account balancesThe extra funds were pocketed

via a fraudulent transaction

controlling atMsorders to dispense cash at

a predetermined time

willis wire

Take cyber risk seriously before it’s too lateow.ly/lnbsZ

blog.willis.com

0908

resilience // issue 06 // April 2015

Future oF risk analytics

Q&A

and regulators. The main aim of what we do is to support stronger decisions by our clients. One of the ways this is done is by demonstrating how effective insurance can be as a hedge to protect corporate financial performance. This is a different way of thinking about insurance and it elevates the conversation to where it ought to be in an organisation.

The focus has been on controlling cost but, with enhancements in data and applied analytics, all types of risks are being measured and mitigation processes are being implemented.

Where should risk managers start?ellis: One of the best uses for risk analytics is to identify where the biggest risks and failure points are for an organisation, before a major event even happens. Risk analytics can be used to make senior management aware that at some point they are likely to go through a 'reversal of fortune', and then better understand the consequences of that and take adequate measures to prepare.

Willis’s research on corporate catastrophes

How is the rise of risk analytics changing the insurance industry?

Phil ellis: Insurance brokers are increasingly taking their clients data and applying advanced risk analytical methods to help them make better strategic decisions about the risks they face. The rise of analytic tools in corporate insurance is making a significant difference in the way risks are understood, measured, mitigated and transferred. Companies are used to getting a professional fact-based decision making approach from management consultants, bankers and lawyers, but they traditionally have not had the same level of decision making support from the insurance industry.

How does risk analytics benefit corporate risk managers?

ellis: In three main ways: by providing them with at least as good information about their risks as the insurance markets have; by giving them the fact base on which to make good decisions; and by providing a clear decision trail and logic that will stand up to scrutiny by management

As the 'internet of things' continues to grow, we have access to more data on anything and everything – often leading to greater

understanding. However, in this age of information overload, it is important to use the right data and apply the correct

assumptions to answer the right questions.

A conversAtion with Phil Ellis, GlobAl heAd of strAteGic risk consultinG At willis, And BEn Fidlow, GlobAl heAd of core AnAlytics At willis

We have acces

s to more and

more data,

which enhanc

es our unders

tanding of

risk and oppo

rtunity. But it

is important

to ensure you

are using the

right data

to answer the

right question

s.”

1110

resilience // issue 06 // April 2015

has shown that the largest companies undergo a severe reversal of fortune on average every eight years. Most companies believe that they are immune from such reversals but, given that the average tenure of a chief executive is around ten years, they should expect at least one reversal while they are in the job.

Which sectors would benefit most from risk analytics?

Ben Fidlow: Currently, we see the most uptake of risk analytics among energy, power and utilities, and healthcare companies. These companies are already quite advanced in their use of data. Retail companies can also benefit by gaining a better understanding of the impact of a data breach, or exploring economic metrics, for example, when looking at where to open a new store.

How do risk analytics help when buying insurance?

Fidlow: Companies can use risk analytics so they can make insurance buying decisions in the way they would any other investment – by taking a return-on-investment view. With a quantified view of risk, now the return versus risk continuum can be analysed, allowing for financial based decision making around whether to even buy

insurance, and the best way to do so, regarding limit, retention and individual layer costs.

Is there a sweet spot for the use of risk analytics?

ellis: The more data, the more confident we can be in the outcome of analytics. So one might think that the ‘sweet spot’ is high-frequency, low-severity risk. But some of our most important work is on the game-changing risks in the low-frequency and high-severity range where there is little or no data. In these instances, we can use processes we’ve developed to elicit quantification of these risks from experts within a client’s organisation. Or if a client has never suffered from a severe downturn we can look for downturn experience from related companies or industries and draw conclusions based on modelling these risks.

Can risk analytics help find new solutions for transferring risks?

Fidlow: Once risks are quantified, it is easier to attract financial markets. Risk analytics will set the stage for new investment classes, as we have already seen with the development of catastrophe bonds for property exposures. There is also a role for analytics in making intangible

risks – like reputation or contingent business interruption – more insurable because, armed with sound analyses, brokers will be able to make a better case for the placement of those types of risk to both traditional and non-traditional capital markets.

What challenges need to be overcome to increase the adoption of risk analytics?

ellis: I believe that the biggest barrier currently is the training and skills required to work with and interpret analytics. We want all of our client discussions to be analytically-based. Fidlow: One of the biggest hurdles is getting our hands on the relevant data. Often companies already hold the data, but it is usually spread across the organisation and is difficult to aggregate. The support of senior management in helping to gain access to this data is crucial but these people are busy running the company so this may not be a top priority for them. For that reason, the value of harnessing data needs to be presented in a concise and impactful way in order to gain senior management buy-in.

Getting the most from risk analytics is more about the people than the models. No model fits all risks and you need expertise to take a view on the data. Software gets you there, but it is also about the mindset.”

Q&A

willis wire

Banks’ big data: friend or foe?ow.ly/lnxDq blog.willis.com

How analytics can protect earnings

A large multinational firm asked Willis to evaluate its existing insurance programmes in a more scientific and objective way than had previously been done.

Protecting EBITDA (earnings before interest, taxes, depreciation and amortisation) from a certain severity and frequency of reversal was paramount to the company’s success. Willis modelled the performance of the company's current insurance programme against thousands of alternative programmes to see how it would perform in protecting EBITDA in the case of a severe financial loss. This modelling defined the frequencies and severities of reversals to EBITDA, and enabled the client to assess the amount of risk it was comfortable with. The organisation decided it wanted to avoid a one-in-one-hundred-year insurable hit to EBITDA, which, at that frequency, equated to about $100 million.

Willis calculated whether each layer of each of the company’s insurance programmes was adding value in pursuit of the client’s EBITDA objective. We found that several layers were not focused towards achieving this goal and should be ‘switched off’, while another layer, directors’ and officers’ excess, should be added. The projected savings for the company were $7 million per year in premium plus expected losses.

In parallel, Willis determined whether the price the company was currently paying for each line was efficient. To do so, Willis demonstrated the loss ratios that underwriters were achieving on the company’s risk, versus what underwriters were achieving on average for a given line of insurance. This analysis showed that even if the company didn’t change their programmes, by simply re-marketing them the company could save up to $3 million.

Evaluation of the company’s existing insurance programmes helped the company’s CFO to understand the effectiveness of insurance as a hedge to his key performance measures. The analysis upgraded the reputation of insurance as a serious financial hedging instrument within the C-suite, thereby demonstrating the insurance buyer’s valuable contribution to the company’s strategic direction.

Are risk analytics becoming more accessible?

Fidlow: It’s only a matter of time before risk modellers become an integral part of corporate risk management teams. This will be driven by company treasury departments and senior management who will increasingly demand it, while risk managers will need to demonstrate that risk management investments and insurance decisions have been made with analytical rigour.

Where next for the use of analytics?ellis: Within the next five to ten years I would expect to see risk managers become much more involved in strategic business decisions. As we’ve said, insurance is a hedge and, as such, can be applied to any investment decision where there is insurable risk. It’s a great new frontier for insurance. Fidlow: The big game changer will come when risk analytics are integrated with company financials and applied to strategic decision making.

ben fidlowben.fidlow@willis.com

Ben Fidlow leads Willis’s Core Analytics Practice globally, responsible for

the implementation and delivery of decision support risk analytics. He previously founded analytics capabilities at two other major insurance brokers.

pHil ellisellisp@willis.com

Phil is chief executive officer of Willis Global Solutions Consulting

Group, which helps large corporations to manage their risks through transfer, mitigation, retention, and/or avoidance.

willis wire

What is analytics?ow.ly/lnc8g blog.willis.com

1312

Companies face growing political risks, ranging from the eurozone debt crisis, possible sovereign defaults in Latin

America through to security threats in Russia and Ukraine. Placing a dollar value on these exposures can help companies

to make better investment decisions.

a conversation with Sam Wilkin, senior advisor, Political risk, at oxford analytica, and paul davidSon, chief executive officer at willis financial solutions

Political risk

hot spots

ResiLienCe // issUe 06 // APRiL 2015

Political violence in Eastern Ukraine has led to direct political risk losses

How significant an issue is political risk exposure around the world?

sam Wilkin: Political risk is of rising significance. Consider just one indicator: many multinational banks cut the number of staff employed in political risk analysis during the 1990s – a decade of relative economic stability. After taking some heavy losses in the turmoil following the global financial crisis, many banks are now restoring their political risk units and, in some cases, expanding their political risk management capabilities significantly. Partly this trend reflects new regulatory pressures, but also it reflects new risks, including the eurozone debt crisis, the security threats relating to Russia and Ukraine, and concerns about China’s growth slowdown.

Where are the hot spots?Wilkin: After an oil price collapse, expect a wave of sovereign debt defaults. That was the lesson of the 1980s, when collapsing oil prices triggered sovereign defaults in Mexico, Venezuela, Bolivia – actually, in most of Latin America. First the oil-dependent countries defaulted, then the countries dependent on easy credit defaulted. That is the shock we are bracing for, now that oil prices have collapsed again. Venezuela is the obvious concern but, if oil prices stay down for a long period, more are likely to follow.

Can you give any recent examples of majorincidents or large losses?

Wilkin: The two major ongoing sources of large political risk losses and claims are Ukraine and Venezuela. Recent quarterly earnings reports included a lot of charges taken for currency inconvertibility risk in Venezuela. For example, Ford Motor reported it was taking a pre-tax charge of $800 million for its

Venezuela business – blaming Venezuelan exchange control regulations for restricting its operations in the country from paying dividends and obligations in US dollars. Nappy and tissue maker Kimberly-Clark Corp has said it took a fourth-quarter charge of $462 million for its Venezuelan business – blaming increased uncertainty and lack of liquidity in Venezuela for its decision to alter the rate at which it measured its bolivar-denominated monetary assets.

More generally, many multinational companies with large Venezuelan operations will suffer from having to hold currency that is stuck in the country and depreciating in value.

Ford has announced that it will make an accounting change that will isolate the rest of the company from its Venezuela operations, while household products maker Clorox decided in 2014 to completely exit Venezuela.

In Ukraine, by contrast, direct political risk losses so far are mainly the result of political violence, mostly occurring in Eastern Ukraine. That said, some foreign investors with broader Ukraine exposures have also suffered losses. For instance, Russian telecoms operator VimpelCom recorded an impairment charge of roughly $2 billion relating to its Ukraine operations. Other businesses have been caught by the sanctions that have accompanied the conflict, including EU sanctions against the Russian bank Bank Rossiya, and Russian sanctions and a port embargo imposed on Lithuania. Foreign companies owed money by Ukrainian government entities also face sovereign default risks, despite the recent IMF bailout.

Any lessons learnt?Wilkin: Don’t only evaluate your political risk exposures when making trading or investment decisions

Q&A

1514

WhErE coUld invEstors losE oUt to Political tUrmoil?north Korea is currently the politically riskiest country covered by vaPor model, from Willis and oxford analytica

losses per every $100 invested over 10 years*

Which is risKiEr?in Ghana a difficult economic situation threatens to cause hard currency shortages, making cross-border transactions a challenge

north korea

financial sector in Ghana

oil and Gas in niGeria

tourism & leisure in

mexico

retail in india

transPort in hunGary

ukrainerussiavenezuelaukusa

$40

$25$19$9$7$3

$34$30$20$1$1

ResiLienCe // issUe 06 // APRiL 2015

*Based on a simplified VAPOR model calculation (in practice, VAPOR loss estimates would vary based on which perils the investment is exposed to and the industry of the investment)*

sour

ce: w

illi

s, o

xfor

d an

alyt

ica

Q&A

–update this evaluation periodically. World events, such as the Greek sovereign default, violence in Ukraine, and now the collapse in oil prices, have caused significant shifts in geopolitical risk levels, and companies need to understand how they might be impacted.

The conflict and risks in Ukraine reflect the challenges posed by ‘people power’ movements, like the wave of colour revolutions in Eastern Europe (including Ukraine's own orange revolution) and the Arab Spring. These are generally positive, signalling people's growing ability to stand up to repression and bad government. But the outcomes of democratic uprisings can be unpredictable, as shown by the challenges Egypt is now facing. And in Ukraine the toppling of the pro-Russian government was an expression of people power, but in the near term it has brought Ukraine into conflict with Russia and has resulted in serious risks to investors.

What challenges do companies face when trying to quantify their political risks?

Paul Davidson: In any one country there isn’t a uniform risk across different perils, so assessing them is difficult. Most country political risk indicators are generic, but a company’s political risks will obviously be particular to their own

willis wire

Putting a price on political riskow.ly/lnwMl

blog.willis.com

World events, such as the Greek sovereign default, violence in Ukraine, and now the collapse in oil prices, have caused significant shifts in geopolitical risk levels, and companies need to understand how they might be impacted.”

PaUl davidsondavidsonp@willis.com

Paul is chairman and ceo of financial lines, financial

solutions division and is also responsible for the development and publication of the willis Political risk index.

sam WilKinswilkin@oxford-analytica.com

sam is senior advisor, Political risk, at oxford analytica. He

is a frequent speaker on current affairs, the economic outlook, emerging markets, and geopolitical risk.

1716

profile, the country they are operating in and the type of project or enterprise concerned.

For example, an oil and gas company will have very different risks to a utilities or power company operating in the same country. Extracting energy companies are sometimes seen as taking natural resources out of a country, and therefore exploiting that country’s wealth, particularly if their work has a tangible physical and/or environmental impact on the landscape. Their work is very strategic and impacts a country’s entire fabric. Their exposure to political risks therefore tends to be very high. However, a manufacturing company producing a benign, non-strategic product could be at the other end of the political risk spectrum in the same country.

At Willis we endeavour to differentiate the different political risks across multiple industries, many of which have very different risk profiles. Some risks are also more long-tail than others, so whether a company’s activity in a country is short, medium or long term will have a material impact on their political risk profile.

What solutions can help companies manage their political risks?

Davidson: Four years ago we started to develop a new methodology for quantifying exposure to political risk in collaboration with Oxford Analytica, which we call VAPOR. Apart from putting some monetary value against these risks, this model provides a much more granular level of risk analysis.

VAPOR can potentially produce a dollar value for political risks across all perils and

ResiLienCe // issUe 06 // mARCh 2015

reinsurance sector. These models helped the reinsurance sector to regain profitability. During the 1980s and early 1990s, many reinsurers mispriced coverage of natural catastrophe risks, and in some cases lost a lot of money. Then catastrophe risk models were developed that helped these reinsurance companies to price risk more accurately and thus shore up their profits. The lesson of this experience is that it is possible to do business profitably in a volatile world, provided one can price risks accurately. The new VAPOR online system offers companies one way to do this for political risk.Davidson: In the VAPOR model, we assign

ResiLienCe // issUe 06 // APRiL 2015

Q&A

industries. This will allow a company to produce its own ‘country-risk weighted discounted cash flow models’, which will help them to better evaluate their potential return on capital when entering or operating in a new country. This enables a company to compare its political risks, and the overall likely investment opportunities, across different countries, thereby improving its global investment strategies.

What are the key considerations for large multinational businesses?

Wilkin: When we were developing the VAPOR tool with Willis, the Willis Analytics team drew on catastrophe risk models used in the

It is possible to do business profitably in a volatile world, provided one can price risks accurately.”

willis wire

Political risk hot spots around the worldow.ly/lnzdz

blog.willis.com

FocUs on BraZil

an investor in Brazil might expect to lose, over ten years:

losses per every $100 invested*

in Powerin mininG

in aGriculturein retail

$16$11$8$5

FocUs on UKrainE

an investor in ukraine might expect to lose, over ten years:

exProPriation, exchanGe transfer and embarGo risks

losses per every $100 invested*

sovereiGn default

war

$22$20$14confidence levels to the predicted outcomes. If you’re modelling a risk on a one-year basis, those parameters will be narrow, but they will increase if you model over ten years. For that reason, insurance capacity will diminish the further into the future a buyer wishes to secure coverage, so there could be a significant amount of capacity on a one-year basis, but much less on a ten-year basis.

Though VAPOR monitors these risks on an ongoing basis, the model is not a crystal ball. No company can make judgements just on the basis of a model, but the acid test is whether the output of the model is helpful in reaching a better informed judgement.

sour

ce: w

illi

s, o

xfor

d an

alyt

ica

*Based on a simplified VaPor model calculation (in practice, VaPor loss estimates would vary based on which perils the investment is exposed to and the industry of the investment)

$34Political

risk

1918

Digitalisation and technological advancesTechnological advancement is changing financial institutions and the ways people interact. It has created opportunities for new challengers to disrupt traditional business models and penetrate new markets. The ubiquity of technology across the globe, such as the World Wide Web, mobile phones and Apps, has created FinTech companies who offer lower cost services for traditional services, such as e-payments and online trading. Technology is changing the way that customers interact with financial institutions. Although investment in IT infrastructure has increased massively over the last few years, many traditional banks remain behind the curve. Social media companies such as Facebook, Twitter and Google have a huge user base and are moving into the financial sector, bringing new sources of capital and investment.

Technology is also creating new opportunities that circumvent the traditional financial sector. For example, cryptocurrencies remain small but have significant implications for the future of financial services.

Changes in investment and capital sources and returnsRegulatory capital requirements are causing a drag on returns and taking significant management time. Banks are complying with stress tests, responding to regulatory investigations or managing increasingly punitive regulatory fines. Some non-bank financial institutions are more profitable than banks and are as large and significant in terms of global stability. Entrants with lighter regulatory burdens are moving into areas (insurance, lending, ownership of hard assets) traditionally undertaken by banks, in a search for yield, and are creating or exploiting opportunities. Non-bank financial institutions are investing in new challengers to banks. New FinTech firms, providing financial solutions, are investing heavily and online only banking ventures, or other platforms, are attracting investment and gaining traction.

The financial institutions industry is being redefined by six mega trends, which will change the sector almost beyond recognition, according to exclusive Willis research.

By Jagdev Kenth, Director of risk anD regulatory strategy at Willis

resilience // issue 06 // April 2015

Since the financial crisis, regulatory pressures have increased the cost of capital, prompted banks to divest themselves of 'risky' or capital intensive businesses or departments, shaped bank attitude towards risk and redrawn the boundary between retail and wholesale banking. Banks have withdrawn from lending to certain constituents, such as SMEs and infrastructure, whilst investing and recruiting heavily in compliance to meet new regulatory requirements. Amidst this regulatory pressure, non-banking financial institutions, especially FinTech firms that are not subject to the same financial pressures, are offering competing services to bank clients, establishing specific funds or investing in new challengers.

Regulatory changes and complexity

1 23

6 mega trendsFINANCIAl INSTITuTIoNS'

download

F1000 cyber disclosure by financial institutions

ow.ly/Lny1X

Demographic and behavioural changesThere is a new generation of young people (millennials) with different expectations and ways of interacting with financial institutions: through online and social media based platforms. They are using social media to connect, communicate or complain and do not have traditional customer loyalties. Mature customers and retirees are demanding improved returns from investments and moving against intermediaries due to a perception of a lack of transparency. There is government and regulatory pressure upon pension funds and asset managers to reduce management fees yet maximise returns for the 'grey market'. High net worth and ultra high net worth individuals and families are growing outside of the uK/uS/Europe, in new regions, such as latAm, the Middle East and parts of Asia. This is in concert with improved education, skills and a rising middle class in these areas creating a new 'mass affluent' class, potential client base and work force.

Global talent and skills race

Regulatory pressures, risk management and technological advances are creating a new and challenging environment which risks driving out some of today’s leaders. Financial institutions will need new leaders who can identify, understand and manage new and emerging risks. New leaders will be sought by traditional banks, NBFIs, FinTech firms and regulators. Competition will become fierce as the talent pool decreases but demand increases for those who can keep pace with the changing financial landscape. Emerging markets such as latAm and Asia will offer new consumers and a highly skilled labour force, creating new outsourcing hubs in regions outside the uK/uS and Europe. Technology will diminish the geographical divide but only new leaders will bridge the cultural differences. There will be a renewed focus on risk management but, as regulators improve their understanding of risk and compliance, there will be a skills gap as firms try to recruit new staff, up-skill existing teams and rely on specialist risk advisors.

Business operating model pressuresTraditional business operating structures are under pressure from regulators demanding transparency over fees and greater competition for consumers. There is pressure on the efficacy/profitability of the universal bank model and a return to the wholesale/retail banking division, driving down returns and potentially stifling innovation. The financial sector is becoming increasingly segmented. Regulatory pressures and the cost of capital is pushing financial institutions to focus on core consumers, creating opportunities for specialist service providers, such as infrastructure or SME focused funds or through online platforms. There is a rise of specialist retail and wholesale competitors, or successful regional banks in the uS or Multilatinas. These pressures are also driving disintermediation as intermediaries are displaced and/or specialist providers cater to specific sectors and take market share from traditional FIs. New challengers are obtaining market share through innovative uses of technology, such as P2P lending, crowdfunding and mobile payment.

4 5 6

The financial institutions industry – including banks, asset managers and financial technology companies – is currently faced with a paradigm shift caused by a number of key mega trends.

Institutions are focusing ever more on regulatory capital requirements, while digitalisation and technological advances are challenging the way traditional players interact with clients. Meanwhile, new market participants are inducing changes in investment and capital sources and returns, while demographic and behavioural changes are creating a new generation of customers with different expectations of financial institutions. Traditional

business operating models are being challenged more by increasing customer and product-offering segmentation.

The complex needs of financial institutions will demand increasingly sophisticated leadership in the future. So in early 2015 Willis undertook research into the evolution of the financial industry’s risk landscape over the next ten years – founded on a quantitative survey of 150 C-suite individuals within the financial institutions space globally and in-depth interviews with senior figures from across the sector. The full report is available on Willis.com. We present a snapshot of the key findings here.

Jagdev Kenthjagdev.kenth@willis.com

Jagdev is the director of risk and regulatory strategy

within the Financial Institutions Group at Willis. Before joining Willis, he worked in the enforcement and financial crime division of the Financial Services Authority (now Financial Conduct Authority).

2120

7.4impact difficulty

7

Regulatory changes and complexity

Risks associated with businesses taking advantage of light touch regulatory regimes

Tension between customers' trust of higher regulation and the need for business flexibility offered by lower regulation environments

Rise of competitors, such as NBFIs and FinTech firms, not subject to same regulatory requirements as traditional FIs

resilience // issue 06 // April 2015

sp

ec

ific

ris

ks

/

se

ve

rit

y o

f r

isk

po

se

dm

eg

A t

re

nd

s

Increasing costs of regulatory compliance and increasing risk of changes due to political reaction and interference

Increased transparency putting pressure on traditional sources of revenue or cost

Technological advances changing interaction to online/social media based service, real-time investment updates, etc…

New entrants and challengers, unburdened with legacy IT issues, using technology to simplify or change the service/cost paradigm

Technological ubiquity creating new risks: cyber attacks, cyber extortions and hacktivists

6.2

the biggest risks don’t stem from the most impactful and difficult-to-manage mega trends.

perception vs reality

6.1

6

6

5.9 5.9

6.1

6.1

Increasing costs associated with ongoing IT infrastructure investment and upgrades

6.3

Risks associated with operating in regimes with strong regulation or high-risk regulation/customers

6.1

Digitalisation and technological advances6.7impact difficulty

6.6

specific risks

All scores are out of 10: 10 = very significant 0 = insignificant

Business impact difficulty of managing

K E y

lthough business leaders in the financial institutions industry identify regulatory changes and complexity as the most impactful and difficult-to-manage mega trend, their biggest

risks stem from other mega trends, which they assess as less impactful and easier to manage. The risks relating to the most impactful and difficult-to-manage mega trends are relatively well-managed, whereas some other risks, relating to less impactful mega trends, pose a bigger threat and need more focus and management in future.

Willis research: Based on a quantitative survey of 150 c-suite individuals within the global financial institutions space and in-depth interviews with respect to:1) the mega trends impacting the financial sector2) the risks caused by the mega trends, and3) the impact of the mega trends and associated risks on financial institutions and the wider financial sector.

A full report is available on Willis.com but here we present a snapshot of the high-level findings.

FINaNcIal INsTITuTIoNs'

A

changes in investment and capital sources and returns Demographic and behavioural changes

Global talent and skills race

Regulatory pressure on senior managers prompting people to leave industry, or move to more lightly-regulated firms

Increasing complexity of risk assessment and regulatory pressures is moving risk management away from specialist risk managers to board level and c-suite

Need to develop and up-skill risk managers to deal with complexity and importance of new and emerging risk issues

Recruiting and retaining new joiners, staff and global leaders against competing industries

Loss of clients and potential markets as management focus shifts towards restructuring and away from clients

New intermediaries creating risks in the value chain and/or shifting sources of revenue

loss of intermediaries causing loss of specialist skills and knowledge and driving down profits

The rise of specialist competitors and providers: new entrants, regional and wholesale specialists

6.46.2

New customer base in emerging markets not served by traditional models

Mature customers moving against intermediaries due to a perception of a lack of transparency and/or high cost

New generation of customers with different requirements for service and transactions

Rise of major latam and asian 'mass affluent' consumers requiring a new approach to markets

Grey market becoming larger and more demanding of high-touch services

Macroeconomic factors: QE impact and inflation/deflation

Drag on returns caused by regulatory capital requirements

search for yield encouraging riskier products or behaviours

6.1

6.8

Potential talent gap as skills needed to remain competitive change and evolve with increasing speed

Pressure placed on traditional FI models by technological advances which is prompting rise of FinTech companies and new challengers taking market share

Disproportionate returns on capital as between traditional FIs and new entrants with lighter regulatory burdens

5.8

5.9

6

5.6

5.6

5.6

5.9

5.5

5.9

6.1

6.1

5.7

5.8

5.8

6.2

Business operating model pressures (e.g. segmentation and disintermediation)

6impact 5.8

impact

5.8impact

5.7impact

difficulty

5.8difficulty

5.5difficulty

5.5

difficulty

5.4

23232322

resilience // issue 06 // APril 2015

The 30 years leading up to late 2008 is an anomaly in the banking industry’s history.”

Do you think our six mega trends for financial services are accurate? Was anything missed?

Izzy: One thing that wasn’t noted is the accelerating shift in preparations for retirement. Individuals are living longer across the globe. In the last 40 years, life expectancy in the US has gone up by 8 years. The implications of longer lives go well beyond just retirement strategies but the impact on companies is very evident. In the US and the eurozone, company-sponsored pension programmes are a dying breed, so there is a massive shift from defined benefit programmes to defined contribution programmes. Most individuals are now required not only to save for their own retirement, in order to supplement any government income, but to also make those investment decisions themselves. So the public are increasingly becoming investors and therefore have to:• be more educated on investment choices and

life expectancy• have a better understanding of the long-term

risk and rewards of their decisions• understand how much they can protect

themselves from making the wrong decision.

As emerging market companies compete more with traditional Westernfinancial services, could some Westerneconomies employ protectionism?

Izzy: Protectionism will only end up hurting countries that employ such a strategy. The

Western countries that will do well will need to open their borders to ensure that they drive monetary and fiscal discipline, along with greater transparency for investors and trading partners. For example, countries like Mexico and Canada have benefited from the US opening up its border to the NAFTA agreement and, in return, continue to make tremendous economic progress.

How do you see regulation shaping the financial services industry?

Izzy: First, a key requirement for all successful financial systems is trust and transparency. Capital and risk standards increase the level of trust and transparency in the financial system.

The challenge comes when there are different standards for different companies or countries, which may create an unfair playing field. Capital will find its way to where it can earn the highest risk related return. If one set of regulators requires different capital requirements for the same activity, this could inadvertently create a greater concentration of risk.

Second, I believe the largest banks in the US and the eurozone banking sector will revert back to traditional banking activities similar to those that existed for many generations until the mid 1980s. If you look at the history of the banking industry, the 30 years leading up to late 2008 is an anomaly in the industry’s history.

After the oil crisis from the mid-1970s to late 70s and the subsequent battle against inflation, Thatcherism in the UK, and the fall of the Berlin

large, globally regulated banks face growing competition from non-traditional financial institutions, fast-paced technological innovations,

changing consumer habits and regulatory requirements. returning to traditional practices and leveraging technology

should be a key part of their strategy to outperform.

By IsmaIl (Izzy) DawooD, CFO, Investment servICes, at Bny mellOn

BankIng In the 21st century

Q&A

phot

ogra

phy

pasc

al p

eric

h

2524

resilience // issue 06 // APril 2015

Wall , we ushered in an era of tremendous global economic growth. Concurrently, technology innovations and regulatory change led to easier access for individuals to stock markets and other financial products. Whereas previously access to stocks was limited to a small societal strata, it now became commonly available to anybody with a phone. These broker activities grew a lot faster than required capital to support the businesses, leading ‘traditional’ banks to buy these organisations and/or create these products in order to grow their returns. The growth was compounded by easier access to credit, with financial innovations in securitisation, Risk Adjusted Return on Capital (RAROC) modelling, a steady decline in long-term interest rates and a growth in housing stock. But the whole process, leading right up to the financial crisis in 2008, was a period of excess returns that eventually would have to return to its long-term potential.

The industry will likely revert to something that has shallower cycles and performance that is more recognisable by our parents and grandparents. And to some degree regular citizens may lose access to certain products and innovations via banks. Overall the 're-risking' is being transferred to other parts of the economy that are not as transparent or regulated, such as the growing peer-to-peer lending space or direct capital raising offered by investor networks. I believe capital will continue to flow – it will just happen outside the traditional banking network.

How do you feel about the rise of alternative finance providers who are operating in this regulatory lacuna?

Izzy: Traditionally, financial institutions were banks. You went to a ‘bank’ for everything, whether you were a large firm, small firm or an individual. Now financial services is a broad spectrum of activities performed in myriad organisations. Consider firms like M-Pesa in Kenya – it is not really a financial institution – it is a telecommunications firm, yet it provides financial services.

‘Banks’ will probably have to return to their

traditional functions and values. Our parents put money in a bank because they knew it would be safe. In future banks are going to start emphasising and focusing on their safety and soundness, and this will be their differentiator. There will always be cycles in other financial institutions, so banks can say, ‘If you keep your money with us, you can sleep peacefully at night if you are willing to sacrifice some return.’ That’s where the larger banking institutions over time will have a phenomenal advantage, due to their strength and stability.

So you think banks should become more conservative?

Izzy: As mentioned earlier, the younger generation will have to directly invest for their future/retirement, so it’s going to be interesting

to see how they perceive the soundness and safety of the advice they are getting. Do they want it from a non-bank financial institution or from a traditional bank? Will it take one significant bear market to jolt their behaviour? Individuals tend to forget about bad events much faster than good events. The equity market returns over the last few years are creating higher expectations of future returns.

It’s going to be an interesting battle that will come down to a basic issue of trust. If I trust an advisor I am more likely to work with them as opposed to going for a larger return with more risk etc. because this is what I need for my retirement. So I believe that trust, brand reputation and brand loyalty will increasingly become more important and will offset, to some degree, the greater returns that might be offered elsewhere.

Q&A

Trust and reputation will become even more important for banks

What impact will new technologies have upon traditional financial institutions?

Izzy: New technologies are already changing how traditional financial institutions conduct their business. The greatest impact has been on the consumer as they are readily transferring monies and getting incentives to drive certain behaviours…at their fingertips. This is a global phenomenon that is growing exponentially.

How do you feel about cryptocurrencies?

Izzy: I think cryptocurrencies cannot exist in an environment where trust and loyalty will become more important. It’s very difficult for me personally to reconcile these two concepts. People will make decisions based on what a company stands for, which, I think, will make it difficult for cryptocurrencies to gain long-term traction. However, this is not to be confused with the technology that underlies a cryptocurrency. The ability to have decentralised authentication (block chain) is very, very powerful and will change the way financial institutions will do business in the future.

where and how they conduct their work – these factors are a bigger determinant of their loyalty to a company – while climbing the corporate ladder is less of a focus. This will change the way managers and leaders operate within the traditional corporate framework.

How should financial servicescompanies respond to these changes?

Izzy: As a global firm we have to get better connected and figure out different ways of communicating and collaborating with younger generations. People are sharing a lot more information and ideas online, and are very comfortable open-sourcing questions. Facebook’s a great example – it’s an open source for questions and wider conversation. The current generation is much more comfortable with these forums, which is an opportunity for companies like BNY Mellon. The flipside is that financial services firms probably face increased risks of cyber security. For example, ‘bring your own device’ schemes can provide employees with far greater work–home connectivity, but they can potentially increase the exposure of a company’s data and other IP to external cyber criminals.

What do you think the talent of 2025 will be like?

Izzy: They will probably be a lot more connected. Not in terms of traditional PowerPoint presentations and Word documents, or phone calls and conference calls, but in terms of their ability to ‘connect the dots’ between different terminologies and succeed in using multiple sources of information and social technology. Individuals will also be able to figure out how to explain things in shorter sound-bites, using platforms such as Twitter, Instagram and Snapchat.

Though business and economics degrees and MBAs will continue to be important for career development, I think the classics could acquire more importance because they have withstood the test of time, and maybe we can finally burn those jeans we wore in the 80s!

But, by growing up in the internetage, aren’t younger generations morecomfortable with not necessarilyknowing who they are speaking to?

Izzy: This is true, but being comfortable with not knowing the identity of someone online, per se, is very different from how they will think about their own personal finances. Financial decision making is taken very seriously by younger generations because of the financial challenges that they have lived through and the impact on their families – such as job shortages, redundancies and losses on property. It is evidenced by the number of individuals who are living with their parents for a longer time and the decreasing percentage of home ownership in the US. They will have a very different perspective on financial risk, relative to the baby boomers and GenXers.

What are the implications of generational behavioral changes for thefinancial services?

Izzy: Behavioral changes among millennials is a big issue for the financial services. Younger generations are no longer working for a single company for 20–30–plus years. They also appear to be a lot more altruistic, and are more interested in creating a healthy work–life–community balance for themselves and their families. The ability to work remotely and their financial priorities are a part of that approach, so the rise of socially responsible investing is attracting a lot of attention.

With some socially responsible investments, the monetary return may not be as good, but people are increasingly making investment decisions based on social impact as well as pure capitalistic returns (which was sometimes the only consideration in previous decades). The younger generations want to feel good about where they are making their investments and are willing to pay a premium for it.

They also want to ensure that the work they’re doing has a purpose, or at least is tied to a purpose. They want to have flexibility regarding

willis wire

Chief data officers – do you need one?ow.ly/Loda1

blog.willis.com

izzy's resume

izzy Dawood is an executive vice-president and the cFo for investment services for BNy Mellon. he is responsible for providing financial and strategic leadership for BNy Mellon’s largest business, with over $10 billion in revenue. in prior roles at BNy Mellon, izzy has led various functions including as director of investor relations, and corporate Development and Financial planning and analysis.

Before joining BNy Mellon in 2006 he held a variety of senior finance and treasury roles at Wachovia corporation. in his career, izzy has been involved in closing over three dozen meaningful transactions.

he holds an MBa from the Wharton school of Business and a bachelor’s degree in Finance from st John’s University, along with a cFa, or chartered Financial analyst, designation.

willis wire

Banks get ready! ow.ly/LocEj

blog.willis.com

2726

resilience // issue 06 // APril 2015

as it happened

On the morning of 29 August 2005 Hurricane Katrina struck the Gulf Coast bringing with it sustained wind speeds of 100–140 miles per hour. It eventually engulfed a 400-mile-stretch of the coastline causing almost 2,000 deaths and more than $100 billion worth of damage. High winds

destroyed beachfront towns across Mississippi and Louisiana, leading to the evacuation of several hundred thousand people.

After the levees in the low-lying areas of the city of New Orleans were breached, more than 80% of the city was flooded by the subsequent storm surge waves, which reached over 20 feet. The levees were designed for Category 3 type storms, but Hurricane Katrina peaked at a Category 5 out in the Gulf of Mexico, with winds of up to 175 miles per hour.

Many residents in New Orleans were trapped, with some stranded on rooftops without power, food and water for days. Some claim that the federal government was slow to execute rescue efforts. This led to chaos, mayhem and looting, even for the several thousand who sought refuge in the city’s Superdome (the city's nominated emergency shelter at the time) and the Convention Center.

A year after these horrific events first unfolded

hurricane Katrina10 years on...

Hurricane Katrina caused the deaths of thousands of people, wreaked havoc on an entire region and left a scar on the American psyche. catastrophes of a similar scale could happen at any time,

so what can policymakers, local communities, private sector organisations and the insurance industry do about it?

By Marc LehMann, Strategic riSk conSulting, williS

willis wire

Chasing tornado dataow.ly/LnxPy

blog.willis.com

H urricane Katrina was the largest and third strongest hurricane to ever make landfall in the US. It has often been referred to as the most anticipated disaster in modern American history. Prior to the event the Federal Emergency Management Agency (FEMA) categorised New Orleans and San Francisco as the two cities in the US most exposed to extreme natural disaster. On the eve of Katrina's landfall, the National Weather Service warned that the hurricane would cause “human suffering incredible by modern standards”. During the preceding century, hurricanes flooded New Orleans on five other occasions – in 1915, 1940, 1947, 1965 and 1969.

Back in the early 1990s, following Hurricane Andrew and the Northridge earthquake, catastrophe models were developed to help the insurance industry better assess the likely losses that they could face for insured asset portfolios that were exposed to natural hazards. Today, these probabilistic models are used widely across the insurance markets and can simulate a range of possible hazards – such as earthquakes, storms and floods – to provide estimated property damage and business interruption losses for a range of probabilities (or return periods).

In 2005 following Hurricane Katrina, however, there were indications that some of the models being used at the time did not perform as anticipated and actually estimated the losses incorrectly – largely due to the unexpected flooding and storm surge impacts following the failure of the levees. The effects of the storm were also exacerbated by gradual loss of the protective wetlands, local bathymetry (i.e. the shape and depth of the ocean floor), inadequate evacuation procedures and a failure of critical pumping systems that support the levee system. These were real world factors that the models had not anticipated.

Since Katrina, however, there have been many improvements in the way that catastrophe models are used and applied, which allow for better loss estimations. These improvements include:• the collection of more extensive claims data

to adjust fragility functions in the gulf region • simulation of Katrina-style catastrophe

events • improved modelling of storm surge perils;

and the use of more appropriate property characteristics. Extreme historical events such as Ivan,

Katrina and Ike turned out to be hurricanes

New Orleans’ population was still only half its pre-storm size and most of the city’s hospitals were only partially operational – partly because only half of the city’s doctors were available. Power was restored but at only two-thirds of its original capacity. Many working class American