The chief risk officer role is crucial at any modern organisation, perhaps especially so at a multinational insurance organisation where risk on the books and in the system are constantly re-evaluated.
Here, AIG Europe’s CRO Fabrice Brossart spoke with bobsguide on assessing this year’s major events, and what the firm is doing about them.
How did you come to be CRO of AIG Europe?
I’ve been with AIG for seven years, originally joining as the Europe chief actuary before shifting into risk management. I was asked by the CEO of Europe at that time to become the chief risk officer and manage the Solvency II programme, as there was quite a bit of overlap with my actuarial remit.
We use the three lines of defence to implement good governance and risk management, the first line would be the risk takers, so the underwriters in insurance, the second line would be risk and compliance and the third line is audit. As chief actuary and CRO I was straddling the first and second lines of defence so I had to make a choice and decided to continue with risk management from 2013.
I chose to leap into risk management because it was kind of a new frontier in insurance: we were developing capital models, implementing Solvency II and starting to touch on culture and organisation resilience, and that was quite attractive to me.
At AIG, I have been lucky to spend a couple of years in the head office in the US which was interesting because capital models are newer in the US than in Europe, and this was something we wanted to develop more as a group.
I’ve been back in London for the last couple of years and I look after the international side of AIG, i.e. the risk teams outside of the US and Japan, so quite a diverse group.
What is your current nightmare scenario for 2018?
We spend time scanning the horizon and identifying potential pitfalls, so I’m not too concerned about any upcoming risks. In insurance and banking, I think the most damaging scenarios that get you are typically slow burners. Of course, you’ll get the big pops, and everyone will talk about the massive cyber-attack on the horizon, but all you can do there is ensure you’re one of the better protected firms, have good plans to deal with such incidents when they happen, and practice often.
I’m more worried about the slow burner risks, like losing talent or loss of experience within the insurance industry because people move around a lot more. One of the key aspects of risk - learning from past scenarios - is increasingly difficult as the people that may have experienced an issue say ten years ago are not around anymore so when something similar occurs either you design a solution from scratch or you bring in consultants who may not have the full business context Now, with disruptive tech firms, corporate restructuring and the thinning of middle management, there’s less of a clearly defined career path for graduates to follow and accumulate experience.
Attracting the diverse talent needed to the insurance industry is a real challenge for us. When you look at the pyramid of ages within the industry we’ve got a lot of experienced people exiting and the dilemma is how we replace them with a younger workforce with a dynamic skill set that is more suited to the current changing demands of business with less emphasis on specialising in a specific function. Brian Duperreault (AIG CEO) has been very vocal on this point because that’s a real issue for the industry. Personally, I am involved in initiatives such as Mission Include to attract and develop diverse talent within financial services.
The other one is culture. The industry has seen some bad practices in the past, which have demonstrated the importance of reputation and fostering a well-principled culture. It’s interesting to see what other jurisdictions are doing, and I think the Australians are leading the way. The Australian Prudential Regulation Authority (APRA) put together a new standard on risk culture for insurers and bankers. In the Netherlands, psychologists are present in board meetings to assess and review decision making and individual dynamics.
That’s where I see significant potential for risk. If there is a bad, misaligned culture even in a small part of a firm then bad things can happen. That’s why we work with the management team to define risk adjusted job objectives and ensure that behaviours are taken into account when reviewing performance.. Our business as an insurance company is to take on risk and we are helping management ensure we do this in a healthy way.
Long term, the slow burners such as loss of talent and ‘bad’ culture are far more worrying to me than big pops like cyber-attacks, where we can run scenarios and rehearse responses.
How does GDPR affect the insurance industry?
I think society has certainly been demanding tighter regulation for data for some time. I’m very supportive of the principles of GDPR, particularly that people need to understand their data and how and where it is collected and being used. At the same time, for many companies, the challenge is not so much collecting the data, but not being overwhelmed by it.
Overall, I think implementing GDPR will be a challenge for many financial services companies, partly because processes and activities have become more complex and, particularly in insurance, a lot of those activities rely on third parties - handling claims, selling products, servicing customers etc. GDPR has certainly made us much more aware of the end-to-end processes and how we can give assurance to the customers first, and the regulators second, that their data is being managed correctly.
Another interesting question for us as insurers is that we have data collected a long time ago. An insurer can have employment records which stretch back 10, 20 or 30 years which it uses to process employers’ liability claims, and, under GDPR it’s not clear if explicit consent was given back then. Sometimes the regulation and what is good for the customer aren’t historically aligned. It makes implementing GDPR that little bit more interesting.
How is AIG augmenting data?
We’ve done a lot around putting data in data lakes and warehouses that are much more accessible. Solvency II has really forced us to up our game on data, to identify where we’ve got gaps on some of that data and to ensure these are filled. For example, some of our insured historically may have only provided the address of their head office whereas we offer property cover for all their locations across the UK so we’ve spent a lot of time using external sources of data and working with the insured to better understand and fill in those gaps.
We’re also partnering with other firms in the technology space and using our own science and actuarial teams to figure out how to sift through that data and recognise patterns quickly and efficiently.
What sort of technologies would you be using to sort that data? AI?
I think the term AI covers such a lot of ground, it should be better known as artificially inflated! I think it’s fairer to say that when we talk about AI we’re talking about specific applications, such as automated pattern recognition; when you collect additional data you can quickly see whether it’s predictive or not in terms of risk.
Another aspect developing fast is machine learning (ML) and the use of robots to perform common tasks. As an example, here at AIG, we have a robot that automates the resolution of some 90% of internal IT faults, learning as it goes to improve the efficiency of the IT troubleshooting system and passing on the 10% that need human intervention. We want to leverage this type of technique to automate more processes to improve service, reduce cost and minimise the number of operational errors.
From a risk point of view, we spend a lot of time looking at system resilience, including IT resilience. Resilience means, that if something goes wrong can it patch itself, or will it just unravel?
What sort of skillset should you have to be successful in risk?
You have to be curious first and foremost. Day to day, you’ll need to be able to shift from topic to topic and problem to problem so you’ll have to pick things up quickly and learn fast. To keep interested in all those different topics requires a degree of curiosity. People often refer to risk professionals as sceptics, as you need to constantly question why things are a certain way.
Integrity is also essential within risk management, and I would say more than independence as we’re still organisationally co-dependent on the business. We try to be objective within that co-dependence, with a no surprise approach, especially when we have a difference of opinion. A key aspect of a risk manager’s personality is sticking to their guns and not being afraid to speak up.
There are many different roles within risk that require different specialities but it’s that mindset that I look out for when I’m bringing people on board. It’s also important that it’s a two way street and that we have guys and girls from other parts of the organisation doing stints in risk and vice versa; it infuses the risk management mindset into the organisation as a whole.
How is AIG adapting to this changing world where disruptive fintechs ‘steal’ talent?
We have a tech enabled subsidiary called Blackboard run by its CEO, Seraina Macia, which is responsible for using and experimenting with technology to help us better serve SMEs. Blackboard started in the US but we have ambitions to roll it out globally. I think AIG is becoming more decentralised; our leadership is focused on making sure the business is run end to end as smaller entities. In this way we can get the best of both worlds, the scale and brand of the business as a whole but the nimbleness of smaller entities to keep up with this fast paced world.