Mr Nagumantry Roop Kumar is a Risk & Insurance professional, with 31 years of experience (20 years in LIC of India and 11 years in SBI Life Insurance Co) in handling Enterprise Risk Management, Business Continuity Management, Information & Cyber Security, Fraud Monitoring, Operations & Marketing. In an interview with The Insurance Times, Mr Roop Kumar talks about the Risk Management Practices in India.
What is the Current Scenario of Risk Management Practices in India?
India is one of the fastest growing economies in the world, facing significant challenges in risk, business continuity & cyber security. Indian Regulators are according high priority to Risk Management & Governance. They have mandated that all institutions are to put in place, an ERM framework to deal with various challenges which they are facing.
The insurance regulator, IRDAI, is coming up with Risk Based Capital & Risk Based Supervision Guidelines. Also in the past, IRDAI has released Corporate Governance guidelines of 2016, Information Security Guidelines 2017, Outsourcing Guidelines 2017 etc.
RBI in its latest mandate directs “NBFCs to appoint Chief Risk Officer and the CRO should be reporting to the MD&CEO/Risk Management Committee (RMC) of the Board.”
RBI Guidelines, Basel 3 guidelines to Banks, also stress upon creating a strong ERM framework. The Indian industry is in need of competent risk professionals to manage this increasing need.
Deloitte 2018 Global Risk Survey highlights that:
- Only 64% of the Organizations have an “in-house” risk management function.
- Only 61% have a full time CRO.
The Indian industry is well below the Global average in this regard.
- Risk management is an emerging discipline in India and not completely mature.
- Technical, professional qualifications and special interest groups/societies are still taking root in the country.
- Regulations are recent and evolving, and are in the process of implementation in India.
The top new risks which risk practitioners are facing in India as per the FICCI (Federation of Indian Chambers of Commerce & Industry) & Pinkerton Survey 2018 are as follows:
- Information & Cyber Security
- Natural Disasters
- Terrorism and Insurgency
- Political and Governance instability
Information & Cyber Security – data theft, phishing, ransomware attacks, privacy breach and Reputational risks.
As on March 7, 2018, 22,207 Indian websites were hacked between April 2017 and January 2018, including 114 government websites (attacks on public websites like Aadhar etc.).
A KPMG survey found that only 32% to 37% of the Insurance CEOs found their organizations prepared for ransomware and DDoS attacks respectively.
The challenge is equipping companies to deal with such attacks and also to put in place proper risk and control mechanisms.
Natural disasters/Fire/Hazards – global warming is throwing up new challenges in this regard.
For instance, in Kerala, where heavy rains created a flood situation, the damage estimated by the government is 2755 million USD.
Insurance companies have already received claim intimations worth 137 Million USD.
In 2017, Mumbai witnessed 12 major fire incidents that killed 14 people.
Emerging Risks for the future are:
Reputational risks to companies –
- Need to analyze threats/trends/action on behavior.
- Evolve proactive brand related crisis management.
- Create responses to social media incidents, initiate targeted campaigns, create Brand Advocates.
- Foster a “Risk Intelligent” culture and training of employees.
Advancement in cognitive technologies –
Artificial Intelligence and Data Analytics are helping companies to manage risks by use of smart machines to detect, predict and prevent risks.
Use of sensor enabled devices to prevent/reduce cyber security attacks, improve traceability, facilitate predictive risk modelling, automate compliance monitoring, and analyze customer behavior.
Cloud Computing and Blockchain technologies offer safety and security to transactions. Companies have to learn how to integrate these technologies into their systems and processes.
What are the Major Challenges in the Cyber Security Space Today?
With the growing incidences of cyber attacks, managing cyber space has become a nightmare for CISOs and organizations. It has become necessary to have Cyber insurance. Asia-Pacific is a very lucrative market for cyber security insurance companies. The companies in this region are prone to cyber-attacks owing to poor protection against cyber-attacks. Though the cyber security insurance market is at a nascent stage in this region, it is growing rapidly. In India, the demand for cyber security insurance rose by more than 50% in 2017 as compared to 2016. Around 250 companies, including banks, bought cyber security insurance in 2017. As of now, the cyber security insurance premium is INR 200 crore, which is expected to increase to INR 400 crore in the years to come. Moreover, there is huge demand in this market from telecom service providers as well.
In a nutshell, the rise in cyber data breaches and the increasing adoption of cloud-based services are a few factors driving the growth of the cyber security insurance market, whereas high costs and low awareness are inhibiting its growth.
What are the Important Areas that Need to be Kept in Mind While Planning for Enterprise Risk Management?
Effective management of risks is essential to achieve company’s strategic and operational objectives and goals.
The risk management framework encompasses risk management activities integrated with the business objectives of the organization and forms the base for compliance, monitoring and reporting of those activities.
The key focus areas for the ERM framework:
a) Strategic Risk Assessment & Capital Planning :-
The organization should conduct a Strategic Risk Assessment activity for identification, assessment, mitigation, monitoring and controlling of the top risks facing the company on an annual basis, and for all new activities/processes which the company wants to initiate.
b) Governance :-
The organization should have a well-documented risk management policy approved by the Board. A risk reporting process has to be in place and implemented to manage risk governance requirements. Risk management is considered to be the responsibility of every employee of the organization and the same should be driven by the board.
Further, an assessment should be carried out to identify the major risks faced by the company for the ensuing year. Detailed mitigation plans should get devised for the top risks and should be monitored closely.
c) Risk Universe :-
Any organization gets exposed to several risks like operational risk, market risk, hazard risk and strategic risk in pursuit of its business goals and objectives. The organization should put in place adequate safeguard(s) to mitigate these risks. In the capital adequacy framework, various risks should be assessed and quantified by allocating capital to each risk at the desired level of confidence.
Enterprise Risk Management should be managed through tools like Risk Registers, Risk Control Self-Assessment (RCSA), web based Incident Reporting, Business Continuity Planning, Business Impact Analysis, Information Security processes and Key Risk Indicators (KRIs). The risks should get discussed with stakeholders and mitigation strategies should get devised with appropriate monitoring and control.
d) Risk Awareness :-
Sensitization and awareness creation of risk management across the company are a must for a Risk Aware Culture.
My Risk Mantras for Risk Awareness are:
1) Propagate ERM as “Everyone is a Risk Manager”.
2) Educate stakeholders to “Be Risk Aware, Be Data Aware and Be Secure”.
3) I work to “Integrate Risk Management with Strategy & Performance”.
How Important is Business Continuity Management in Today’s Environment?
BCM involves planning for any potential disaster by identifying potential threats to an organisation and analysing their impact on its day-to-day operations.
Effective BCM ensures the business can provide a minimum acceptable service in the event of a disaster, and helps preserve corporate reputation, image and revenue.
A growing body of legislation requires businesses in essential areas to implement effective business continuity arrangements. Globally, corporate governance regulations require directors to “exercise reasonable care, skill and diligence” to mitigate risks facing the organisation.
Implementing effective BCM is the best-practice approach to effectively manage business interruptions and incidents, and to meet the directive’s requirements.
The current cyber threat landscape has made business leaders more aware of the risks of cyber-attacks, and the importance of being able to respond to and recover from such attacks.
Effective BCM, based on international best-practice standards such as ISO 22301, can protect organisations from widespread business disruption in the event of a successful cyber-attack.
An effective BCMS (business continuity management system) is centred around the BCM lifecycle, which involves identifying threats, performing a business impact analysis, designing and implementing a business continuity plan, compiling documentation, measuring and testing performance, and maintaining and improving BCM processes.
Business continuity planning involves developing, testing and maintaining business continuity plans that enable an organisation to continue operating during and after a disaster. BCPs (business continuity plans) are an essential element of a BCMS.
BCPs typically detail how to manage incidents that affect the organisation’s business-critical processes and activities, from failure of a single server all the way through to complete loss of a major facility. Best practice for business continuity planning is set out in ISO 22301.
Disaster recovery planning usually takes place within the BCMS framework. Disaster recovery plans are often relatively technical and focus on the recovery of specific operations, functions, sites, services or applications. A single BCP might contain or refer to a number of disaster recovery plans. Best practice for disaster recovery is set out in ISO 22301.
Fraud in the Indian Insurance Industry has been a Major Cause of Concern. Why is Insurance Fraud Continuing to Grow, and Why Have Insurers Not Been Able to Cap it Fully? Do you Think IRDAI Should Come Out With a Comprehensive Policy?
Insurance fraud is one of the most serious problems threatening viability of insurance companies. Insurance frauds are driving up the overall costs of insurers and premiums for policyholders.
It encompasses a wide range of illicit practices and illegal acts like:
1) Insurance Claims Fraud – Deadman Insurance etc.
2) Bogus Business – Insurance Policy being issued despite non-existence of the Insured etc.
3) Medical Impersonation – Health Misrepresentation etc.
4) Dual Employment – Person working in two organizations at a time etc.
Insurance companies have witnessed an increase in the number of fraud cases over the last couple of years. Risk management has been acquiring monumental importance in the insurance industry. Insurance business is of a dynamic nature that puts an additional onus on risk management. So insurance companies need comprehensive risk management strategies that involve fraud risk assessment and fraud prevention.
Do You Think Risk Management Education and Awareness in India Needs a Serious Thought From All Stakeholders of the Insurance Industry?
At present, there are no degree courses on risk management offered by colleges/universities in India similar to an MSc/MS in risk management.
There is a need in the country for involving colleges/universities in creating full-time/part-time risk qualifications.
Risk associations like RIMS USA, IRM UK are assessing the scope for professional development of the Risk community and trying to establish local chapters in India.
They are also trying to talk to colleges/institutions for developing risk courses and certifications like CRMP.
IIRM (Hyderabad, India) is also tied up with IRM (London) to promote their risk certifications.
There is a vast scope for professional courses in ERM, Infosec, BCM keeping in mind the economic growth and also the upcoming regulations like GDPR/Srikrishna Committee recommendations, risk based capital regulations similar to Solvency 2/Basel 3 norms.
Any Other Developments You Would Like to Share?
Yes, certainly. At the broad level, I would say that a few developments which are of strategic importance and which have made a tangible difference to SBI Life’s operations were alignment to global Risk Standards/Frameworks like ISO 31000:2018 and the COSO ERM 2017 Framework.
With the vision of moving from risk centric ERM to objective centric ERM, we benchmarked our risk and control practices with COSO ERM 2017 framework and other global best practices. The benefit of adopting COSO ERM 2017 is that it embeds risk based strategy into the DNA of the organization and it integrates risk with strategy and performance.