“I think you’ll get two different schools of thought,” said Rachel Riley (pictured above).
Insurance Business had asked Riley whether she thought the risk management regulations governing Australia’s financial services industry, including insurers, were up to speed compared to their international counterparts.
The Sydney-based head of strategic operations for Ansarada, a firm that describes itself as offering a “digital governance framework,” has experience with risk management regulatory rollouts in both the UK and Australia.
“In terms of risk management and where APRA’s [Australian Prudential Regulation Authority] gone on operational resilience, they’ve done really well,” said Riley. “I think in some parts they’ve extended beyond some of the other global mandates.”
As an example, she pointed to APRA’s mandates and focus on third-party relationships involving the industry’s service providers. Riley said the equivalent regulations in the UK, under authorities like the Financial Conduct Authority (FCA), are not as detailed or specific.
However, in Riley’s opinion, Australia’s regulators are lagging behind in how they apply risk management practices to business, including insurers. She suggested APRA’s regulations still centre on quite old-fashioned risk management methods.
“Firms have been doing risk management for a long time but risk management is really about resilience,” said Riley. “It’s about identifying what risks are out there that could impact your business from operating or being sustainable in terms of its future operations and then putting controls in place.”
However, she said, risk management today, “especially in Australia,” can still be “very archaic in its approach.”
“It’s that outside-in view but the world is changing at a very fast pace,” said Riley. She gave the examples of cyber and artificial intelligence (AI). Riley said local regulations relevant to cyberattack prevention have more focus on attacks to a third party.
“That’s no longer a good approach, in my opinion, to do archaic risk management in terms of looking at those silos from the outside in,” she said.
Riley said APRA’s CPS 230 regulation goes some way towards addressing this issue in terms of making firms like insurers look at their processes.
“But I think some countries, like the UK with the FCA standard, have gone a little bit further by saying this is the way to do risk management going forward,” she said.
Another point: the FCA’s equivalent to CPS 230 is already in place whereas this regulation is nearly two years away from implementation in Australia. Riley also said the Australian version is less “holistic” in its risk management ambitions.
“Then if you bring in the ESG [Environmental, social and governance] and sustainability factors then Australia’s lagging significantly compared to what our friends in the EU are doing where they are mandating the disclosures and the requirements for businesses to really take a deeper look into the impact of sustainability factors,” she said.
Riley said this “deeper look” involves Europe’s insurers and companies looking at both where their businesses impact the environment but also where the environment can impact business from “a risk and opportunity perspective.”
However, she added that some people and firms in Australia are bucking the local trend and “doing great things in sustainability reporting.”
“But the average company has just started on that track and they haven’t given it enough attention in terms of ‘where are my materials or areas and the opportunities and risks that this can bring to the business?’” said Riley.
She said CPS 230 goes a long way to “bridge the gap” and convert an existing BCP [business continuity plan] into a more proactive and “live” state.
“But they’ve stopped short and the new standard still has some aspects of a BCP,” said Riley.
Nonetheless, when IB asked if this new regulation could be a turning point for Australia’s approach to risk management, she agreed.
“I think it’s a turning point, not just for regulation but for businesses,” said Riley. “It’s also an opportunity for insurance companies and their boards to understand and say: ‘Here are my critical processes to do what I need to do and here are my risks, and we’ve tested them, and we know what our tolerance levels are.’”
She said this has to bring “more comfort and ability” to bounce back from disruptive events.