Good Times and Bad
The trauma of the financial crisis needs to be remembered even as new threats become a growing concern.
- Howard Mills
- April 2019
“You still wake up sometimes, don't you? You wake up in the dark and hear the screaming of the lambs… And you think if you save poor Catherine, you could make them stop, don't you? You think if Catherine lives, you won't wake up in the dark ever again to that awful screaming of the lambs.”—Hannibal Lecter
In the movie The Silence of the Lambs, Clarice Starling, the young FBI trainee played by Jodie Foster, discusses with serial killer Hannibal Lecter (played by Anthony Hopkins) a particularly traumatic incident from her early childhood that shaped who she had become.
Board members, like FBI agents, must protect their charges. Many have been shaped by the trauma of the financial crisis, yet things may have become even more difficult as the threats of the past are superseded by new and seemingly exponentially growing concerns.
In the latest Deloitte Global Risk Management Survey, my colleague Ed Hida notes, “Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.”
The survey finds that while some risks may be familiar, management of those risks is not yet at an effective level. For example, cybersecurity was cited as a top three risk by 67% of respondents, but only about half felt their institutions were either extremely or very effective at managing it.
While close to 90% of respondents felt their institutions were extremely or very effective in managing traditional financial risk, the number who felt the same about risk management for nontraditional financial risks was much lower. Only half felt the same about model risk management, 40% about third-party risk management, and 34% about data integrity risk management.
Board members who lived through the failure of risk management a decade ago might now be waking up in the dark and hearing the screaming of the lambs.
Fortunately, board members are stepping up their risk oversight game. Hida notes that “many institutions are following leading practices in board oversight.” The survey shows that a risk committee of the board—usually chaired and staffed by independent directors—has primary responsibility for risk oversight in a majority of companies. Capital and liquidity stress tests also are being used much more extensively for the board. This is good news, meaning the industry is moving to respond to changing regulatory governance requirements.
In February 2019, the International Association of Insurance Supervisors (IAIS) released its Application Paper on Proactive Supervision of Corporate Governance.
That paper, meant to guide supervisors and regulators worldwide, instructs them to “question an individual insurer's or the entire sector's directions or actions, in good as well as bad times, and not act only after things have gone awry. While it is important for the supervisor to be proactive in order to address governance issues, the insurer is ultimately responsible for having a sound corporate governance framework.”
The IAIS listed numerous red flags that should trigger supervisory interest, among them the inability of the board to clearly explain the strategy, risks and results to the supervisor.
That all points to a need for ongoing deep board involvement in risk oversight. The number and types of risks are unlikely to diminish in the near future, and as with Clarice's lambs when she tried to free them from the slaughter, standing still does not work. Boards that do not proactively oversee those risks may find themselves in an unpleasant spot at the regulatory buffet, served with fava beans and a nice Chianti.
Best’s Review columnist Howard Mills is global insurance regulatory leader at Deloitte LLP and a former superintendent of the New York Insurance Department. He may be reached at firstname.lastname@example.org.