Navigating new and emerging risk – an interview with Gard’s Chief Risk Officer

Torunn joined Gard in October 2016 and currently serves as Gard’s Chief Risk Officer and is a member of the Gard group leadership team. She came to us from the finance sector where she acted as a risk analyst for several banks and financial institutions and most recently as the leader for Enterprise Risk Management/Security in SPK, the Norwegian Public Service Pension Fund. As one facet of her job she and her team map risks that are known and on the horizon, facing Gard as a multiline marine insurer. She is a busy woman in these days of pandemic, and we are grateful for her time in sharing her insights about emerging risks.   

Torunn, you are responsible for three main functions, Actuary and Risk Capital, Compliance and Quality Management and Risk Management. What we would like to hear more about is Risk Management. How would you describe what you and your team do?

Gard’s role as an insurer is to help our Members and clients manage risk and its consequences and we all manage risk in our day-to-day work. My Risk Management function, however, is an assigned role in ensuring that all financial and non-financial risks are identified, assessed, managed, monitored and reported. Financial risks arise through uncertainty of claims, changes to the financial markets or default by our counterparties. We use Gard’s own risk and capital model to compute the capital requirements for the group and all insurance entities. We now have approval from Finanstilsynet (the Financial and Supervisory Authority of Norway) to use our internal model for calculating regulatory capital for insurance risk and market risk. This was a major recognition of the internal model team and a great achievement for Gard.   

Gard is a global company and is exposed to different regulations all over the world. Needless to say, knowing and complying with all regulations is essential for operating. Our compliance team puts a lot of effort in ensuring that we manage compliance risk through regular risk assessments, in-house training and communication with Gard employees and Board members.

My team also has a particular responsibility for information security and is central in establishing an information security management system in Gard. In addition, we take responsibility for identifying new, emerging risks that may hit Gard, and communicating this to the senior management and the Board.

Can you share some of the top emerging risks identified in 2019? 

Every year we try to identify emerging risks. For us, emerging risks could be risks that are considered immaterial at the time but can develop into major risks, where we lack history, or where there is a low probability of materializing. In 2019 our CEO defined “Geopolitical trends – Risks and opportunities” as a corporate initiative to help us approach complex issues that are affecting Gard one way or the other and to prepare ourselves for the risks or be able to grab opportunities that may arise in the medium or short term. We identified about 40 different scenarios across 4 axes (Environmental, Geopolitical, Socio-economical and Technological) and asked the Board and Gard managers to rank them. We then put together working groups from different functions and locations that were asked to recommend some further actions. Some recommendations are for immediate implementation. Other recommended actions are subject to “triggers” to account for future developments. These triggers are monitored by my team. 

We have so far been through the top three topics that had been identified last autumn. The top ranked “Cyber-attacks Towards Ships and Shipowners” project is looking into the direct and indirect effects of a spoofing attack, ransomware and attacks on the operational technology onboard ships. Next is the “Energy Transitions” project which focused on the impact on Gard as the world transitions towards more renewables. Finally, the “Clash of the Titans”, project looks at the increasing rivalry between USA and China and the consequences for sanction regimes, trade patterns and local vs. regional partnerships.

There are more projects in the pipeline. Next, we will look at international laws of shipping. Then we will look at storms and hurricanes as a consequence of climate change, followed by increased tension in the Middle East. A benefit of this way of approaching these complex issues is that we develop a methodology for longer term thinking about risk. For example – energy transition is a process that will take years, even decades. It is essential to be prepared and we need to start now to build competence to face the future. 

China reported the novel corona virus outbreak to the World Health Organization (WHO) on 31 December 2019. One month later, on 30 January, WHO declared the disease a Public Health Emergency of International Concern and on 11 February named the disease COVID-19. As the disease continued to spread exponentially and globally, on 11 March WHO declared COVID-19 a pandemic. What has your group been doing to factor in this new risk into the risk matrix?

We had a pandemic scenario amongst the 40 scenarios that we identified last year, but it did not make it to the twelve scenarios on the shortlist. We did not see it coming in the way it hit us this year!

We have been very busy over the last few months. We very early on picked up that something big was about to happen - first in Hong Kong and later in Singapore where we have offices. We understood quite quickly that this could affect Gard’s many operations, so I put together a task force on business operations in early February. The task force consists of members from claims, underwriting, loss prevention, investments, HR and communications. The group meets regularly, shares information and solves cross-functional issues as they arise. In the first meeting we drew a risk map, which we have used as our reference in the subsequent meetings. The risk map has of course changed over time as the situation developed.

Our CFO created a similar task force for finance and other task forces were created across our other business areas, such as communications and human resources. Frequent information to our employees has been particularly important over this period.

How has Gard’s management of the health risks to employees affected your work?

The COVID-19 crisis accelerated the shift to digital communication as all Gard employees transitioned to working from home. Our Technology department managed to turn around really quickly and provided home office equipment to all employees in a matter of days. The whole company was forced to work in new ways and responded impressively to new tools and ways of communicating. I feel that the frequent virtual meetings and conversations across the globe actually brought us closer together. We have had board meetings using Microsoft Teams, and last week we had our first ever virtual meeting with the Norwegian Financial Authorities from our own separate living rooms!

Now we are facing the opposite transition, as our colleagues in Arendal and Bergen and some branch offices slowly move back into their offices. It has to be done in a controlled and safe manner, in line with local government’s recommendations.

How does the COVID-19 pandemic relate to the emerging risks already identified?  For example, wouldn’t the risk of cyber attacks be increased with everyone working remotely? 

Our risk picture changed substantially over this period. An expanded remote workforce introduced heightened vulnerability to cyber crime. Security standards in a home-office environment are generally less robust than the typical office environment. We were made aware of a general uptick in cyber attacks taking advantage of the pandemic. Cyber risk was early on identified as an increased risk and we increased the attention to it on many levels. This resulted in a cyber awareness week with focus on employee awareness training.

Torunn, - we appreciate your time in sharing your insight into risk management and your interesting work with emerging risks

I think it is important to understand that risk management is not always about saying “no”. Risk management is about navigating through new and uncertain territories to make sense of an increasingly complex world. Our job is to look ahead, always keep focus on how known and emerging risks can affect us as a company as well as our members and customers. When we can anticipate risks, we can also look for solutions including new products and services. After all, for an insurer, where there is risk, there is also opportunity.