By Sucharita Banerjee Lodha, General Insurance International (GII) Business Resiliency and Operational Governance, AIG
Disclaimer: The views expressed here are those of Sucharita Banerjee Lodha and do not reflect those of the AIG.
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I am an avid advocate of ‘making regulations work for you’. I am also a firm believer that being able to foster the right risk culture can greatly enhance business performance. Having worked in the IT and Financial Services industries in the UK, US and India, I respect and value diverse perspectives and the positive impact that they can have on a resilient risk culture in an organization.
Since 2014, I have been with the AIG Enterprise Risk Management (ERM) team. In my current role as the lead for General Insurance International (GII) ERM Business Resiliency, Operational Controls and Governance function for entities outside of the US and Canada, I develop pragmatic operational/resilient risk management strategies for GII in line with local regulatory and corporate governance requirements. My previous employers include TATA Consultancy Services, Deloitte Consulting and American Express.
I am excited about the emerging cultural shift towards integration of operational risk, technology risk and business continuity management disciplines to build a truly resilient business model as it indeed unlocks significant opportunities for businesses to prioritize their focus areas and consumers to benefit from reliable services.
What, for you, are the benefits of attending a conference like Risk EMEA and what have attendees learnt from your session?
In today’s connected world, we are constantly playing catch-up with the latest innovation, regulation or disaster. We have access to a plethora of tools and information; however, we do lack the luxury of dedicated time to access these. Conferences like Risk EMEA are extremely insightful both for new joiners to our industry as well as for veterans. These sessions provide us with the unique opportunity to discover, debate and digest the new themes in risk management. It is a great opportunity to gain from the unique experiences of the practitioners and the strategists. It also enables a cross-pollination of ideas across industry sectors.
I enjoyed the panel discussion on operational resilience. While the topic has always been risk practitioners’ favourite, the recent paper from the Bank of England, PRA and FCA has spurred the industry to re-evaluate their technology, operational risk and business continuity models and this was a great opportunity to discuss how the banks, insurance sectors, financial services and consultants are approaching this upcoming regulatory requirement.
You were speaking on operational resilience at Risk EMEA 2019; what in your mind remains to be done to build operational resilience and meet regulatory standards?
I am an avid advocate of ‘making regulations work for you’. The concept of operational resilience has always been a priority in a risk professional’s mind. However, over the years, with the focus on specialization we have somehow forgotten to integrate the main components of an effective resilient program: BCM, ORM, TRM and Risk culture. The recent paper has indeed motivated the industry to revisit the business priorities and truly focus on the key resilience parameters. I think this is the start of a very fruitful journey. The fact that the paper has been published jointly by the PRA, FCA and BOE indeed helps the industry to holistically think about the business resilience model.
Focusing on ownership, an end to end process, customer impact and the establishment of a healthy risk culture are some of the fundamental pillars of this programme.
What are the key considerations that need to be made when depending on third party technology?
Great question! Third parties and third-party technology are indeed the basis of our business model today. We benefit from the scale and combined experience from these arrangements. However, businesses need to enhance the risk assessment and monitoring for these kinds of arrangements. Businesses need to have a stringent review of how the third party manages and handles data. Consideration is also required on their business resiliency practices – are they really capable of providing the required level of service? How integrated are the applications? We need to think beyond contractual agreements only and focus on actual test results.
The other important consideration is related to turn-key technology solutions which provide very limited negotiation options on performance monitoring for individual businesses. An industry standard on resiliency may be an answer to address this emerging risk.
What challenges and opportunities could be associated with cyber risk and technological changes?
Awareness results in improvement. The sheer level of focus and awareness on the challenges related to cyber and technology awareness in itself is a great opportunity to develop better tools, processes and governance. Regulation and industry self-regulation can definitely help with making significant changes for turn-key technology solutions. Also, the emerging technologies related to AI can help us design more resilient systems. At the same time, the changing environment calls for nimble and agile risk and governance frameworks as we need to constantly adapt to the new risks that the benefits of new technology bring.
How do you see the impact of operational resilience evolving over the next 6-12 months?
I think it will definitely foster better business models across the industry.