Hilary Weaver, chief risk officer at Lloyd’s, spoke with StrategicRISK about major risk management and compliance challenges facing her business in 2018

20170116 lloyds 250

As risk manager positions go, Hilary Weaver’s role is unique. That is because, on the one hand, as Lloyd’s of London’s chief risk officer (CRO), she guards against risk at the Corporation of Lloyd’s, but on the other, because of the unique market structure, she also works hand in hand with all the firms – managing agents, syndicates, brokers and underwriting syndicates – that make up the Lloyd’s market.

Weaver (pictured) is quick to note that in her role at the insurance market she also serves as chief compliance officer, which includes heavy involvement in thinking about Brexit, regulatory, governmental and geopolitical matters, although she does not oversee the internal model of the business – vital for Solvency II capital calculation, the market’s Central Fund, and its broader underwriting discipline. This responsibility sits with the chief financial officer, John Parry.

“It is quite a big brief,” she says. “A lot of CROs own the internal model. I don’t, but I do have a big part in testing it out and making sure that it’s all stress and scenario tested. I’m an Accountant by background, not an Actuary,” notes Weaver.

Weaver has been at Lloyd’s since 2002, serving much of that period as Head of Internal Audit before stepping into the CRO role in April 2016. Before that she trained as a chartered accountant in the UK and later served in several banking and technology focused roles at KPMG, working in Sydney and California.

“When KPMG asked me to be part of their bid to do internal audit for Lloyd’s, I thought they meant Lloyd’s Bank, not Lloyd’s of London,” she says. “Then I enjoyed it so much I never left. Obviously, the move to the insurance sector meant I missed the banking crisis, which was perhaps a good career choice in hindsight.”

But what risks are on her radar. Weaver notes that the Lloyd’s market is unique because there are more than 80 different syndicates operating within it all with their own risk management departments. “If I had to boil it down to just three I would say; ‘sustainability of our business model’ is paramount; the ‘solvency situation’, including protecting the central fund against a one-in-200-year event; and the third is ‘operational risk’ which encompasses cyber risk, financial crime, and all of the regulatory and operational issues you might encounter.”

Cyber threats are an obvious concern after high profile attacks in 2017. “You can’t go through a risk list without mentioning cyber, it must be one of the top three risks. It doesn’t matter if you’re in financial services or elsewhere, it’s definitely at the forefront,” says Weaver.

Weaver notes trainings and presentations from the Chief Information Security Officer (CISO) designed to encourage good practice on a day-to-day basis. “They can scare the living daylights out of you, which is what they’re supposed to do as security officers.”

For example, like many organisations, Lloyd’s includes contact details for its chairman Bruce Carnegie-Brown, CEO Dame Inga Beale, as well as its CRO, on the company website. Phishing and social engineering ploys using such information try their luck all the time. “That happens a lot and the CISO and the email filters catch it very quickly. I’ve had an email from “Inga1.Beale”, which I looked at and thought, ‘hmm’,” she laughs.

Asked about Brexit, Weaver sees it within the context of broader geopolitical currents, and particularly access to markets internationally, vital for diversification of risk transfer through insurance.

“At the moment I worry more about man-made risk than I do about natural catastrophe risk. Geo-political risk is changing so quickly, whether it’s Brexit, US affairs or Catalonia, and we’re just not sure what’s going to happen next,” she says.

So what can you do? “You keep analysing,” says Weaver. “We talk a lot with governments, as Lloyd’s represents the whole insurance and reinsurance market. Part of my job is not just to consider risks step by step and tactically, but to look at the broader horizon and say, what could happen? And if something happens, what could the impact be either on us or on the broader financial stability of the market as a whole,” she says.

Stress testing and scenario analysis forms a lot of the work, Weaver says, particularly looking at compound effects of a chain of events, or several events coinciding together. “We’ve always done it, but I think the difference now is that we do far more compounding scenarios,” she says.

Last year the results were published of a major “market turning event” exercise, for which Lloyd’s worked with insurer Hiscox, advisory firm McKinsey, as well as involving UK regulators the Prudential Regulation Authority and the Financial Conduct Authority. It tested the effects of a huge hurricane, a cyber-attack on the US power grid blacking out 90m homes, a major stock market tumble, and a major reinsurer defaulting.

“Before, you might have taken one or two scenarios in combination. Now we’re considering the effects if we had a couple of big events in year one, and again in year two another one or two events, and then more major events in year three,” explains Weaver.

“How much pain can you take in the system and what does that tell you about the nature of risk and how we price risk in insurance products but also how much capital do you hold centrally to make sure that we can withstand anything that foreseeably could happen. What do you look like in three years’ time? Are you robust and stable? Or are there some changes and some things that you can plan for more thoroughly now?”

She notes that a lot of firms run in-house disaster recovery exercises, and that for cyber-attacks – rapidly becoming an inevitability – the speed and quality of the response is perhaps most important to ensure reputation and continuity afterwards. However, the nature of the Lloyd’s market – with its many brokers, managing agents and syndicates – makes such an exercise much more complex.

“Because of the subscription market level at which Lloyd’s operates, it becomes many more different actors and counterparties taking part. It’s big, not only in the market, but because of all the chains that fan out from that, to make sure that policyholders get valid claims paid,” says Weaver.

And how did the market do? “I think everybody felt they acquitted themselves well, which means the modelling across the market. We have our own central modelling at Lloyd’s and then every single Managing Agent has their own internal model. I think the fact that there weren’t any horrible lurking surprises meant the modelling is robust,” says Weaver.

Some lessons were drawn, to take forward for the next exercise. “On the capital side, the Central Fund performed well, as it did with recent real-world US windstorms, but there are always questions like what type of capital you bring in, whether tier one or tier two, and those kinds of finer points,” she says.

“And in more general terms, there were issues to make sure everyone has the right information at their fingertips on days one, two, and three. It’s been a long time since we had a huge event in the market, such as 9/11. I think everybody revisited their plans and, with the benefit of hindsight, there were areas where we might have been more efficient in how we responded and in our decision-making processes. But no show-stoppers, I’m glad to say,” Weaver adds.

For those “unknown unknown” risks, which lie beyond the scope of considered scenarios, Weaver suggests the fast-moving possibilities of disruptive technology. “Somebody, somewhere might come up with some wonderful business model that we haven’t even thought about yet, that affects sustainability of ours,” she says.

However, she tempers such fears with the exuberance she experienced working in Silicon Valley around the time of the Dot-com bubble. “My goodness, they were willing to go for it, and I think that quick-to-fail type mentality has come back again with the marvellous amount of insurtech investment – for every hundred start-ups, perhaps one truly succeeds,” says Weaver.

“But if that one is the future Google of insurance then actually those are the ones that you have to take note. It’s good that we do spend some time worrying about emerging risks, and it’s far better to try to disrupt ourselves with modernisation than to wait to be disrupted,” she adds.