The rise of Data Governance within insurance: SMEs vs large businesses

Recent years have witnessed an exponential rise in the data needs of organisations. Coupled with these needs have been the calls for improved data management and greater regulation; however only very recently has the need for data governance been formally defined. As we head into a fully automated and digital environment, organisations are now realising their future success, possibly even their survival, depends on their capacity to adapt and take control of their data.

This rising adoption of data governance is akin to that of vehicle safety features in the mid-20th Century– data practitioners now have the turbo engine and are realising the necessity of seat belts and air bags. As a Business Data Analyst, I am at the forefront of this newly defined data space, often wading into uncharted territories whilst keeping up to date with new regulations.

I’ve been working in data governance functions in the insurance sector for about a year now, so it’s a good time for some retrospective analysis. For those of you who don’t work in insurance there are a few common themes that I noticed in my first few months: due to many acquisitions there are many challenges surrounding legacy systems, the ever-evolving risk landscape means we need to benefit from using data and the effect of climate change on the way we write reinsurance risks. There is a three letter acronym for almost everything, a shocking lack of diversity, especially at the C-suite level, and if you don’t go into a meeting throwing out at least one useless piece of business jargon then you’re not sufficiently bought into the ‘paradigm shift’.

I am fortunate to have experience consulting in both a small and large insurer. As such I’ve seen the variation in data governance practices, the recognition and awareness of data needs and the various blockers and bottlenecks that may hinder data governance implementation in different sized organisations. So, let’s get our ducks in a row and use this article as a starter for ten for understanding the insurance landscape.

Does size matter?

Truly with greater power comes greater responsibility.

Officially an SME is an organisation with less than £40m turnover and fewer than 250 employees. As a result smaller organisations tend to implement more informal data governance methods that are sufficient to meet their needs. Larger organisations, those in the regulatory and public spotlight, risk significant fines proportional to 4% of their turnover or 20 million Euros (whichever is bigger). Naturally there is greater investment, resources and accompanying regulation around which to mould to a data governance implementation. Nonetheless, data governance is still an essential for SMEs in order to be scalable in the long term especially as we are yet to see how GDPR will be implemented in the future for SMEs as well as larger companies.

While the scope and extent of a data governance strategy is still being defined, it is interesting to look at whether the frameworks adopted by larger organisations are still applicable to an SME.

Three lines of defence

The three lines of defence model is designed to identify the roles and responsibilities of different business units to embed and sustain risk management. If applied appropriately, the three lines give oversight, preventing potential financial risks and helping an organisation to be proactive in managing emerging risk.

In the first line of defence are business owners who are directly responsible for assessing and controlling risk. The second line of defence is risk oversight i.e. a compliance or enterprise risk management team who monitor the implementation of controls around these risks. Finally, the third line consists of internal and external audit that would essentially provide oversight over the first and second line of defense where their scope should remain unrestricted and provide oversight over all areas of business. This approach is a mature, tested risk management model; smaller companies may not always consider it suitable for their needs, however, as there are fewer stakeholders involved.

I’ve found that roles and responsibilities can sometimes get lost, conflated or politicised in both small and large organisations. The need for adherence to roles and responsibilities is facilitated by regulatory pressures but in a lower risk environment precise accountability and ownership can be lost. Accountability is integral in every aspect of day to day data-facing activity and data governance practitioners must push for clarity and oversight around specific roles and responsibilities.

Accountability. Accountability. Accountability.

During my training at Kubrick we explored the DCAM model (Data Management Capability Assessment Model) which addresses the capabilities needed to create an effective data strategy. These include, inter alia, the business case, organisational support, the roles and responsibilities needed and, of course, the data itself - especially its quality. DCAM provides goals and objectives, artefacts and criteria for scoring.

A couple of my colleagues and I were in charge of performing a DCAM analysis on a small insurer to understand their data capabilities and maturity. As the organisation was relatively small, there was little in the way of a mature data management structure resulting from a lack of external pressures and fewer stakeholders to answer to. However for the organisation to scale it would be essential to implement a data governance strategy as early as possible in order to create an appropriate data landscape (encompassing data architecture, data quality, risk management and risk controls) to meet any increase in size, people, turnover and number of claims.

Culture: data centric decisions and remediation

The global risk landscape is evolving rapidly and unpredictably. Given major external factors such as climate change, automation and geopolitical instability, insurers and reinsurers must work hard to understand their global exposure otherwise, how will we make appropriate decisions? Lloyd’s of London, the oldest insurance marketplace in the world, opened its Innovation Lab in 2018, with InsurTech offerings ranging from AI models on historical claims to drones to inspect areas impacted by natural disasters. These are steps in the right direction.

We need a data–savvy workforce that uses analytics proactively and predictively to make better forward-looking decisions. What I found at the small insurer was an organisation with significant buy-in for this type of data strategy, including at the level of CEO and CFO. We saw this trickle down into business processes with less operational friction when implementing our data governance strategy.

That strategy consisted of the following core elements: assigning accountability; creating policies and data governance principles; promoting cultural and organisational change; creating a data glossary, defining process maps and measuring data quality. In retrospect, the needs of the company were relatively straightforward: in its infancy there was almost a blank slate to work with in terms of a data management strategy.

With a more developed and larger insurer there is an even stronger need for a defined data strategy but more retrospective remediation work to be done. Assessing historical and current data quality and process mapping is an obvious but non-trivial exercise, one which undoubtedly should have been done a long time ago. There are more people involved but given the historical acquisitions of the organisation and accompanying legacy source system landscape, the challenge is a lot more complicated than one would have liked!

Migration to cloud computing

In the small insurer, big data was not high priority. The data needs for each line of business varied but fundamentally they never worked with enough data to consider migrating to external cloud services.

In the large insurer, given the growth of the data team within the last three years and the scale of the data challenges it faces, the business case to migrate is stronger. Major reinsurance projects on the horizon can change the way we do business. The data team consists of data scientists, engineers, strategists and governance analysts who are all equipped to change the way we do business. But with progress comes challenge. As teams grow, they must answer to questions of accountability, budget to invest in high-tech solutions and the organisation’s insistence on continuing to use Microsoft Excel as its main tool of business.

The insurance industry is notoriously risk averse (it is, after all, the name of the game). With regulatory pressures, climate change and rising sea levels, competitors’ intensified usage of data analytics and rapid and unrelenting automation, the stark reality is that the risk landscape is evolving. To meet this, we need to evolve better pricing external risk and equally better managing our own - to avoid being left behind.

by Farah Bukhari

Posted on November 11, 2019