In the ever-changing world of insurance, challenges and opportunities abound, calling for a thoughtful response. From adapting to regulations and digital shifts to addressing cybersecurity threats, businesses are on the front lines of change. Join our exclusive conversation with Sunder Krishnan, Chief Risk Officer, Reliance Nippon Life Insurance Company, who speaks about finding the right balance between innovation and a strong risk management approach. He also highlights key industry trends and the importance of proactive measures in meeting evolving risk management needs in the insurance sector.
What are the key challenges and opportunities you’ve seen in the current risk landscape for the insurance industry?
There are a lot of regulatory changes, and each regulatory change brings with it lots of challenges—challenges to comply in the short term and the long run, and to comply in a systematic manner rather than manually. So, there are a lot of challenges in that sense because the business arena is also changing. There’s a lot of digital transformation that’s ongoing, and technologies are many; the acting cybersecurity threat is also very high. These are the broad challenges, and opportunities are plenty in the sense that there are a lot of solutions that many vendors, or rather, we call them partners, bring about, and they sort of change the culture, the systems, the processes, and technology.
As businessmen, we would like to automate controls, automate processes, and leave little to human intervention, so that there is robust control and a systemic process in place. So, these are the opportunities, and opportunities are plenty because there are lots of solutions that come up. And to face the challenges that we have, one of the recent changes is the PDP Act, which is the digital personal and privacy regulation. It has brought about a fine of 250 crore per offense and has imposed a responsibility on the organisation to have reasonable security practices and controls. This would mean that even if your vendor or a partner is non-compliant, then you are responsible for that. So, you will have to ensure your employees, your vendors, your customers, your partners are all compliant. Because as a data fiduciary, which is what a bank or an insurance company is, you are responsible for the data’s privacy and security. Therefore, this challenge cannot be overcome unless you have a culture of systems in place, automation in place, standards in place to meet it. And this is the opportunity and the path that we need to take in the next many months or years. The other challenge is that many things are political and reputational. We do not know the deep GDPR compliance time that would be given. Like the GDPR, which was there in Europe, gave a lot of time to comply, two years at least. We need that kind of time in India also because of the largeness of the country, complexity, cultural issues, systems, etc.
In your role as Chief Risk Officer, how do you balance the need for innovation and growth with maintaining a robust risk management framework?
It’s a sensitive cultural issue and the top management wants growth, but at the same time, wants absolute compliance. If there is non-compliance, there is a fine. If there is a regulatory issue, you are pulled up as a Chief Risk Officer because you have to ensure everybody complies, and there is no fine involved. In the last four or five years, we have not had a single warning or a fine from the regulator. So, this is very important for a company from a reputation perspective. And so, as a Chief Risk Officer, I’ll have to move with the business, the need to grow and the need to have more business. There is a lot of digital transformation that’s happening now to be part of that and also proactively ensure the systems and processes that are newly introduced digitally comply with the regulations and culture. The systems are in place to ensure there are robust standards and compliance being ensured, and process, people and technology are strengthened and meet the emerging requirements. So, we’ll have to design the control process standard in a very efficient manner so that the compliance is effective. For instance, the PDP Act now requires databases, networks, employee and vendor data, customer data all to be secure and private. Privacy is very important. Now, how do I ensure automated compliance? That is a tough challenge today. Very intelligent tools like settlers’ tool actually give digital Redmine at a file level, but I might need to do that at a desk database level or a holistic level. Organisations need to work on that. That’s why I need the time of one and a half years or two years, so that we are in strict compliance with the GDPR.
Can you discuss any notable trends or developments in the insurance industry that impact risk and how would your team address them?
Notable developments are the changes that regulators have come up with in cybersecurity, the Information Security Management, the connectivity management with the website, with the vendors and employees, and the digital transformation that they have pushed us to. Because today, everything is digitally handled; an employee actually meets a customer, and the customer fills the form digitally; there is no mechanical filling of forms, although that practice is still there in many parts of the country and in many companies also. Having said that, the digital absorption has become higher in percentage. So, when we handle things digitally, you will have to think through, and therefore today, employees are forced to think through what are the controls they could have. Like we have introduced OTP, so each state’s customer is forced to think and answer questions on OTP. You have to give OTP for that, like a policy that I bought last week, so I had to do six OTPs in that company. I was wondering why so many OTPs are required, but when I look at the way the processes were handled by the salesperson, it was quite effective and efficient, and at the same time, it’s all for the safety of the customer; that thought process is given to the customer. So, what is important is training, awareness and a lot of process systems automation, which ensures a progressive path for customers, suppliers, vendors, employees, and all the stakeholders in the industry. So, the industry is going through lots of changes in cybersecurity products, then digitalisation, then the PDP Act compliance and many other regulations that have come recently. It’s not that they were done about 10 years back; it’s all happening as we speak. And so, the road journey is forced on you. As a company, I have to travel that journey. I cannot avoid it. That’s the challenge.