The insurance industry has been impacted heavily by COVID and extreme weather events. Insurers have had to respond and adapt to such issues as legal challenges to coverage of existing policy terms, unexpected claims across policy types such as travel, health, and business disruption, as well as cyber claims exacerbated by workforces becoming more distributed.

By necessity, insurers have had to invest in technology to improve digital interfaces with their customers, streamline claims processes, enable remote workforces, and address security. Unfortunately for many, digitization of their risk and compliance program hasn’t kept pace with the risk and compliance needs of the changed world, as highlighted in Deloitte’s recent 2022 Insurance Industry Outlook.

So what does it mean to digitize your enterprise risk management (ERM) program and what happens when we are slow to digitize? When you digitize and bring your risk and compliance management up to standard, how can you transition from your existing legacy systems?

What do we mean by digitization?

There isn’t much data that isn’t constructed of bits and bytes. Spreadsheets, Word documents and emails are digital artifacts. Digitization is transforming data into a consistent form by categorizing and recognizing relationships between that data, allowing insights to be gleaned. It is about automating manual processes through technology and using automated workflow to ensure the process operates with minimal human intervention. The combination of insights and automation improves the speed and accuracy of decision making.

We are still surprised by the number of organizations that have large scale mature business processes and integration for their key services and products, but manage risk, compliance and related disciplines or processes through spreadsheets or point solutions that don’t talk to other systems or allow for those insights to be identified and turned into business enablers.

What are the risks associated with failure to digitize?

Spreadsheets are flexible tools for capturing risk and compliance data, yet quickly present challenges for understanding data relationships and interdependencies, and maintaining coherent information. There is limited version control, particularly if multiple people are required to make changes. By the same token there is a limited audit trail for who created, edited, or authorized data, or the ability to restore data to a previous version if required. In the case of certain documents like risk registers, there may be different versions for different business units or processes that become difficult to pull together or aggregate when needed.

Single point solutions usually address those issues, but don’t allow you to build consistent data relationships that allow for insights when looking at the bigger picture.

We’ve worked with clients whose trigger to pursue digitization was one of the following:

  • Ineffectively controlled risks that people on the front lines knew about, but that were not visible to top management until an incident occurred
  • Compliance obligations overlooked due to hidden rows in a spreadsheet
  • Emails inadvertently overlooked for renewal of a regulatory license which became overdue
  • Duplicated data across multiple risk registers that became misaligned, resulting in over-investment in controls that were already being addressed by another team
  • Consolidation of multiple single-point solutions in order to gain better insights while delivering cost savings

The results of Deloitte’s 2022 Insurance Outlook Survey also show that many respondents expect a rise in headcount in risk management personnel, while simultaneously identifying it as one of the roles they expect to have difficulty recruiting. The efficiencies gained from digitizing your risk management activities can help alleviate this pressure.

Digitizing Risk Management

When risks and controls are managed manually across multiple business units and processes, it can become difficult to see the big picture. Reports that reach top management may be out of date by the time they are received, and there may be limited ability to find relevant detail without manual effort and follow-up. Digitizing risk management enables aggregation and categorization to identify key areas that need improvement or attention. Once embedded, it also provides confidence to management that they have the information when they need it, enabling them to make decisions with eyes wide open.

Digitizing Compliance

Digitizing compliance attestations and control testing can automate much of this process, allowing the compliance manager to focus on more value-adding activities. Being a partner to the business and spending time providing them insights on upcoming change (whether driven internally or by regulatory change) is much more valuable than chasing down emails.

In an industry where regulatory change is the norm, automating and integrating that change directly into your compliance system via a regulatory newsfeed means you won’t overlook changes that are important to your organization.

Digitizing Incident Management

Incidents are an important learning opportunity for insurers, both from a general operations perspective as well as highlighting potential issues or improvements related to products or their delivery. Incidents might be well handled individually, but if they are captured in reports created in Word, it becomes challenging to identify trends and systemic issues, particularly identifying common causes, that can help shape the future and prevent reoccurrence.

Digitizing Third-Party Risk Management

Depending on the nature of the products offered, insurers may have a large stable of third parties that are critical to managing policies or claims. There has been an increased focus in recent years on ensuring that risks presented by third parties are managed effectively, which may include such elements as:

  • Obtaining assurance on their capability to manage cyber-related security and data privacy if they have access to customer data
  • Obtaining assurance on their ability to provide services in the face of disruption affecting their business
  • Seeking evidence that they have any licenses required to provide their services
  • Obtaining assurance that they understand regulatory obligations that apply to services they are providing

Manually collating and following up on this data can become a tedious task. Single point solutions can help but may not integrate with broader enterprise risk management to provide insights not just about individual suppliers, but about the effectiveness of the third-party processes.

Bringing it all together

A standardized framework with digitization allows for aggregation and reporting across all of the elements of a comprehensive enterprise risk management framework. This includes:

  • A single source of truth, ensuring everyone is using the same data and talking the same language
  • Automated workflows and escalation, improving efficiency and enabling people to act on what matters most
  • A single view of risks and the effect that control assessments, compliance attestations and audit findings have on the confidence that the risk is well managed
  • The ability to quickly identify and act on potential discrepancies across data sources and the ‘story’ they tell; for example, a risk rated low while having multiple control weaknesses or audit findings may warrant a challenge
  • Allowing for control optimization by aggregating their effect on multiple risks
  • Tracking of early warning indicators that enable corrective action before incidents occur
  • Clear accountability for risks and controls – and immediate insight when they are not being effectively managed
  • Insight into risk and compliance culture

How do you transform from your legacy systems?

Data transition can be a challenge if moving from legacy data storage to cloud-based systems, but it may be possible to transform your existing data to enable immediate insights. Some rough steps to transforming the data:

Determine what you have. Catalogue the types of data that you either intend to include in the transition or will form the basis of how information will be created in the new solution. For third-party risk management, this might include initial due diligence questionnaires, policies collected from the third party, and ongoing quality assessments.

Determine how much you need. Will the historical data serve a purpose in the planned solution? If yes, what continuity of data do you need? This will be driven by the insights you expect to gain. For example, if you want to see 12 months of incident data, you may only need to consider transforming 12 months of data and archiving the rest. In short, don’t spend effort transforming data that won’t provide new insights.

Determine how it needs to be transformed. This step requires the most thought, giving consideration to the quality of the existing information and how you want to build relationships between the data moving forward. For example, risk registers that include information about controls or treatments may require separation. It may also require the data to be in a particular format. Even if taxonomies or categorization aren’t required as part of your solution, you may still want to consider them, as they will help you gain intelligence from aggregation and analysis.

Transform the data. Once you know how it needs to be transformed, the next step is to reformat it or separate data against the defined criteria.

Upload the data. Most solutions will allow for direct import of the data once it is in the required format.

Start your insights journey. Now that the data is transformed you can start gaining intelligence driven by your solution and optimizing your processes.

The good news is that most solution providers will be able to provide guidance and assistance on these steps in terms of both good practice in what types of information and data relationships enable insights, and the steps you will need to take to transform your specific data.

It’s important to acknowledge change management as a critical part throughout the process, and the timing of the transition will need to be considered to ensure there is no disruption to processes and that there is continuity of data where required.


Is it time to digitize your enterprise risk management and bring it up to the standard expected to support the wider business in this changing world? Download our eBook on the Digitization of Risk Management today to find out more.

If you would like to know more about how Protecht can help your business achieve sustainable compliance and risk operations, request a demo of our Protecht.ERM system now.
