Managing risk and insurance for financial institutions


Financier Worldwide Magazine

December 2018 Issue

FW speaks with Ingrid Hernandez at Tokio Marine HCC about the process of managing risk and insurance for financial institutions.

FW: Could you provide an overview of some of the more pressing risks that financial institutions (FIs) typically face in today’s business world?

Hernandez: Due to their dependency on technology, cyber attacks pose an ever-mounting threat to financial institutions (FIs). A significant number of transactions are processed daily over the web and banks need to store sensitive user data as well as safeguard their monetary assets. Any cyber attack could seriously affect a bank’s ability to serve and protect its clients, and it would lose all credibility in the public eye. Hackers are extremely creative, and we have seen, in many different ways, how these people have taken advantage of any weakness in a bank’s controls. Social engineering is another concern for FIs. While all FIs compete to provide a faster and more efficient service, they face the challenge of keeping enough controls in place to verify the authenticity of their clients. Some, dealing with high net worth individuals, may suffer from a culture whereby, whenever possible, the staff should not bother clients with ‘trivial’ administrative requirements and, as such, internal procedures often get overlooked. Although regulation is not a risk for FIs, the highly-regulated environment in countries such as the UK, the US and Australia, among others, poses a big challenge. The amount of resources banks utilise to comply with regulators around the world is massive. Regulators are essential for customers’ needs and interests to be given priority. However, the increasing demands from regulation, particularly for institutions operating in many jurisdictions, do represent an increased chance of incurring regulatory sanctions.

FW: How should FIs go about identifying, understanding and measuring how insurance can help them mitigate the risks to their business?

Hernandez: The first step for any FI is to define the company’s risk framework before considering how much risk it can transfer to insurance. Every business activity in the company should be evaluated in terms of tolerance of risk appetite – meaning how much profit is generated by a business vs. the risk arising from it. The second phase is to treat the risk and reduce exposure through controls and processes so as to protect profitability. It is only after the company has worked out the previous steps that it can determine how much of the remaining risk it would like to transfer through buying insurance to further mitigate the risk.

FW: In your experience, do FIs demonstrate a sound ability to recognise risks and allocate sufficient resources to managing them? In what areas could they improve?

Hernandez: While most listed and regulated entities in the industry, post the global financial crisis, have a sound ability to recognise risks, SMEs might find risk mapping and resource allocation more challenging. In part, this could be because many are less regulated, and therefore less familiar with what is expected of them in terms of risk controls and compliance. Also, in a smaller company with less capital and resources, the risk management function may be delegated to other, non-dedicated resources in the company. Independently of the size of the company, there is always room for improvement. Companies should keep investing in training and educating employees to better recognise risks and escalations. If companies cannot count on internal resources, then outsourcing is always an option.

FW: With cyber crime increasing in scale and sophistication, what can FIs do to mitigate and manage this particular threat?

Hernandez: Mitigating cyber crime boils down to good cyber resilience through training and education, not only applicable to board-level executives but to everyone in the organisation, as well as the supply chain, partners and customers. Many cyber incidents can be traced back to human error. Without training, employees will likely lack the skills and knowledge they need to adequately protect the company from cyber attacks. Investing in the best people is also very important. Having senior-level leaders, such as a chief privacy officer, data protection officer or chief compliance officer, there to improve customer trust in how personal information is handled by the organisation, will reduce churn and the cost of a breach. When budget is limited or investment too heavy to be carried by the company, or when the company has limited knowledge, again, outsourcing these services is a viable option. Outsourcing can help the company get a clearer picture and additional comfort around the data flow and structure.

FW: With regulatory changes and increasing volatility impacting the financial environment, what can FIs do to adapt their internal processes and operating models to more effectively control risks?

Hernandez: FIs need to ensure that risks are correctly identified and then embodied in a risk management framework that operates across the entire entity. This should be sufficiently developed so that appropriate processes are put in place and the right information gathered to continue effectively monitoring those risks. This system should also be flexible enough to incorporate new risks as they come to light. In doing so, the risks are addressed in a timely and effective manner. When developing processes, companies should try and avoid an excess of information by simplifying internal guidelines and making them more effective. However, internal controls will never be effective enough without the collaboration of employees, again highlighting the importance of training and education.

FW: Why is it important for the board and senior management to view risk governance and insurance coverage as priority issues?

Hernandez: Sound corporate governance is critical to the long-term viability of any company. Without effective risk governance, FIs cannot guarantee the quality, independence and reliability of the internal processes adopted by the entity to manage its risk. This is not only the governance of financial risks but also the governance of non-financial risks – operational, compliance and conduct risks. Even though banks invest heavily in risk governance, there are still risks that are not fully mitigated and this is where insurance coverage can help. It can help by diminishing the potential losses from any material gap in the risk framework.

FW: What essential advice would you offer to FIs on developing and implementing an effective risk management framework? How important is it to align risk management strategies with operational realities?

Hernandez: The biggest challenge for FIs when it comes to risk management is not the development but the implementation of risk processes. There are plenty of theories around risk management and development, but the real challenge lies in employees at all levels of the organisation understanding and embracing its importance. It is key for FIs to clearly articulate the ‘minimum’ standards of the company’s policies, processes and operating procedures to which all business units must adhere. Adequate training is also key. Without clear guidelines and effective monitoring, there is always the risk of employees prioritising profit generation or performance over internal controls. It will always be a challenge to align risk management strategies with operational realities. Some of the risk processes and internal controls might slow the efficiency of other processes, such as client service or new business projects. Nevertheless, employees must not overlook the importance of risk management.

FW: What key trends and developments do you expect to see emerge in the risk and insurance landscape in the years ahead? Do you expect FIs to focus on improving their ability to forecast and manage risk?

Hernandez: In the years to come, continued consolidation is to be expected in the insurance sector. This will come on the back of the extended soft pricing environment and excess capital in the market. Furthermore, we will continue to witness digital adoption and transformation. Artificial intelligence, machine learning and Big Data analytics will help insurers better understand risk and build robust predictive models. Blockchain, smart contracts and robotic process automation will most certainly have an impact on efficiency.


Ingrid Hernandez joined Tokio Marine HCC in 2016 as underwriting manager for financial institutions. She has extensive experience in the insurance industry, having worked for Zurich Insurance in Spain and the UK, as well as Euler Hermes in Mexico, prior to joining Tokio Marine HCC. Ms Hernandez has a Bachelor’s Degree in Business Management and Finance from Instituto Tecnológico Autónomo de México and an MBA from ESADE Business School. She speaks Spanish and English. She can be contacted on +44 (0)20 7648 1306 or by email:

© Financier Worldwide

