“It's nice to see that you've bundled together not only ESG but also data,” said Nick Wailes (pictured immediately below). “Two enormous issues which are really shaping business today.”
Wailes, director of the University of NSW’s (UNSW) graduate school of management was introducing an online symposium: Rising to the ESG Risk Data Challenge.
Insurance companies are arguably at the epicentre of this challenge. A current government review into the Privacy Act that covers issues like how personal information is collected, used and disclosed, is just one area of activity in this evolving arena.
Wailes said ESG is causing organizations to “increasingly think about their social licence to operate, the constraints of their environment and the importance that investors and customers are placing on those matters.”
Data, he said, is the critical component of the technology delivering services to customers “but it also carries with it huge amounts of risk.”
The reason for the “huge amounts of risk” these days was neatly summarised by Kate Carruthers (pictured above): in the old days data was static, today it is flowing.
“Not so long ago, data was static, it wasn't properly managed as an asset, it sat in a bunch of silos, it was really hard to connect up and really, apart from reports and transactional systems, it didn't really have much actual use,” said Carruthers, who is UNSW’s chief data and insights officer.
“Nowadays, what we find is that data flows,” she said. “So it's starting to be managed as an asset in many organizations and it drives key business processes, often automated [ones].”
None of that is probably news to insurers, but Carruthers’ conclusions could be. As a result of this data transformation, Carruthers is urging a rethink of the traditional Three Lines of Defense model used in enterprise risk management (ERM).
“Across our Three Lines of Defense model we need to make sure we incorporate cybersecurity, information security, privacy and data and information governance – and call it data protection,” she said. “That's the message I'd like you to take back to your folks.”
Carruthers said the two big cyberattacks last year on Medibank Private and Optus have pushed other organizations towards approaching data protection as “the key” risk management function.
One major reason for this shift in the data space, she said, is artificial intelligence (AI). “AI changes everything,” said Carruthers. “If anybody hasn't had a play with ChatGPT, you must be Robinson Crusoe.”
This IB journalist immediately left the island to take a look. ChatGPT launched late last year and is an artificial intelligence chatbot that can mimic human conversation, write articles, plays, even poetry and songs.
According to some news reports, by January this year, the free online program had more than 100 million users, making it the fastest growing internet application ever made.
Carruthers said this astonishing program is “just a little bit of AI.”
She explained what this AI “umbrella” covers.
“AI is about machines thinking like people and making decisions,” she said. “We've got machine learning – stats on steroids is what I call it – which is how we can predict the future and how we can make decisions.”
Then there is deep learning which she described as “unsupervised learning” in the AI space. ChatGBT, she said, is an area of this computer/data space called generative AI.
“Now we have the ability to make decisions and predictions in an unsupervised way – so with no human beings in the loop,” she said. “It's a pretty interesting time to be in data.”
However, she said, the old ERM model needs to embed data protection.
“That model doesn't have any cognizance of the need to put things like cybersecurity, information security, privacy and data governance across all of that [the Three Lines of Defense],” she said. “I genuinely think that those practices need to sit across all three lines.”
Carruthers said organizations cannot protect data if it’s not embedded into internal control measures and management controls. “We really need to start to think about that from an ESG perspective,” said Carruthers.
She said that involves thinking about data from a climate perspective but also a governance perspective and also how to incorporate the so-called Internet of Things (IoT).
“It's going to be super challenging for your data teams, about how they incorporate that into their reporting because it's a really different cadence,” she said. “Typically, they're working in data that updates [in] near time, not real time, and finding a fixed point to report on so that all [the] reports line up is stuff that we're all going to have to work out.”
How are you dealing with your firm’s data challenges? Please tell us below.