Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to episode one or two of the Live with
a Maverick podcast.
Speaker 2 (00:04):
The theme for today's question is.
Speaker 1 (00:06):
Risk Management Part three, and we're very excited to have
with us our guest, Monica Shokrai. Monica is Head of
Business Risk and Insurance for Google Cloud. Also in twenty
twenty two, Monica was honored as a Business Insurance Woman
to Watch.
Speaker 2 (00:23):
So welcome Monica.
Speaker 3 (00:24):
Thank you so much, thanks for having me.
Speaker 1 (00:27):
Pleasure to have you and just love to give you
an opportunity to introduce yourself.
Speaker 3 (00:32):
Absolutely, I'm Monica Shokrai. Thank you for the intro. I
lead risk and insurance at Google Cloud. I also lead
Alphabet's actuarial team. I'm part risk manager, part actuary, part product,
part program manager. There's a lot of different things that
cover which we can get into. Prior to Google, I
worked at Berkshire Hathaway. I led global pricing there and
(00:56):
then prior to that, I worked at Willis Towers Watson.
When I joined, it was Towers Perrin, so I kind
of saw the journey there, and I
did actuarial reserving.
Speaker 1 (01:09):
And Monica mentioned Willis Towers Watson. One thing I always
mention, if Monica remembers, is Monica actually assigned
me my very first P&C project way back
in, I won't even say the year. A little while back,
you know, when I was working in Miami, I was
on the retirement side, so I remember Monica assigned me
like a very small reserving project.
Speaker 2 (01:29):
So that was my first intro too.
Speaker 3 (01:31):
That's such a great memory for you to bring up.
I had forgotten about that, So that's awesome, very cool.
Speaker 1 (01:36):
Yes, yeah, so you know, I think this is a
really cool theme, risk management. When I think of my
Maverick Actuary brand, I think of it in terms of
some of the focus here is of course actuarial science,
risk management, and then I say advanced analytics. And to
your point, you know, risk management, there's clearly some overlap.
They say, they say insurance and risk management, so the
two terms certainly at times overlap, but there's a little
(01:59):
bit of a supper tending piece. So I'm looking forward
to exploring that piece today, the risk management side in particular.
So the first thing I wanted to ask is when
we think of the term risk management, Honestly, the average
person perhaps a bit of an esoteric and ambiguous term.
So if you were you know, what does risk management
mean to you if you're to describe that to someone
in very simple terms.
Speaker 3 (02:20):
Yeah, So when I think of risk management, I think
about how do you protect the company from the downside
of a potential business opportunity, let's say, without holding back
the upside. So what can you do to help mitigate
any risk that might be present by a certain decision.
(02:41):
Insurance is one of those measures, but also there's a
bunch of other measures, whether it's contractual terms or just
putting safeguards in place. So it's a pretty broad category.
I think that risk management can apply in a lot
of different areas, but generally speaking, it's how do you
protect the company while still enabling innovation?
Speaker 1 (03:02):
Excellent, And honestly, I I don't like to insert myself
in the conversation, but you know, I did actually make
an attempt at this on a LinkedIn post. I'm just
going to kind of share briefly with you. I never like,
I just kind of tried to present like a three
step kind of framework towards risk management.
Speaker 2 (03:21):
So I think of it in terms of three things.
Speaker 1 (03:22):
First is identification: what risks exist, very broadly speaking,
whether it's, like you said, a company or an individual.
The second thing is what I call dimensionalize, and that's
essentially like categorizing the risk, but also acknowledging that there
could be things like correlations, aggregations, and then quantifying
them to the extent that you can. And then the
(03:43):
third thing, the third piece of my framework is strategize.
So to your point, it's not just about insurance. You
can avoid the risk, you can fully retain the risk,
and then there's a spectrum of things in between. You
can do, you can mitigate, you can transfer. So that's
how I think of it. I've been just trying to
find ways to simplify it because I know when we
speak to people, one of the things I like to
(04:04):
do is explain to people in the broader society who
are not in the space what we're doing. So I just
wanted to share that with you and see if you had any
thoughts on that.
Speaker 3 (04:13):
Yea, I think that's great. I think it encompasses all
different parts of it, which is awesome. Oftentimes, just in
my day to day work, you'll see people focus on
a certain area. So maybe a certain team will focus
on a risk taxonomy, which is more identifying the risk.
You might have a different team that's trying to quantify it.
Our actuarial team could be an example. And putting
(04:33):
those all together as a holistic framework I think is
pretty important because people have different skill sets and they'll
naturally lean towards one or the other when really it
encompasses everything that you've outlined. So that's great. I'll
have to check out that post.
Speaker 1 (04:47):
Yeah, sure, I'll try to find it into It was
a few months ago, and I did many different drafts
because I could just sometimes it's just tough to get
that technical part just into simple terms. Now, when we
took a step back, we talked a bit about risk management.
When you take a step back and look at the
broader risk landscape, how would you describe the risk landscape today?
So you know, you're at the company, you're at the
tech company, you're focused on risk management not only for
(05:10):
the company themselves, but I know Google does have cloud
solutions that other companies use.
Speaker 2 (05:15):
So just when you think, look at that broader macro piece.
Speaker 1 (05:18):
And we'll get into more details on the cloud piece,
but just when you think of the risk landscape, how
do you describe the risk landscape today?
Speaker 3 (05:25):
Yeah, and I'll speak a little bit more broadly than
just Google, just kind of many companies are facing this,
I think at the moment, but from a risk landscape perspective,
I think it feels like the rate of change of
risk in general and what we're facing is increasing over time.
So I think that we're in an environment where, whether
(05:45):
it's through cyber risk or AI risks that are emerging
and how that affects our society and our businesses right
or whether it's through climate change and increasing hurricanes or
fire wildfires, we're seeing a constantly changing risk landscape in
many different areas, even casualty. I understand settlement values and
(06:08):
social inflation are increasing pretty sharply, and so just broadly speaking,
I think we're all under We're all operating in a
time at which we have to be aware of what
risks are emerging, what's the state of them today, where
do we predict them going in order to protect our
(06:30):
companies and ourselves from the impact of those risks over time.
Speaker 1 (06:35):
And what you said, what I'm hearing there, the rate of change,
that's one of that's a key theme in terms of
landscape itself and personally, I think that's what makes it
exciting not just to be an actuary, but a broader
risk professional today, is that risk is evolving a few
years ago and did the STATSTOT talk, I talked about
the fact that actuaries that when you think of how
(06:56):
what actuarial science is predicated on is historical data square
looking at things like organizing data in triangles, looking at
loss development patterns because you're using history to learn from
the past of projecting to the future. But what happens
when the history doesn't exist or the history's entirely disconnected
with what we're seeing today? So I think personally that
that makes it exciting to be, you know, in the
(07:18):
broad in insurance and risk management space.
Speaker 3 (07:21):
Definitely, Yeah, I agree. And then you've become really good
at assumptions, like coming up with assumptions, testing those assumptions,
trying to understand the impact of them. But the quantification
piece is changing as the risk landscape changes as well.
Speaker 2 (07:37):
For sure.
Speaker 1 (07:39):
Now Google, let's let's get to Google's excite one of
the exciting parts. So you spent no I think currently
if I'm around the last six years or the past
six years at Google in various roles, So how would
you describe the I know you've focused very heavily on
risk management in a few of those roles. So, how
do you just describe the risk management roles that you've
held at Google.
Speaker 3 (07:59):
Yeah, so I started just for context. I was an
actuary prior to joining Google, and Google was my big
shift into risk management. And I started at Google in
what we call a risk consulting role. And so the
concept here is that Alphabet is such a big company.
We do all of these different things, and so it's
(08:19):
really easy for the insurance department to be in a
situation where they might not be aware of everything that's
going on in the business because it's just such a
big company. There's so much happening, right, And so we
split the team up and we had three different risk consultants.
We still have them today that will integrate with the
business units and really understand the risks inside and out
(08:41):
so that we can then make sure that we're transferring
that to our insurance program. So I started out as
a risk consultant. When I started out, I had all
other bets. So you have Alphabet as the parent company,
you have Google, and then underneath Alphabet we do
a lot of different things. Waymo's an example with
self-driving cars. Verily is an example that is in
(09:02):
the health Space, So I had all other bets at
Google Cloud and Google Cloud as well, and then throughout
the past six years, I've kind of segmented my portfolio
over time. It's like those roles are like your risk
manager for that section, right, and currently I have Google Cloud, Workspace,
(09:23):
and Chrome. And it's really just everything from working on
the contract terms to advising the business on risk management
more broadly, to thinking about different product development or different
ways that we can leverage insurance in our in our
product portfolio. And so I can talk to you a
little bit about the risk Protection program, which is one
(09:45):
of those examples at some point in this talk. But
it's been interesting. And then two and a half three
years ago, I took over the actuarial team. So I
run a team, it's a smaller team within Alphabet's insurance
group that will quantify all of the risks that we
have so that we can then have an internal view
(10:05):
on those risks both for the business to help make decisions,
but also to try to evaluate the insurance quotes that
we're getting and try to make insurance decisions.
Speaker 1 (10:17):
Excellent. So you know, something that people may ask because you're
an FCAS, I'm sure you, and previously you were
in insurance and you also did consulting. Sure you had
many other alternatives and opportunities. What is it that drew
you to Google specifically anything?
Speaker 3 (10:31):
Yeah, so that's I think that's that changed once I
got into the company. So we'll start to what drew
me and then and then what I love about it.
What drew me here was really having a different experience, right,
So I think as an actuary, I'm a big proponent
of actuaries trying out different areas within insurance. I think
they do a really good job. Often when you when
(10:54):
you understand the quantify the numbers side of the business
and then you go to a lot data driven side
of the business and you can bring that data driven approach.
I think it really adds a lot to insurance. There's
so many successful CEOs or chief underwriting officers that really
came from an actuarial background. And so what drew me
to Google was this idea that I could move into
(11:15):
risk management and leverage my actuarial skill set. Because Loren Nickel,
who runs Alphabet's, who's Alphabet's risk manager, runs Alphabet's insurance team,
was an actuary himself. So I knew that I'd be
joining a group driven by a leader that had that understanding.
What keeps me at Google is that the company, and
(11:36):
I think many tech companies can be like this is
really focused on innovation and how can we do things
differently and how can we do things better? And when
I often say, I forgot exactly how I phrase this,
but I often say that innovation lies at the intersection
of two different subject matters or industries, right, And so
if I can come into Google and bring the mindset
(11:59):
that everything I've learned from being in insurance and being
an actuary, and then merge that with a tech mindset,
I think we come out with a better outcome. And
so I work a lot with the business to think
about how do we use the principles that we've used
for many years in insurance, like quantifying risk, and then
apply that to help our customers.
Speaker 1 (12:20):
Excellent. And I, as someone who is in software
so very close to the tech world or overlapping with
the tech world, can certainly reiterate that, you know, I'm
a big fan of actuaries trying different things, So you know,
thanks for modeling the way there, and just just excited
to have you speak to that experience now You've made
(12:43):
this transition, so you're an actuary. You've gone from the
traditional world into Google in a risk management role. So
what is it like working in risk management as an actuary?
You know, what are some of the similarities, differences,
you know, some of the exciting things.
Speaker 2 (12:56):
I know you mentioned.
Speaker 1 (12:56):
Innovation, but just thinking of that transition, you know, as
you're going into a world's very different, what is it like?
Speaker 3 (13:02):
Yeah, I think I'll start with how actuaries
can bring their skill set or how I'm bringing my
skill set into a risk management role, and how it's
helping me. I think at a tech company there's a
lot of everything's data driven, and there's a lot of
interest in utilizing data in a meaningful way to make
a decision. And coming in as an actuary and having
(13:24):
that background of being very comfortable with how to quantify risk,
whether it's an established risk like auto liability that has a
lot of history, or whether it's a newer risk, I
feel like we all learn a framework for how to
go about that, and so that's been one of the
things I've leaned on actually more than anything, even if
I'm not in an actuarial role all the time, working
(13:46):
to try to bring numbers to the conversation and whether
it's insurance purchasing decisions or whether it's trying to convince
a business unit why they should implement certain risk controls.
If you can tie it to numbers, I think it's
a it's a better story. So that's been one of
the ways that I've kind of brought actuarial mindset into
(14:10):
risk management.
Speaker 1 (14:13):
And what are some of the things that they are different? Like,
I know, you know, Google is obviously a tech company,
so I imagine the culture may be different, but just fundamentally
from being in like a risk management role.
Speaker 2 (14:23):
What's something that may be different.
Speaker 3 (14:25):
From risk management to actual or respect.
Speaker 1 (14:27):
Sorry that the way around it from like the traditional
space into risk management, So you know, going from like
working as an actuary and like a regular insurance classic
pricing or reserving role to now being in Google and
risk management.
Speaker 3 (14:38):
Yeah. So one of the biggest things I think is
that people people think that, oh, it's Google, you have
like a bunch of data and there's so much that
you can do, And there's definitely truth to that, But
I think what people miss is that we're just one company, right,
So when you're at an insurance company, you have a
whole portfolio that you can pull from of losses and
(14:59):
exposures and underwriting information and all of that, whereas with us,
we're just one company. So I think that was a
big shift in terms of in terms of moving from
one side to the other. We use a bunch of
different data sources from within the company, of course, and
then outside, so we'll leverage different data sources. It's not
(15:21):
that we're doing things without data, but we're still when
you compare it to the insurance world, we're still one company.
So that's been been a big shift. The other shift
is a lot of people will ask me just for
career advice of should I move into risk management, And
I generally say it's really good to have a good
footing in the insurance world before you move into risk management,
because when you're in risk management, you are the insurance
(15:42):
expert for the company and so and typically it's a
small group, right, and so there's not a lot of
people that you can look to for advice upwards, like
you become that person that everybody in the company is
coming to for advice in the insurance space, and so
it's good to have a good foundation so that I
think is pretty different as well. And then working as
(16:07):
a risk manager, you're really your whole mission becomes whatever
the company's mission is, right, And so I might be
in insurance, my background might be an actuary, but I'm
spending my time getting up to speed on all things tech,
understanding like how what's going on with Google, how that
compares to some of our competitors, and what's happening in
(16:29):
that space. Whereas when I was in the insurance space,
You're really more focused on the insurance industry and what's
happening with the insurance industry. So I'll often get asked
to speak on panels about the trends and insurance, and
really I'm more focused in my day to day time
on the trends in artificial intelligence and cloud computing and
cloud security and other things. And so it really shifts
(16:51):
your focus. So those that are going to go into
risk management think about what the company's actually doing and
if that's something you're passionate about.
Speaker 1 (17:00):
When you talk about, so breadth is a theme I'm
picking up on when you just differentiate the broader risk
management world from simply insurance. Yeah, so in that vein
what are some specific examples of risk management projects that
you've worked on that again might be different from what
you may see as an actuary and insurance company?
Speaker 3 (17:19):
Definitely. So I'll just start with the basics to ground us,
and then I'll talk about the differences. So our team
will do captive pricing, captive reserving, so those are very
similar to what you'll get in a normal insurance company.
We'll also provide analytics for all of our insurance decisions
that we make. And then we're also responsible for
(17:39):
all the systems that we use. So whether it's like
making sure that a risk management information system is working
well or that a chatbot is working well, our team
will oversee all of that. Now, what's very different and
those are I think you could say somewhat traditional when
you compare it to a normal insurance company. What's very
different is the partnership with the business. Examples are cybersecurity
(18:04):
is a field which there's a bunch of data, there's
a lot of data, there's a lot of alerts, and
generally speaking, a lot of professionals, cybersecurity professionals are really
looking to try to understand how to better quantify that data.
One of the things that we work on at Google
is partnering with that team to apply actuarial principles to
what they're doing to help improve their modeling and their
(18:29):
understanding of their own data. And then I think over time,
and this is something that we're working on, but over
time you'll then have a model that benefits them at
a very detailed level and that also benefits the insurance
purchasing decisions. And in side that sort of exposure I
think is hard to get elsewhere where you're really like
in the weeds with another group and understanding the details
(18:51):
of their risk at a base level. We we do
that across the board with a lot of different business units.
So how do we think about out how to help
drive a better model that can drive business decisions in
addition to insurance purchasing decisions. And I think that's probably
the most different piece of what we work on.
Speaker 1 (19:14):
So you talked about kind of bringing it back to
something you mentioned earlier as being more of a risk
manager and looking at that broader, you know, enterprise piece
and the risks as an organization. So what are some
of the key ones that you know that you've been
focused on, that you've been.
Speaker 2 (19:29):
Exposed to, the key the key risks yeah.
Speaker 1 (19:33):
Like in terms of specifically in terms of your role
that you that you're you know you're looking at as
a risk manager at Google.
Speaker 3 (19:39):
Yeah, so all tockle, I think if you think this
is the right moment, I'll talk a little bit about
the risk protection program because I think that encompasses a
lot of it. So one of the main things that
I work on being leading risk and insurance for Google
Cloud is of course cyber cyber risk, right, cyber risk
for the company, cyber risk for our customers. Trying to
understand how do we drive better security to drive down
(20:03):
cyber risks generally. And one of the projects that we
started working on I've been working on it for six years,
but it's been live since twenty twenty one. Is there
a way where we can help drive the cyber insurance
industry forward by providing analytics similar to how auto insurance
(20:24):
went from how many miles are you driving? To usage
based insurance and telematics in your car? Can we do
the same thing in the cyber insurance space? Now? If
we can do that in the cyber insurance space, we
can get to a place where the more secure customer
is and the more secure the cloud provider is the
better insurance you're getting as a result through pricing and
(20:47):
through coverage. And so that's an area where it's definitely
not a traditional risk management project, but it is an
area that a risk management department can provide a lot
of insight to the business and ultimately help come up
with a kind of industry breaking new product that will
(21:10):
help the risk of ourselves and of our customers. So
that's maybe one example let me think of. Let me
think if there's other examples of I definitely am involved
in a lot of like insurance placement that will include
a bunch of different risks, but typically my expertise lies
(21:31):
on the cyberside and the cybersecurity side.
Speaker 2 (21:34):
Yeah.
Speaker 1 (21:36):
Now, within the context of cyber risk, which you mentioned.
I know we'll get into that a bit more. You
talked about the cloud, which I'm glad that you brought
that up, and I know you've become an expert in
this area. Like you said, I've seen you speak at
conferences on it. I remember I think at Risk World
you gave a joint presentation with a couple of folks
from Google.
Speaker 2 (21:55):
On the cloud, and this is very relevant.
Speaker 1 (21:58):
I'm in the software space and customers talk about all
the time they're modernizing, they're moving to the cloud, and
you know there may be actuaries and other risk professionals
who are not as close to that conversation, but perhaps they're
not as close to technology. So the cloud is that
term that's very common today in the technology world. Now,
how do you describe the cloud and why it's relevant?
Speaker 3 (22:19):
Yeah, so the cloud is a global network of remote
servers that like store and manage data, run applications, deliver
content and services over the Internet, and it's it's basically
a lot of companies have what we call on premise infrastructure,
so they have all of their data servers and computers
within their own maybe even on their own floor, right
(22:43):
within their own space. The cloud is just shifting that
to another organization who, in theory and many and many
different examples, can run and manage that better. It will
allow customers to scale more quickly. They can scale up,
they can scale down. There's a bunch of different benefits
of why to move to the cloud. But I think
(23:04):
the term the cloud seems it seems makes it seem
a little bit more elusive. But it's just providing services
through compute services for customers.
Speaker 1 (23:20):
I remember one example, and correct me if I'm wrong.
I think it might have been at Risk World,
one of the panels you're on, I think you
mentioned like Gmail is like an example of is like
a cloud application.
Speaker 2 (23:29):
Would that be fair to say?
Speaker 3 (23:29):
Yes, yeah, so Gmail is cloud based, so that
is that's definitely true. But when I'm buying cloud services,
it so Workspace is the enterprise version of Gmail. So
if I was a company and I would want a
Gmail for my company, I'd buy Workspace. That's more like
(23:50):
software application at the end of the day. Whereas cloud
computing services you could build your whole IT environment in
the cloud, so there's a there's a range of infrastructure
as a service, platform as a service, and software as
a service, and then the cloud can encompass all of that,
whereas Gmail's a single application. That makes sense. But I
(24:15):
think what we probably this is maybe a tangent, but
I think probably what came up there is that and
we can talk more about this, is that when you
have a cloud based application that, in my opinion, there's
a direct link to security of that service. And the
reason why is that when you need to patch something
(24:35):
or update something, if it's cloud based and there's a
vulnerability that's found, the time between when the vulnerability is found,
how to fix it and when it's patched is very short.
But if it's not cloud based, you really need a
human to go into your IT infrastructure and fix
(24:56):
it and make the patch, and so oftentimes there's a
longer lag, and that creates a bigger window for attackers
to get in. And that's probably the context in which
I was talking about Gmail. There's the workspace has gotten
a lot of recognition for their leadership and security, and
we tend to talk about it when it makes sense, and.
Speaker 1 (25:16):
That's actually a good segue I was just going to
ask about that is security when we think of the cloud.
Speaker 2 (25:21):
Certainly there's for various reasons.
Speaker 1 (25:24):
Scalability, flexibility with security, of course, and when we think
of cyber risk and security itself, cybersecurity that's always a concern,
I think for customers. So when you think of the
cloud versus on prem you just mentioned that when there's
that issue with the detection, it sounds like the lag
between detection and resolution is lower when it comes to
(25:47):
the cloud. Are there any other considerations when you think
of the ways in which cloud versus on prem whether
cloud may be more or less secure.
Speaker 3 (25:56):
Yeah, definitely. So there's an article that we put out
that maybe we can link to when you when you
send this out, that is called nine security Mega trends
that drive Cloud adoption between and it talks about the
widening gap between security from a cloud environment and an
on prem environment, And just to highlight two examples of that.
(26:20):
One of them is that in an on prem environment,
I'm a single company, I own the entire IT infrastructure,
for example, and the cost of implementing really high end
security features is going to be higher than if I
am a cloud company who's amortizing that cost across a
(26:40):
whole fleet of servers, right, And so the marginal cost
of security goes starts to be driven downwards when you're
scaling in a cloud environment as opposed to an on
prem environment. And the more companies that shift to cloud,
the more that that marginal cost of security is driven down.
And so there's naturally an incentive. You're always kind of
(27:02):
thinking about how much do I invest in security, and
you're thinking about the return and the cost when it's
a lot cheaper to do so you're doing you're investing
much more right. And so that's one really non technical
example that just shows the forces that are at play
that are helping drive better security for the cloud. Another
one is a concept of a digital immune system. So,
(27:25):
just like us from a health perspective, when you get sick,
you build out immunity and then you know how to
fight that. There's a similar concept within the cybersecurity space
and kind of fighting attackers and fighting different vulnerabilities. And
the scale of cloud providers allows them to invest in
a lot of different teams that are researching this stuff.
So whether it's a threat research team or a red team,
(27:50):
or a team trying to find bugs in our own products,
whatever it might be, there's a lot of knowledge that
then gets captured and then scaled across for all all
of our customers. And so developing a stronger digital immune
system is something that will allow cloud providers to be
more and more secure over time. Whereas companies with an
(28:11):
on prem infrastructure, you're really just relying on the security
professionals you're hiring, which is going to naturally be
smaller than a company whose job is to provide these services.
So there's nine of those. I think they vary in
technical complexity. I picked the ones that are a little
bit easier to understand, but they generally are written in
(28:32):
business terms so that a non security professional can understand them.
And I think that it makes a compelling case for
why to make why security on the cloud is going
is trending in the right direction?
Speaker 2 (28:47):
Great, that was helpful.
Speaker 1 (28:49):
So we talked a bit about cybersecurity, of course, is
instrumental when we think about the cloud itself, when we
take a step back and think of things more high level. So,
given the importance of the cloud, what specific risks do
companies face when adopting cloud solutions and how can they
be managed? So we talked a little bit again about cybersecurity.
I can think of even to my company, there's hosted
(29:10):
managed services, you know, when you're hosting somebody in your cloud.
Speaker 2 (29:15):
Microsoft Azure does that.
Speaker 1 (29:16):
There's various companies Google, of course, there's various companies that
will do provide those types of services. But outside of
the cybersecurity or adjacent to that, you know, are there
any other risk to consider when companies are adopting cloud solutions.
Speaker 3 (29:30):
Yeah, I think I think companies will be thinking about
a variety of things. So security is definitely one of them.
Reliability's another one. So how do I make sure
that the service is reliable? In certain industries, there's a
really big need for constant reliability. So think about like
companies that are trading, like trading platforms. Right from a
(29:52):
financial perspective, the if there's a two second delay or
three second delay, oftentimes that matters. So trying to understand
the reliability of a cloud provider and a partner that
you're working with to make sure that your business won't
be impacted as a result in what we call SLAs,
what service level agreements can you agree to? That's another
(30:14):
thing they're looking at. Third party risk more broadly is
something that companies will be thinking about just in terms
of right now with a lot of recent attacks, there's
a focus on who's in your supply chain, what's the
quality of their own security, but also reliability. Right the
CrowdStrike event, as an example, was not a security incident,
(30:36):
but it affected a lot of customers. So just trying
to understand that more broadly. And then of course there's
questions and I'm not the best person to go to
do a deep dive into this, but there's questions like
data residency that often come up when you're thinking about
what cloud provider to select, So trying to make sure
that your data stays in the same country that it's
(30:59):
in if that's important to you for one reason or another,
there's a government regulation and then yeah, there we have.
We have a lot of trust and safety teams too
that are just embedded throughout Google that often answer a
lot of questions for customers on things like that.
Speaker 2 (31:17):
Sure.
Speaker 1 (31:17):
Now shifting back to cybersecurity at a high level, you know,
what does cyber risk quantification I imagine. Of course you're
very focused on cybersecurity, and quantification is very important for
risk management in general.
Speaker 2 (31:31):
So what does cyber risk quantification involve?
Speaker 3 (31:35):
Yeah, so, and be similar when you think about cyber
risk quantification to regular quantification. You're trying to identify, okay,
what's the frequency of an event, what's the severity of
that event, and then and then putting it together, modeling
it through, let's say, a Monte Carlo simulation and
coming up with a distribution. But when we were to
double click on that, oftentimes, when you're thinking about the
(31:57):
frequency of an event, you want to take into account
all the different security products and tools and security by
design that you have within your infrastructure to make sure
that if we're deploying something like MFA is a very
easy example that you're taking that into account
(32:19):
and the modeling, because there is going to be a
difference of account that a customer that uses MFA or
a customer that doesn't. So I think what's harder about
cyber risk quantification is that there's a lot of different
variables that are at play, and it's it's not yet
known within the industry. I'd say, to try to identify
what variables matter most. There was recently I didn't anticipate
(32:43):
speaking about this, so I'm a little rough on it.
But there was recently a study that was put out
by Cyentia and I saw it on LinkedIn about how
within the cyber insurance space or yeah, cyber risk space,
there's there's not a single metric that matters. It's really
the the correlation between a bunch of different metrics that matter,
almost coming up with like a score type of framework.
(33:05):
And so I think there's a lot to look at,
but generally speaking, it split it into the frequency and severity,
and then it also split it into security and then
reliability because business interruption is a big loss that occurs
that's not always driven by a security incident. Again, as
you could see from the CrowdStrike event.
Speaker 1 (33:26):
Great, So it would be fair to say that, like
an insurance and we have a common metrics like loss ratios,
it sounds like when it comes to cybersecurity, there's a
series of general things that people look at, but it's
really more proprietary in nature in terms of how it's
kind of measured and managed. Would that be fair to say, Yeah, that's.
Speaker 3 (33:42):
Fair to say. I think loss ratios is almost like
the result, right, it's what it's a KPI. I guess
what's similar is it loss ratio? Is the KPI that
insurance company is working towards. A cybersecurity team doesn't have
as straightforward of a single KPI. Yeah, I think I'm
(34:02):
just talking out loud now and thinking out loud to
respond to your question. They do have a bunch of
different metrics that they're tracking, and I think that's true.
But it's an evolving space. You're seeing a lot of
interest in the cybersecurity community about better quantifying risk. There's
a framework called FAIR that came out that is I
(34:23):
think very friendly towards the cyber security community because it'll
define distributions for you and then you just put in
a couple of metrics and then it'll help you model
out that risk. And yeah, there's a lot of companies
also popping up in this space.
Speaker 2 (34:38):
Okay, interesting, Yeah.
Speaker 1 (34:40):
Now, something that you're known for publicly is you're using
your expertise, sorry, is your expertise or using something called
inside out data services through a Google partnership. So can
you tell us a little bit, how would you describe
inside out data services?
Speaker 3 (34:56):
Yeah? Absolutely, so inside out data what we often use
that term for is metrics from within a company's IT environment.
So this concept of a firewall of what's inside the
firewall and then what's outside the firewall is where this
term came from. Now what's happening today and that's very
(35:18):
widely prevalent in cyber insurance is this idea of an
outside in scan and what that means is that from
the outside you can scan a company and you're essentially
seeing what a hacker sees and you're trying to say, okay,
they have an open port here, or they have this
Gmail group is publicly available, or whatever it is. You're
(35:39):
scanning from the outside. You don't have to talk to
anyone within the company. You can Many insurers and cybersecurity
firms are doing this without any consent right now. The
difference is that a lot of times things might be
public for a reason. Right There might be a reason
that this port is open, or this thing is public,
or whatever it might be. And so you can't really
(36:01):
tell whether a company has good cybersecurity from that scan alone,
because there might be reasons that it is that way,
and it doesn't mean it's unsafe in those exceptions. So
there's this trend that's happening, and I was early on
in this trend, but it's definitely more than just the
risk protection program at this point in time. There's a
trend that's happening that's trying to say, Okay, how can
(36:23):
we get metrics from within a company's cloud environment and
use that to rate and underwrite cyber insurance. And so
that's this concept of inside out data. It's the same
metrics that a security team is using to manage their
own risk, and how do we bring that into the
pricing process such that we have a better process for all?
Speaker 1 (36:46):
And would it be fair to say the scope of it.
You mentioned cybersecurity. Is it primarily for cybersecurity purposes or
is that data used for any other use cases.
Speaker 3 (36:54):
The scope of the inside out data, Yes, so it's
a good question. You could actually use inside out data
for any right, So inside out data could be like
one example in the reliability space might be what what
data centers are you using? What products are in each
data center? Right, there's there might be some of that
(37:15):
you can get from the outside in, but the nuance
of it you'd have to talk to someone to try
to or do a scan to try to get So
it could be beyond just security. It could be reliability.
But we at this point in time are using it
more from a security perspective because I think it's a
little bit more straightforward.
Speaker 1 (37:36):
Now, when I think of your role there, you know,
just trying to think of how you're adding value specifically.
I imagine, of course the analysis quantification, some of the
qualitative analysis. Any are there any specific areas where you'd
say that you're adding value given your background and
being in this role as it relates to inside out.
Speaker 3 (37:54):
Data. Yeah, I think where we're adding value is bringing
this to the insurance industry for the first time and
working with our partner Insurance to try to understand how
they can incorporate this into their pricing models. I think
that's a big change. It hadn't been done before, and
it's really leveraging our position as a cloud provider that
(38:18):
has we have I mean, we have I guess good
integration with a lot of companies and a lot of
trust with those companies such that it makes it easier
for them to run a scan within Google Cloud, then
maybe get a third party product to incorporate. They're already
(38:38):
using Google Cloud for their day to day and so
I think that that's where value is added to the program,
is that it's already in their day to day environment.
They just click a button, run a scan, understand those metrics,
and then share them and so it just streamlines the process.
Speaker 2 (38:55):
Okay, well that sounds interesting.
Speaker 1 (38:58):
Value added services technology and we're talking about technology.
Speaker 2 (39:03):
Of course Google's a technology firm.
Speaker 1 (39:06):
So how's technology being utilized to add value in the
risk management space? I know it's a very broad question. We've
probably addressed some of these things. What when you think
of just specifically technology, I guess the inside outs is
actually maybe one example of how you're extracting information and
helping with with quantification of risk. But you know, can
you think of any other ways from a technology perspective,
(39:27):
how it's being used to utilize to add value in
the risk management space.
Speaker 3 (39:32):
Yeah, So this one, I'm actually going to diverge a
little bit from Google because it was just such a
good question. For another thing that I'm involved in, I'm
an advisor at a company called Voxel AI, and what
they do is they use AI powered security cameras to
detect hazards and inefficiencies, uh in real time within an environment.
(39:53):
So let's say you're working at a manufacturer, you deploy
Voxel AI and it will detect when somebody doesn't have a
hard hat on, or they're not bending the right way,
they're not bending forward the right way, or they forgot
to do something that is very important from a security perspective.
And these cameras will identify these things and then in
(40:14):
real time drive a stronger safety and security culture by
talking by showing I guess, illuminating to managers what's happening,
showing the near misses that happened, and trying to develop
that feedback loop and so I think it's a great
example of how technology is being used to add value
(40:36):
in risk management. Risk managers are benefiting from that. Their
losses are going down as a result, then ideal of
their insurance goes down as a result. So that's one
that's big in the casualty world. In the cybersecurity world,
it's similar to what we're doing. There's technology that's automating that.
And I think just more broadly, we're seeing more and
(40:56):
more across all different lines of business areas where technology
can help with underwriting in a way that we hadn't
really seen before. Although I think the insurance industry still
has a way to go to really develop and lean
on technology to the full extent.
Speaker 1 (41:15):
Now, technology and innovation go hand in hand. Earlier on
in the conversation, actually you talked about I like technology
used with innovation. You mentioned that bringing that actuarial background
from the insurance space now into the technology space, you
can get innovation by combining a few of those domains. Now,
more broadly speaking, you know, how can actuaries help tech
companies to innovate to better manage risk. You know, they're
(41:38):
of course they're bringing some of that domain knowledge but
you know specifically anymore can Is there anything more specific
you can say about that?
Speaker 3 (41:46):
Yeah? I think the there's two ways. There's two things
that come to mind. One is just helping equip the
business with better quantification. I think that that is an
area where once you start to quantify some of the
things that they're doing, they'll they'll be able to It
fuels innovation a little bit more because they'll be able
(42:08):
to have the data and the numbers behind a decision
they're making. The other one is using analytics to support
to support sales in a way. So this one, if
you think about Volvo for example, Volvo is very well
known as one of the safest brands right within from
(42:29):
a car perspective, and I think there was a lot
I haven't done a case study on Vulvo, but I
think there was a lot of intention in that. Not
only did they focus on safety, but I think at
one point in time they were very outspoken about how
much they're investing in safety and security. That mindset hasn't
(42:50):
yet been adopted in the technology space of trying to
compare one technology provider to another where one is a
lot more safe, like a Volvo versus a Jeep,
but in the technology space, not necessarily comparing providers in
that same way. I think an area where actuaries can
help and really drive better innovation is by starting to
(43:11):
put numbers behind things like the security of different vendors.
You'll see two companies, Coalition and At-Bay, cyber insurance
companies that started to do this that show and I
can't quote the exact numbers here, but show something like
Google Workspace is x amount more secure than another competitor
(43:32):
and therefore will drive down premium. I think as soon
as you start to put numbers to that, then it
becomes a business selling point. And so that's one area
where I think we can help companies innovate in a
way that wasn't expected in the past.
Speaker 1 (43:49):
That's It's funny you mentioned that because I was going
to ask a more specific question, certainly from me. For instance,
being in the software space, there's a concept which I'm
I'm sure you've heard of called value engineering. So it's like, okay,
I purchase this software.
Speaker 2 (44:04):
What do I get?
Speaker 1 (44:05):
So if you think of it maybe in insurance terms,
you know, am I going to reduce my total cost
of ownership? Am I going to improve my combined ratio,
my loss ratio.
Speaker 2 (44:14):
Et cetera.
Speaker 1 (44:15):
So when we think of technology more broadly, you know,
how do you think of how do you think of
measuring or how do you measure the effectiveness of technology
utilized in risk management? I think that it sounded like
a little bit of a similar example or similar concept.
Speaker 2 (44:31):
You know, any thoughts on that in terms of that?
Speaker 3 (44:33):
One's hard? How do you measure how do you measure technology?
Say this the question again?
Speaker 1 (44:38):
Yeah, how do you measure the effectiveness of technology utilized
in risk management? So, for instance, if you purchase technology
to address a particular area of risk management, you know,
how do you measure that effectiveness? Because in some cases
things are easy to quantify, but in other cases they
may not, just because they rely on that risk management spectrum.
Speaker 2 (44:57):
So any thoughts on just that?
Speaker 3 (44:59):
Yeah, I mean I taught. I think what you're getting
at is almost like a return on investment or an
ROI of Yeah, yeah, yeah, And I think I think
about that often. I think it's hard, It's there's not.
It depends on the situation, right, But through coming up
with these models, whether they're based off of your actual losses,
(45:20):
which would be a clear ROI on an investment or
based on a model, at least you can help to
better quantify how that has how that technology adoption has
helped you from a from a risk perspective. But I
don't have an easy answer, but I definitely think that
without the existence of risk models, you can never really
(45:41):
develop that ROI because it's random, right, One customer might
invest in technology and have no change in losses and
another might have a drastic decrease, and it might just
be because of random volatility. It might not actually be
because maybe it reduced the risk in both situations. So
I think the existence of a risk model is pretty important,
(46:05):
even though every model is going to be wrong in
many cases, it's just hopefully on the average.
Speaker 1 (46:12):
That's definitely a good point, and it's certainly a challenge
that I'm seeing that I see certainly in the insurance
space of software is like, how do you like I'll
use I'll use. An adjacent example is banking. I think
banking is a bit more straightforward because the business model
is a bit more linear. So for instance, if you
can process a certain amount of applications in a certain
amount of time, then you're going to have more revenue
(46:33):
if you can more easily detect fraud, not for fraud,
repayment risk, you know, default, or sorry, default risk. If
you can project that better, then you're probably going to
you know, have less default, so you're going to be
able to have more recovery.
Speaker 2 (46:50):
So I think in banking it's a.
Speaker 1 (46:51):
Little bit more linear, but when we get to insurance,
it's a little bit more complicated because, like you said,
there's many different library drivers of loss other than you know,
just experiences this, you know.
Speaker 3 (47:03):
So Yeah, and the more the more complicated the risk is,
the more unique the company is. I think it gets
harder and harder. But if you don't start, if you
don't start coming up with a model, then you'll never
really get to the place where you're understanding the risk
in detail.
Speaker 2 (47:22):
Sure.
Speaker 1 (47:23):
Now, as an actuary, whether you work, you know, whether
you work at an insurance company, consulting firm, wherever, you work
with different stakeholders and collaboration, cross functional collaboration is important
to be successful in any role, but specifically in tech,
who would you say are your primary business partners?
Speaker 3 (47:43):
Yeah, So in tech as a risk manager, it's legal
and finance. I always I never thought about insurance this
way before I joined a company, But I always now
say that insurance is the intersection of legal and finance. Right.
It's a legal contract, but it's ultimately a financial product
in terms of trying to mitigate volatility of your balance sheet.
(48:04):
And so those are when you're working as a traditional
risk manager, those are your two main groups. Of course,
there's the safety groups and the risk groups that you
will also be collaborating with, but from a strict business perspective,
those are the two. In my role because of the
uniqueness of the risk protection program and other things we're
doing on the cybersecurity space, I often work with the
(48:27):
CISO's team as well, the Chief Information Security Officer. I
work with product teams, so companies that are sorry business
units that are developing different products right and want to
understand the risk of those. And then at Google we
have a lot of distributed risk teams. So maybe another
(48:47):
company might have a single chief risk officer and everyone
every risk role rolls up into them. We have risk
people embedded into all different parts of the business and
so there's a lot of collaboration with them. But when
I first joined and I was less on the innovation
front and more on the insurance placement front. It was
mostly legal and finance.
Speaker 1 (49:09):
Interesting. Now, what have you found to be, you know,
key to effective collaboration, you know, as you work with
legal and finance.
Speaker 3 (49:18):
Yeah, so I like this a lot because I actually
spend a lot of time working cross functionally at Google.
There's this Harvard Business Review article that was created and
I think it was the title was about managing a
company that has a lot of different silos, and one
of the things that they brought up is this idea
of cultural brokers, which are people who excel at
(49:42):
collaborating across different cultures and developing relationships that span
a lot of different areas. And to me, that's probably
one of the most important things with regards to collaboration
is when you're thinking about designing your team or when
you're thinking about you as an individual, making sure
that you can that you're putting people in roles that
(50:05):
are specifically focused on that cross functional collaboration. And in
this case, they use a cultural broker as the name
for that role, but it could just be spending time
to think about, oh, I need to actually not just
stay in my silo and work with different areas expanding
on that, There's two things that I think have helped
(50:26):
me a lot. One is making sure that you're always
shifting your perspective. So you could you could come to
the table and say, hey, this is a risky thing
to do, we should never do it. Right, the other
person on the other side of the table is going
to say, like, this is going to drastically transform the
future of the company, and the upside is tremendous, right,
(50:47):
and are you really going to stop them because of
because of the risk of it. So making sure you're
wearing the different hats and thinking about, Okay, this actually
is really good for the company in these ways, it
might be risky these other ways, So how do we
think about a middle ground? And so that shift in
perspective is important. The second thing, which I've already touched
(51:09):
upon a little bit, is focusing on what's best for
the company. So rather than just focusing on what's best
for your division, if you always anchor to here's where
we're going as a company, and here's what's best, whether
it's through mitigating the risk or enabling innovation, I think
you'll get to a better place over time, and you'll
strengthen those relationships cross functionally.
Speaker 1 (51:33):
One thing I'll just quickly add to that as someone
who's in a space that's non traditional as well, is
I think it's important to be and you did kind
of allude to this, is to be a trusted advisor,
So to develop a relationship because when you're not working
in a place like insurance, you know, when you're working
kind of outside of the space, you know.
Speaker 2 (51:51):
People rely very heavily on you.
Speaker 1 (51:53):
You know, when you're in a place where people don't
may not understand insurance and risk management as much, you
are the expert. People, like, for instance, I said, I
started my career working at a company with two hundred
plus actuaries. So they're a dime a dozen, there's lots of
people to rely on. But relatively speaking, when you go
outside of that comfort zone, you know, you're there's a
lot more reliance placed on you. So work to become
(52:14):
a trusted advisor and develop good relationships. I think that
can serve you in role.
Speaker 3 (52:19):
So yeah, I think you've You've put it succinctly, and
that's exactly kind of what I'm pointing to. So that's great.
Speaker 1 (52:26):
Great, So you know we've touched on quite a bit today,
Monica We've talked about risk management, what it means, the
risk landscape itself, what the risk management role looks like,
and how that may be different for an actuary. Moving
from a traditional space, the cloud and cybersecurity, and
you know, its prevalence in the technology world. We've
(52:48):
talked about technology and using that to add value for
risk management, and finally just the importance of collaboration. So
I think this will be, you know, a great episode
for the community and just looking forward to sharing it
and want to thank you so much for your time
and sharing your expertise.
Speaker 3 (53:06):
Excellent. Thank you so much. I'm very happy to be
here and I'm very excited to be part of this,
so thank you.
Speaker 2 (53:13):
You're welcome. Have a great weekend. You too.