Episode 2: Steve Keogh - Disruption All Over the Place
Steve Keogh, chief administrative officer for Commercial Risk Solutions at Aon, talks with Phil about how technological disruption is changing risk management. An example: there are hundreds of billions of dollars between what is recorded as a cyber loss and what is recorded in cyber premiums—and Aon wants to narrow that gap.
Steve also details how cyber risk has evolved beyond retail and healthcare to essentially all sectors—and how there’s a glaring lack of uniformity regarding who within companies should be on point when it comes to cyber risk management.
Welcome to Intelligence That Works. I'm Phil Rowley, executive director and chief revenue officer of global consulting firm, BRG.
Intelligence That Works is more than the name of this podcast. It's what makes BRG tick. We're questioners, challengers, even truth seekers, committed to uncovering the substance beneath the surface of the biggest issues and challenges facing business leaders today. We meet some innovative individuals along the way, and in each episode, I'll speak with one of them about change, leadership, and the possibilities that lie ahead. This podcast, like BRG itself, is about harnessing our collective expertise to deliver inspired insights and practical strategies that help organizations stay ahead of what's next.
In this episode, I'm very excited to speak with Steve Keogh, chief administrative officer for commercial risk solutions at Aon. I've had the great fortune to know Steve for many decades. We have both congratulated each other and commiserated with each other on certain developments throughout our careers. We're speaking with Steve from BRG’s offices in downtown Chicago. Steve, thanks for being here.
Well, thanks for including me. It's great to be here, and I look forward to our discussion.
Two observations. One, many people can't even fathom staying at one employer for thirty years in today's market, which is definitely a change. But you also started in a much different role as a financial analyst. As your job has changed and progressed, how have your views on leadership evolved?
So I've thought about it. I should first start off and say that I've been extremely privileged to serve under and with many leaders at Aon over my career, so I've had some great opportunities in being exposed to great leadership. But if I break this down into sort of almost decades, so right when I was out of school, within my 30s, my 40s, and my 50s today, I would say when I first started out of school, I was not really aware of leadership or what it required. But I did grow up caddying, and I was caddying for titans of industry at the time, which I wasn't really aware of. I just knew he was a CEO of something, rather.
And that helped me realize two things when I got into the working world. One is they were human beings. And two, they really cared about people, even the teenager who was carrying their golf bag at the golf club.
So really interesting perspective, again, when you look back. When I moved into my 30s, probably my first role in leading people, that was leaning on some of the things that really resonated to me from a leadership perspective. And it started with our CEO at the time, and that was Pat Ryan. Everything from Pat was about being visible, and really, everything came through a client perspective or a client lens. That's what mattered. So leading from his perspective of always thinking through a client lens.
Moving into my 40s, probably the part of the time where I was most influenced as a developing leader, critical to my path of development. And we had a new CEO come in: Greg Case. And Greg was really about listening and servant leadership. Again, all with that client lens, building on what I had learned the net decade of my 30s.
That's how I try to serve and lead today, is through that same type of lens of client first, moving then towards servant leadership, and then being a terrific listener.
Then when you get into your 50s, today, boy, with changing business dynamic, with disruption all over the place, I think in addition to the skills that I mentioned earlier, you really have to embrace strategic decisions through the use of data analytics and information that's at your fingertips today to sort of help drive the future and drive the vision of your firm. And so those are the things I think that today is, sort of leadership has evolved too as the business has changed to what I think is really important. And thanks for the question. It's actually fun to sort of look back on your career and think through those different stages.
And being a caddie is one of the toughest jobs one can have, so I commend you on that. And well said on that idea of empathy and listening, and then if you can combine that with more of the data analytics. Very, very powerful.
You talked about some of the evolution in the marketplace. Let's talk about how risk itself has evolved just in general. And I think the audience would be very interested to hear about cyber in particular.
Sure. Well, we have a very established substantial business today in the cyber world, everything from assessing to testing and quantifying to transferring risk and to responding to incidents of all shapes and sizes with our digital forensics and breach response capabilities.
But focusing on the insurance angle for a minute, cyber is unlike many traditional property and casualty insurance products in that the past is not indicative of the future. In very traditional insurance, you model out what's out there, and you can sort of predict how long someone's going to live or how many accidents there might be or what workers' comp is going to look like.
In cyber, we're so evolving and so rapidly changing. You don't actually have the ability to model it. It's sort of forward thinking to some extent. Twenty years ago, cyber risk was associated with an online presence, right, sort of dating ourselves. But it was online, so it was more around retail or healthcare or financial institutions with information and data. Moving through today, every organization has some form of technology or cyber touchpoint within their firm. The fact that the largest transportation company in the world doesn't have any vehicles, the largest hospitality firm in the world doesn't own any property—all enabled through technology. So things are changing so dramatically in terms of what we're seeing.
Nowadays, you're seeing it more in the traditional sectors like shipping, and they're tracking their goods all over the world. Manufacturing plants having a software malfunction and creating a product challenge for them. Cyber is continuing to move through all industries and all sectors, as it was where it started twenty years ago, in sort of a really finite area. And then you have the explosive growth of connected devices or the internet of things. It's fun. In this world, I mean, you read new things. I read stuff this morning—that I'm actually sort of talking about now—that I wasn't aware of twenty-four hours ago.
But in the internet of connected things, companies understand now—really, not fully understand, but understand how to deal with the cloud. But when you're talking internet of things, you're talking about now technology around the edge, right, where the decisions are made closer to the device itself, or the fog that's sort of sitting in-between the edge in the cloud of making decisions about where things actually should be processed. And those are just unique characteristics of working through cyber risk. So as technology is a great tool for efficiency and collaboration, it does change the threat landscape for companies, dramatically.
Yeah. And I think [we] both found what you said, that as you historically have underwritten risk, you were looking at historical results or impacts. That's how you're able to price it, etc., and assess the risk versus now there isn't that clear documentation.
Yeah. Interesting. I read one of your articles, and there was a great quote that you have, which is that organizations must continue to push. And you were talking specifically about brokers, about their markets around process and around product innovation—kind of building on what you just talked about with cyber. The article didn't go much into detail on what you meant by that. Would you mind just commenting?
We conduct a biennial survey of both private and public companies around the world to find what is on the top of minds of our clients. It's called the Aon Global Risk Management Survey. So they go through, and they pick what their highest risks are. So of the ten risks that they list as the top ten, many of them are underinsured or uninsurable today. So when you think about product innovation, right, we're talking about how do we bring capital to solve those risks? And those risks are things like economic slowdown. Damage to brand and reputation is an underinsured risk, not an uninsurable risk. You work through increasing competition, regulatory and legislative changes.
And one example I like to use is there's such a disparity of billions of dollars of value between what is recorded in cyber premiums and what is recorded as a cyber loss around the world. Hundreds of billions of dollars in disparity between the two. Our goal is, we want to challenge ourselves to narrow that gap. And the ways to narrow that gap are—it can be a little bit challenging because of the nature, again, harder to model risks, and [we] don't want to make it sound easy, that it's insurance capital that just needs to step up and provide solutions here, because it's, again, very unique. We talked earlier. The unique attributes around cyber risk.
When you want to spread risk from a property portfolio, you look at your portfolios and you say, "I'm only going to write certain property values in certain zip codes." And then you can say, "I'm only going to write certain amounts in this zip code." So you can spread your risk around catastrophes. You can spread your risk around this. But in cyber, you can't contain cyber risk. I mean, cyberattacks, right, are pervasive. They move quickly through an organization. It might start in the United States and go all over the world. So it's really difficult to contain and control cyber as a risk. So we're getting our arms around, as much as we can, how to bridge the gap between the disparity of those billions of dollars and try to bring more insurance solutions to close those gaps.
Steve, has there been a similar risk like cyber from the standpoint of that disparity or that difference between the actual premiums versus losses? Is there something historically that you could reference, or how has the process changed to deal with that?
It's just so new. I can't think of anything throughout my insurance career that creates that type of disparity.
Yeah. That's very, very interesting.
Then you asked about the—
That was sort of the product side of it. More on the process side—
On the process side. Yeah.
It's sort of pivot to what you hear today and see in Insurtech, right? So different things, similar to Fintech, similar to other types of technologies. But the firms are trying to change the way the industry works, right—the processes we use, how we engage with clients. And we need to continue to innovate as an industry to keep up with what our clients expect in their personal lives where they have instant access to everything. They have data analytics, and we can't be an industry that's lagging behind in our solutions.
So some of the efforts that you see today are driving efficiency in some of the more archaic practices that are still prevalent in the insurance industry, enhancing global connectivity through more productive collaboration with our clients, and simplifying kind of user access to data analytics, as just a few examples.
But one excellent example that sort of encompasses both product and process is addressing the needs of the digital economy, and you think about the gig economy. So on-demand insurance, right? It's not uncommon as you think today that you may be a consultant by day or night, and you may be driving for a ridesharing company to fill in other working hours. You may be a freelance writer filling in other working hours. And insurance needs to respond to that changing business model or changing employee model, again, providing some type of a capital solution that adheres to that new business model, which requires almost on-demand insurance. You need insurance as a rideshare driver. You might need insurance as a consultant, and you might need insurance as a freelance writer. And when I say on demand, sort of on and off, right? You don't buy it for when you're not using it. You buy it for when you're actually engaged. So that's sort of bringing together product, innovation, as well as process innovation from an on-demand perspective.
Steve, conceptually, how do you define risk management? As leaders, that's one of the things that all boards ask us about. How do you really define it?
Ten years ago, for us, risk management was just insurance. Now, the management of risk is front and center in all organizations these days, right, far more than just insurance purchasing as I suggested. But as companies look to enter new markets, launch new products, change business models, risks associated with any of those endeavors, any of those decisions is front and center as to whether they go or no go, certainly as it respects to launching products. And with the prevalence of cyber risk these days, the decisions on how to handle them span across two or three or even four individuals or departments inside organizations.
And I want to quote some stats. So a recent study by the Ponemon Institute posed a question to 2,400 individuals either in risk management or enterprise risk management that simply asked who in your company is most responsible for cyber risk management and requesting their top two choices. And they gave a list.
Amazingly, not one position garnered more than 25 percent of the votes, right, or of the nominations. Line of business leaders and CIOs were the two highest at 23 and 22 percent, respectively. Rounding it out were risk managers, CCOs, procurement, CFO, general counsels, and audit and compliance professionals. So not one garnered more. So when you go to our clients, and we want to talk about cyber risk, right, it's multiple entry points of trying to bring them together.
Yeah. With whom you should be speaking. Right.
But in reality, it is a collaborative decision at these firms. There is no blueprint, right, for any of these firms. So we want them to come in and understand, and everyone has a finite amount to invest in cyber risk. You could use it all to buy insurance. You could use it all to assess your firm or quantify your risk or go through testing exercises.
But we look to say the most efficient resource allocation related to your cyber money that you want to invest through that whole process without any real blueprint, but that sits across three or four departments sitting in most of our clients today.
Steve, that's interesting: the survey and not necessarily understanding who would manage that cyber risk and nobody having the dominant position. Talk about a career in risk management then, because I wouldn't have necessarily thought that it could be in four different divisions or departments, and who would find? Talk about a career in risk management. What does that mean now?
So the way we look at it is, there'll always be opportunities in the field of risk management. You go dating back to the 1600s, right, when insurance all started. And as businesses now continue to evolve, risk will remain a key enabler of driving business. Whether it be a risk manager or a broker consultant, advising in the field of risk will remain a high opportunity area for any professional.
With the spotlight on management of risk inside organizations today, risk advisors will be gaining insight to all various corners of the business. Where it used to be limited—they were the insurance buyer—now, they're actually at the table for key business decisions, again, launching product, changing business models. They're front and center in that, so gaining far greater insight.
And so as we continue to innovate and streamline the processes and datas that are key to risk management, it also opens up the opportunity to transition from a transactional nature to play an even more strategic role in your firm as a risk advisor. And that, we continue to see as really a key part of any future organization or risk management professional as we would look at it.
Yeah. To use that to your advantage, not sort of a necessary evil—with all due respect—but it's to use it to your advantage.
Yeah. Great. Steve, if we can, I want you to be a little bit of a futurist but also talk about another risk that you and I have spoken about, which is intellectual property. And obviously, we see—whether it's the issues in China, you just said Qualcomm and Apple as an example around licensing. A: talk a little bit about intellectual property, what that means from a risk management or an investment standpoint; and then, if you will, a little bit of a futurist perspective on what you see happening in the next decade.
If you had asked me in 1988 about cyber business, right, I probably would have not come close. I probably would've had to look at the Back to the Future movie series or a franchise or The Jetsons cartoons to think about what cyber actually might look like, let alone with such innocence, that it would ever be used for a crime or even terrorism. Really incredible from thirty years.
So asking me to think thirty years out—but intellectual property is a terrific one. Really has come on to our radars in the past twelve months. And when I say intellectual property, really talking sort of about that IP stack, trademarks, patents, copyrights, know-how, and trade secrets. But as an idea and as a concept, intellectual property goes back centuries, right? You only have to look at the history of patents in the United States that have accelerated. Ten million patents issued in the United States; half have been in the last forty-two years. A million have been in the last three years. So really, an acceleration.
But intellectual property is something that's always existed alongside business and innovation, but it's never really been considered as part of a firm's intrinsic value. That concept's starting to take hold. You're seeing a historical rotation from tangible assets to intangible assets in the firms.
If you go back thirty years, in the 1980s, the most valuable companies in the world all created or sold tangible goods, ExxonMobil, IBM, GE. And you fast-forward today, and our most valuable companies include the likes of Microsoft, Alphabet, Facebook, those who generally do not sell tangible goods. Of course, they have some, but they generally do not sell tangible goods.
And that of itself is a challenge for insurers and companies alike trying to protect their intellectual property, trying to protect their intangible assets. Goods like barrels of oil or microchips, you actually can put a value on them. We sort of know what the value is. We can determine what the value is. But figuring out what software code is worth, sort of a really different dynamic when trying to address that from an insurability standpoint. And as a result, you have one of the most significant asset classes in business today that's not well understood or adequately considered in business operations or transactions like M&A, legal, finance, insurance, etc. And so we're left with an inefficient and an inaccurate conclusion on pricing, risk, opportunity, and other factors.
And this is a global issue, right? This is in the European Patent Office. This is in China as much as it's in the United States. Every country approaches it a little bit differently. They actually do work together, but everyone does approach it a little bit differently with different laws and different regulations, which only adds to our complexity.
And so we've made quite a few investments, both on the M&A side and on the organic side, to address what we see as one of tomorrow's challenges and opportunities that businesses will face. We're very uniquely positioned today to advise firms on IP as a business strategy, from startups to pre-IPO to IP-rich firms. Building solutions to help them drive greater value out of their IP set. We've already seen damage from intellectual property matters such as litigation over patent or trade secret infringement, as you well know. This type of litigation is only expected to grow both in impact and in frequency. We are currently seeing significant activity in placing insurance solutions to assist with IP liability. We're also seeing strong interests in helping organizations protect and even insure their highly valued trade secrets. We see a day where there'll be an opportunity to drive a lending solution with IP used as collateral.
But IP, as an asset class, will continue to grow, and we believe that insurance capital and flexibility will be required to drive solutions in the IP space.
That's powerful. When you think about transfer pricing, when you think about tax regimes, yeah, incredible. Incredible.
Well, Steve, absolutely enjoyed our conversation. I think some of my takeaway is around empathy. At the same time, you're very analytical. The taking the time to put into place a great process and sticking to that process and then trying to really think about it, being client serving. I think those are just very powerful lessons. Thank you so much for your time. Really appreciate it.
It's great to be here, and thanks for having me.
Thanks. This podcast is brought to you by BRG. You can find episodes wherever you get your podcast or on our website, thinkbrg.com. And please don't forget to give us a review on iTunes. I'm Phil Rowley. Thanks for listening.
The views and opinions expressed in this podcast are those of the participants and do not necessarily reflect the opinions, position, or policy of BRG, its employees or affiliates.