Global Insurance CRO Survey 2016
How the risk function could ultimately form the organizational backbone of successful insurers
Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided CROs with a seat at the table in the highest levels of the organization.
2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.
The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes, and utilize them to achieve greater effectiveness.
This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:
There has been a high degree of operationalization in prudential regulation around the globe:
We are seeing a sharper focus on consumer-conduct regulation:
Governance models are now largely converging to reflect the three lines of defense principles.
Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there are still opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.
Risk functions are becoming more involved in producing and monitoring risk metrics.
Larger insurers subject to Solvency II and now required to obtain approval of their internal economic capital models are partly behind this shift in risk functions.
Beyond Europe, other jurisdictions have a variety of approaches. For example, US insurers subject to Federal Reserve regulation are required to utilize more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).
In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.
CROs are aware of the potential for improvement in operational risk management.
While businesses generally understand the “known knowns,” risk plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.