night and star scene of stone arc in wadi rum jordan

Five areas for insurance CROs to focus on during transformation

The inaugural EY/IIF insurance risk management survey shows how CROs are strengthening core capabilities and serving as strategic advisors.

In brief

  • Proliferating and interconnecting threats that transcend traditional risk management categories have made insurance CROs’ jobs more difficult than ever
  • CROs must balance protecting the enterprise with ensuring the organization takes on sufficient risk to prompt innovation and growth.
  • The results of our global survey present a useful baseline for understanding industry standards and identifying emerging best practices.

Chief risk officers (CROs) in the insurance sector have never had a more diverse or more urgent set of priorities on their plate than they do today. The job description goes far beyond protecting the enterprise from proliferating risks today and preparing for emerging threats tomorrow. CROs are increasingly involved with business and technology transformations designed to promote innovation and growth and will be on point to provide timely and insightful perspectives across a range of risk management and regulatory topics.

The results of the first annual EY/IIF survey of insurance CROs reveal the many dimensions of the position today and the many hats CROs must wear. Our study confirms specific areas where they can – and already – provide timely insights and guidance to the C-suite, the board and leaders on the front lines of the business. CROs are well-suited to this strategic role, given that they have one of the broadest, big-picture views of insurance companies.

Download the Risk management in a time of transformation.

Participating insurance companies were fairly diverse in terms of asset size, geographic reach and line of business (property and casualty, life, health, reinsurance and specialty). Regionally, those companies were headquartered in Asia-Pacific (18%), Europe (54%), Africa (6%) and North America (22%).

Risk is one of the few seats that truly looks across the organization and has one of the broadest views of the enterprise

For CROs to contribute strategically, they must first establish a foundation of robust and effective risk management practices that protect the core assets of the business and the brand. Our survey findings illustrate the progress insurers have made on the journey to fully mature, high-performance risk management functions.

From our research, we have identified five strategic aspects of the CRO role in insurance today, reflecting key areas where they can help the organization identify risks accurately and proactively, manage them effectively and grow sustainably.

1. Focusing on the future: identifying emerging risks and devising strategies to stay ahead of them

Seeing around corners has always been part of CROs’ jobs, but never before have they had to consider such a wide variety of threats, each of which is massively complex and highly dynamic. Cyber, geopolitical, technology and climate risk – these emerging risks are all evolving rapidly and can pose severe threats to insurers on multiple fronts.

We can’t be sure what the next ‘big thing’ will be, but we know to expect it as a risk function going forward.

The intersections between these risk categories make CROs’ jobs that much harder. Consider how geopolitical risks have led to more cyber attacks and created more macroeconomic volatility. Similarly, the rising uptake of GenAI may lead to larger talent gaps, while also disrupting the workforce.

2. Engaging on technology transformation: supporting the digitization of the business for sustainable growth

CROs in insurance have long sought to overcome the common perception that they are innovation inhibitors. Our research participants made clear that they want to enable growth and innovation and engage – even lead – on the company’s most important transformation initiatives. From large-scale technology upgrades and extensive process automation to new product development and omni-channel customer engagement models, these transformation efforts touch every part of the organization, including front-office processes and back-office functions.

We might be too risk averse as it relates to innovation. Are we willing enough to fail and learn, versus trying to avoid risk?

Engaged CROs can provide vital inputs in cost-benefit analyses, evaluation of alternative strategies and sourcing models, assessment of regulatory impacts and other areas. The good news is that the vast majority of CROs are involved in some capacity. But there’s ample opportunity to contribute value to every step of the process, from design and testing through implementation.

3. Leading on AI: setting the stage for innovation with strong governance models

The heightened risks AI presents call for a robust approach to governance and oversight. CROs understand the need to strengthen existing standards for data security and privacy and adopt new standards to address concerns about ethics and biased outputs, among other regulatory concerns.

The risk that insurers don’t do enough to embrace GenAI to drive innovation and business transformation should also be on CROs’ radars.

Our results highlight the need for CROs to be assertive in leading the development of new governance frameworks and policies to manage risks associated with all forms of AI and machine learning. Only 28% of insurers have established AI governance structures, roles or responsibilities, according to our survey respondents, though 60% say their firms are investigating or are in the process of implementing such structures. Similarly, only 26% of CROs say their companies have established controls to ensure responsible use of AI and machine learning in decision-making, with 50% of CROs saying their companies are investigating or have implementations underway.

Oversight of AI
Proportion of insurers that have established AI governance structures
Oversight of AI
Proportion of insurers that have established controls to ensure responsible use of AI/ML in decision-making

4. Driving efficiency and effectiveness in the risk management function: the pursuit of operational excellence

In taking tangible actions to address both financial and non-financial risks, CROs must constantly ask themselves if they are dedicating time and resources to the right risks. Extending automation to incorporate more processes will help establish lean, highly efficient and productive operations and streamline traditional tasks.


CROs currently see inefficiencies in several key areas today, including reporting and monitoring according to 58% of survey respondents), control testing (48%) and risk assessment (42%). Looking ahead, CROs are looking to advance analytics and AI to enhance several critical risk management activities.

Highly efficient processes at the core of risk management operations help CROs deliver outstanding returns on investments in sophisticated risk modeling, threat detection, data visualization and other advanced capabilities. They also create time and capacity to focus on strategic matters, including advising business leaders and the board.

5. Instilling a strong risk culture across the business: promoting a higher risk IQ

Building strong risk cultures may be the most important task CROs undertake. More than half (55%) of our survey respondents cited it as the number-one way their role will evolve in the next five years, followed by serving as a strategic advisor to the business (52%).

The evolution of the CRO role
Proportion of CROs who cite embedding a strong risk culture across three lines of defense as a significant way their role will evolve

While the insurance business has always been about risk management, CROs must ensure the organization has a nimbler mindset and agile approach to identifying risks and moving quickly to get ahead of them. That means engaging their counterparts in the business.

Strengthening risk cultures will need to be a priority in the future, given that our results show relatively few firms actively prioritize and encourage risk-informed thinking and action across the entire organization. When CROs and business leaders work together to embed risk mindsets into the business, firms will be better positioned to deliver safe innovation and sustainable growth.

A strong risk culture is very important, especially if there are conflicts between the first and second lines. The key is to make sure all voices are heard.

In conclusion

As complex as insurance CROs’ jobs have become in recent years, they won’t be getting any easier anytime soon. Cyber, climate and regulatory risk all look to be more challenging in the years ahead, as will maintaining operational resilience. Geopolitical risks, macroeconomic volatility and demographic shifts add to the backdrop of unpredictability. CROs can serve as beacons, providing insight to C-suites and boards across the industry and helping them navigate the challenging road ahead. Even as they make a greater strategic contribution, CROs can continue to strengthen the core of technical and tactical risk management capabilities. We look forward to charting their progress in future insurance CRO surveys with the IIF.


Chief risk officers in the insurance sector have never had a more diverse or more urgent set of priorities on their plate than they do today. There are many challenges ahead and they won’t be getting any easier anytime soon.

The inaugural EY/IIF insurance risk management survey shows how CROs, even as they make a greater strategic contribution, can continue to strengthen the core of technical and tactical risk management capabilities.

Related articles

How increased trust and transparency can unlock growth

Explore the EY Global Insurance Industry Outlook. Learn more.

29 Nov 2023 Isabelle Santenac + 3