
Why operational resilience is a strategic priority for insurance CROs


The second annual EY/IIF insurance risk management survey highlights the importance of resilience and how CROs aim to instill it.


In brief

  • Intensifying cyber, geopolitical and third-party risks, as well as evolving regulation, force insurance CROs to think multi-dimensionally across risk stripes. 
  • Beyond preparing for proliferating and interconnected risks, CROs are engaging in transformation initiatives designed to drive growth in a turbulent market. 
  • With more threats to ongoing operations, operational and financial resilience are key objectives for multiple risk management strategies and tactics.

The job of chief risk officers (CROs) in the insurance sector continues to grow more complex and challenging. With a huge range of threats facing the industry, many CROs are playing a larger strategic role, providing insights and guidance to the C-suite and the board and engaging business leaders on transformation programs. They are also prioritizing all forms of resilience – including operational and financial – to ensure the organization is ready for a broad range of potential developments.

Our survey results, along with our ongoing engagement with risk leaders across the industry, confirm that resilience is a focal point because of its close links to cyber, technology, third-party and regulatory risk. But broad industry trends – including new regulatory requirements for resilience, rising customer expectations for always-on services, increased reliance on third parties and the need to upgrade legacy technology – are other factors driving the focus on resilience. Because the intersection of traditional risk categories amplifies disruptive threats to the business, resilience has moved up the CRO agenda.

Findings from the second annual EY-IIF survey of insurance CROs show how resilience is both a critical concern for multiple types of risks and a key objective for much of the work risk management teams do. With our study confirming the need for CROs to prepare the business for anything, it’s no wonder that some firms are tailoring their overall risk management approaches to be resiliency-led. 

Download the EY/IIF global insurance CRO survey

Risk management has become a vital partner not only in measuring impacts but also in enhancing the company's resilience through understanding and evaluating potential future risks.

Why CROs are focusing on resilience now

There are multiple reasons for the renewed emphasis on resilience. Regulatory shifts are one factor.

Authorities in Europe, the UK and Australia have mandated stricter resilience requirements for insurers with the goal of maintaining critical services through disruptions. The Operational Resilience Objectives set out by the International Association of Insurance Supervisors are another example of higher standards. In our survey, respondents cited enterprise resilience regulations as raising the greatest concern regarding compliance, well ahead of capital and solvency requirements and cyber and data protections.

Considering the spectrum of existing and forthcoming regulations that impact your organization, please rank the following regulatory focus areas based on your organization's level of concern for ensuring compliance.


The financial crisis and pandemic have attuned regulators to the many potential sources of risk. As a result, insurers must now demonstrate they can withstand, adapt to and recover from operational disruptions such as cyber attacks, natural disasters, or system failures.

But regulation only partly explains why resilience is a focal point for CROs. The fundamental goal of keeping the business up and running properly in support of customers is every bit as important. While this is an objective for regulators, the reputational risk is significant for those firms that fail to meet basic customer obligations. Further, with customers expecting insurers to deliver the same rich, personalized experiences and anytime-anywhere access to critical services that businesses in other sectors provide, resilience is a baseline for growth.
 

When it comes to potential disruptions, cyber attacks top the list: 66% of respondents to our latest survey this year, up from 53% last year, said cyber threats will require the most attention in the next 12 months. That increase is a function of intersecting risks. Consider how CROs must ensure the business is protected and prepared for increasing cyber attacks that originate from geopolitical tensions and armed conflicts.
 

Third-party risks may also increase vulnerabilities to cyber attacks. Resilience is a critical consideration here, too, as more carriers rely on ecosystems to enrich service offerings, promote innovation and expand distribution. Regulators are also focused on the resilience implications of increased connectivity across the industry.
 

The same is true of technology risk: insurers can’t allow major systems implementations that replace legacy systems or cloud migrations to disrupt the business. This is an increasing concern with ongoing digitization of claims processing, increased automation in underwriting, the widespread use of cloud infrastructure and connectivity with third-party data sources. Failures of any component in increasingly complex IT environments can directly impact customers, raising the risk of operational breakdowns, reputational hits and penalties for non-compliance.
 

Because of these dynamics, increased operational resilience is now widely viewed as a target outcome – a key goal in setting strategies and tactics to manage many other types of risks. That helps explain why CROs are acting on multiple fronts to enhance resilience. 

How CROs aim to instill resilience

CROs are taking a multi-dimensional approach to enhance resilience capabilities. Governance and oversight (cited by 33% of CROs) and cyber (21%) top the list of enhancements to operational resilience. That shows the strategic importance of resilience across the business, while the next priorities, including critical business services frameworks, show the tactical dimensions of resilience.

What level of priority would you assign to each of the following areas of operational resilience for enhancements over the next five years?


Disaster recovery, business continuity, and crisis and incident management plans have been refreshed recently at many insurers, resulting in their relatively low level of priority in our results. But there is opportunity – and indeed a need – for CROs to push their teams to build on the strong foundations that have been laid. In our discussions with CROs and other industry executives, we have seen growing interest in principle-based approaches to operational resilience. Firms are working to develop frameworks, including formal definitions and rankings of critical services based on customer impacts. They are also mapping processes to services and defining specific impact tolerances.

Two-thirds of survey respondents said that operational resilience is addressed within organizational risk appetite indirectly (either through qualitative statements/analysis and supporting commentary within risk appetite reporting or via inclusion of related non-financial quantitative board risk appetite metrics). The good news is that only 5% of CROs say operational resilience is not addressed in the risk appetite.

 

How is operational resilience addressed within the organizational risk appetite?


Financial resilience is also a concern given widespread macroeconomic uncertainty. It’s likely that it would have ranked as an even greater priority in these results (particularly for large global players, specialty carriers and reinsurers) had our survey taken place in the spring of 2025.

What key enhancements is your company planning for financial risk management (e.g., credit, market, liquidity) over the next 12 months?


Certainly, operational resilience can be viewed in terms of minimizing the financial impacts of unexpected events. Some firms are revisiting their “recession playbooks” to ensure financial resilience in the event of an economic downturn. For CROs, it’s a reminder that capital management, liquidity and contingency plans must remain up to date at all times. 

CROs recognize the importance of human talent to effective risk management – and they’ve aligned their hiring priorities to the resilience imperative. Operational resilience skills are important for both the first and second lines of defense, according to our survey.

What are the most important skill sets required over the next five years?

[Charts: first line; second line]

Looking ahead, there’s little doubt that CROs will continue to prioritize resilience. And our research suggests that many risk management teams will be well positioned to advance from the solid foundation of capabilities they’ve established. As one CRO told us, “Now that we've matured core disciplines, the focus has shifted to embedding risk into strategy and in support of moving the organization forward.” Another said, “We have to show we are a connected part in deriving business value.” By strengthening resilience within their organizations, they will contribute significant strategic value to the business.

In conclusion

The rise of resilience-led risk management strategies reflects the need for CROs to continually focus their time, people and resources on the right and most impactful risks. The emphasis on maintaining operations for customers shows that CROs are increasingly business-oriented, rather than compliance-centric as was much more common in the past. To put it another way, resilience is important to insurers because it’s important to customers. Without resilience, insurers can’t fulfill the basic promise to be there for their customers in times of need.

The primary contributors for this article are Eamon McGinnity, UK Insurance Risk & Regulation Leader, EY LLP and Pierre Santolini, Europe Insurance Risk & Regulation Leader, Ernst & Young Advisory.


Summary

The second annual EY-IIF survey reveals that chief risk officers (CROs) in the insurance industry must engage more deeply in business operations and take bold actions to mitigate diverse risks. The findings emphasize the importance of CROs in driving organizational transformation and growth, positioning risk management as an enabling force. Amid regulatory and macroeconomic uncertainties, CROs have a unique opportunity to enhance their leadership roles. Recent events in early 2025 underscore the critical function of CROs in navigating an increasingly turbulent landscape, addressing concerns related to geopolitical, strategic, and market risks.
