EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works in progress or continuing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.
There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.
CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.
Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):
- From relative stability to disruption
- From clear and well-understood threats to emerging and unknown risks
- From serving as a control function to partnering with the business
- From focusing on the risks of action to promoting innovation and avoiding the risk of inaction