Tag Archives: chief risk officer

Cognitive Dissonance and the CRO

Could F. Scott Fitzgerald have had chief risk officers (CROs) in mind when he wrote, “The test of a first-rate intelligence is the ability to hold two opposed views in the mind at the same time and still retain the ability to function”?

Probably not. But, based on recent discussions with some leading insurance CROs and my own experience in the industry, there are a surprising number of circumstances where a CRO needs to accommodate two opposing views. Exploring these circumstances can shed some interesting light on how the CRO role has evolved over the last several years and where it may be heading.

CROs’ early focus was on the development and implementation of economic capital and a concerted effort to meet enhanced regulatory expectations. It is now more nuanced.

Economic capital: A rule that needs to be followed and a model that needs to be questioned

The development and utilization of economic capital (EC) is a good starting point to explore the CRO’s cognitive dissonance. Economic capital is a powerful and indispensable concept, arguably the most powerful weapon in the CRO’s arsenal. It allows insurers to quantify many of their most important risks in precise monetary terms that can be translated into precise actions, for example, “add this much to the product price to accommodate its risks” or “buy this asset, not that asset, because it has a better risk-adjusted return.”

For economic capital to do its work, it needs to be a rule that is followed. From its most comprehensive manifestation – the expected level of capital that the insurer should hold – to the tolerances and limits that inform pricing decisions and individual asset transactions, insurers need to build economic capital values into their decision-making fabric.

At the same time, the CRO recognizes that the economic capital values are model output. They depend on a lot of assumptions. And the underlying methodology, that risk is best quantified as the upper bound of a high confidence interval such as 99% or 99.5%, is only one of many meaningful options. The CRO should develop insight into how other assumptions and methodologies would affect business decision making. Furthermore, risk managers also need to employ completely different tools, like stress testing. And these could lead to new and conflicting insights that the CRO needs to reconcile with economic capital’s definitive outcomes.
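To make the two readings of EC concrete, here is an added Python example (not from the original article and not any insurer's model): it treats EC as the 99% or 99.5% quantile of a constructed lognormal loss sample less the expected loss, shows how the number moves when the confidence level or the volatility assumption changes, computes expected shortfall as one of the alternative methodologies, and runs a deterministic rate-shock stress test (the same shock-the-rate pattern the mortality and longevity paragraph below describes) to see when a scenario implies more capital than the EC rule. The lognormal distribution, its parameters, the sample size and the shock multipliers are all illustrative assumptions.

```python
import math
import random
from statistics import mean

# Constructed sample: annual aggregate loss expressed as a multiple of expected
# claims, drawn from a lognormal distribution. Illustrative only, not calibrated.
def simulate_losses(n=20000, mu=0.0, sigma=0.5, seed=7):
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


def quantile(losses, alpha):
    """Empirical alpha-quantile: the upper bound of a one-sided confidence
    interval at level alpha (e.g. 0.99 or 0.995)."""
    s = sorted(losses)
    idx = min(len(s) - 1, math.ceil(alpha * len(s)) - 1)
    return s[idx]


def economic_capital(losses, alpha):
    """EC as commonly defined: the unexpected loss at confidence alpha, i.e.
    the alpha-quantile less the expected (already priced-for) loss."""
    return quantile(losses, alpha) - mean(losses)


def expected_shortfall(losses, alpha):
    """A different tail measure on the same data: the average loss in the
    (1 - alpha) worst tail, again less the expected loss. Same assumptions,
    different methodology, different capital number."""
    q = quantile(losses, alpha)
    tail = [x for x in losses if x >= q]
    return mean(tail) - mean(losses)


def stress_test(losses, rate_multiplier):
    """Deterministic scenario: the loss rate is rate_multiplier times the base
    case (a pandemic-style rate shock). Returns the loss above expectation,
    so it is directly comparable with the EC figures above."""
    base = mean(losses)
    return base * rate_multiplier - base


def sensitivity_table(alphas=(0.99, 0.995, 0.999), sigmas=(0.5, 0.8)):
    """How the capital number moves when the confidence level or the
    volatility assumption changes. Keyed by (sigma, alpha)."""
    table = {}
    for sigma in sigmas:
        losses = simulate_losses(sigma=sigma)
        for alpha in alphas:
            table[(sigma, alpha)] = {
                "ec": economic_capital(losses, alpha),
                "es": expected_shortfall(losses, alpha),
            }
    return table


def reconcile(losses, alpha, rate_multiplier):
    """Flag the case the CRO has to reconcile: a stress scenario that implies
    more capital than the EC rule at the chosen confidence level."""
    ec = economic_capital(losses, alpha)
    stressed = stress_test(losses, rate_multiplier)
    return {"ec": ec, "stress": stressed, "stress_exceeds_ec": stressed > ec}


if __name__ == "__main__":
    for (sigma, alpha), row in sensitivity_table().items():
        print(f"sigma={sigma} alpha={alpha:.3f}  EC={row['ec']:.2f}  ES={row['es']:.2f}")
    losses = simulate_losses()
    for mult in (2.0, 4.0):
        print(f"x{mult} rate shock at 99.5%:", reconcile(losses, 0.995, mult))
```

Running it shows the point of the paragraph: the EC figure is a rule that pricing and limit decisions can follow, yet moving the confidence level from 99% to 99.5%, raising the volatility assumption, or switching to expected shortfall each gives a different number from the same data, and a sufficiently severe rate shock produces a capital need the EC quantile never signals.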

The dissonance engendered by economic capital presents a particular challenge for CROs with long experience in insurance ERM. More than any other development, economic capital was the progenitor of enterprise risk management (ERM). Before economic capital, ERM consisted primarily of risk lists and heat maps. Economic capital provided a solid foundation to decision making, particularly related to credit and market risks in the period leading up to and during the last recession. But, as the industry evolves, and credit and market risk taking has stabilized and often declined, new risk and new ways of managing risk need more attention. CROs who grew up with economic capital as the defining feature of their job may need to exert special effort to champion non-EC tools’ decision making potential.

See also: Insurance CROs: Shifting to Offense  

As Isaiah Berlin noted in “The Fox and the Hedgehog,” “A fox knows many things but a hedgehog one important thing.” Considering the importance of EC in the emergence of ERM, it is reasonable to think of the risk function as a very quant-oriented one. Calculating EC is a complex undertaking requiring a high level of mathematical and financial acumen. Certainly it is a great example of “one important thing.”

However, other, equally important aspects of the CRO role need a much broader vision. In keeping an eye out for emerging sources of risk and new challenges, it would be good to know “many things.” We have noticed that successful operational risk management efforts feature a multifaceted mindset when helping businesses recognize and manage these risks. Contrast this with model risk management, where a more single-minded focus is required.

Even within the narrow world of some traditional risk thinking, taking a broader view could yield innovative and profitable outcomes. For example, mortality and longevity risk is almost universally viewed one way: from a retrospective experience perspective, with mortality rates varying by age and gender. Risk values are generated by shocking these rates: upward for mortality (representing the impact of a pandemic) and downward for longevity (representing significant medical advances in treating deadly diseases). But broader, informed thinking by an individual or a group could find an alternative, likely one that looks at underlying fundamentals and uses advanced analytics to develop better and more actionable insight.

As ERM continues to develop, both hedgehogs and foxes are necessary. And the CRO needs to be able to effectively communicate with and manage both.

Putting a price on priceless information

In a business that is all about taking risk, most senior management teams certainly would rank good information about risk as essential to the effective management of their business. To call this information “priceless” would not be an exaggeration.

The last recession put great pressure on regulators and, through them, on insurance companies to quickly upgrade their risk capabilities. For many regulators, the cost of achieving these upgrades was much less of a concern than thoroughness and completeness. Both of these forces, business need and regulatory pressure, put significant demands on the risk function. Faced with these demands, it has been fairly easy to put programs and people in place that address acute needs without being unduly constrained by program price.

However, the absence of price constraints has obvious negative implications. Any business has limited resources. And, for much of the insurance industry, the trends in customer demands and purchase/service platforms are away from high-margin options. Furthermore, the lack of spending discipline can easily lead to maintaining a status quo that overspends on some areas and ignores others. As priceless as good risk information can be, some is more valuable than other information, and some can be produced with the same value but at a lower cost.

Implications: Where is ERM heading and how can CROs prepare?

The CRO’s role has evolved significantly over the last several years. CROs’ early focus was on the development and implementation of EC and a concerted effort to meet enhanced regulatory expectations.

See also: Major Opportunities in Microinsurance  

The trend now is more nuanced. CROs are trying to address more qualitative risks and incorporate a business-centric focus. With this in mind, we offer some suggestions:

  1. CROs would do well to take stock of their current ERM program inventory. What are the approximate costs of different programs? Are they meeting objectives and are those objectives still as important as when the programs were initially established? Is there an overlap? For example, does stress testing address only the same risks EC already covers effectively, and if so, would it make sense to deploy resources in a different way?
  2. In taking stock of current benefits, ERM efforts that enhance shareholder value should be receiving high priority. Considerations focused on pricing and new business challenges present a good opportunity to use risk knowledge to add value, not just conserve it.
  3. Lastly, consider if reshaping emphasis across the program portfolio requires some ERM team members to alter their orientation, e.g. behave more like “foxes.” Or, if there’s a need, consider adding new team members with the required skills and mindset.

As ERM continues to develop, both hedgehogs and foxes are necessary.

2018 Predictions on Cybersecurity

As cyber attacks increasingly threaten every aspect of business and grow in volume and scale, companies will be forced to take new measures to address cybersecurity risk holistically, integrating it more aggressively into their enterprise risk management, according to our cyber solutions industry specialists in the 2018 Cybersecurity Predictions report. The report outlines a number of specific actions that Aon believes companies will take in 2018 to address cyber threats, as well as other cyber trends that we anticipate in the New Year.

“In 2017, cyber attackers created havoc through a range of levers, from phishing attacks that influenced political campaigns to ransomware cryptoworms that infiltrated operating systems on a global scale. With the growth of the Internet of Things (IoT), we have also witnessed a proliferation of distributed denial-of-service (DDoS) attacks on IoT devices, crippling the device’s functionality,” said Jason J. Hogg, CEO, Aon Cyber Solutions. “In 2018, we anticipate heightened cyber exposure due to a convergence of three trends: first, companies’ increasing reliance on technology; second, regulators’ intensified focus on protecting consumer data; and third, the rising value of non-physical assets. Heightened exposure will require an integrated cybersecurity approach to both business culture and risk management frameworks. Leaders must adopt a coordinated, C-suite-driven approach to cyber risk management, enabling them to better assess and mitigate risk across all enterprise functions.”

The 2018 predictions look at the ways in which the increasing scale and impact of cyber attacks, coupled with companies having to accept more liability and accountability over cyber attacks, will lead to significant changes in the corporate landscape. The report predicts an expanding role for the chief risk officer (CRO), the importance of implementing multi-factor authentication, the increased threats from insiders and an expansion of bug bounty programs in new sectors.

See also: How Good Is Your Cybersecurity?  

Highlights of the report include:

  • Businesses adopt standalone cyber insurance policies as boards and executives wake up to cyber liability. As boards and executives experience and witness the impact of cyber attacks, including reduced earnings, operational disruption and claims brought against directors and officers, businesses will turn to tailored enterprise cyber insurance policies, rather than relying on “silent” components in other policies. Adoption will spread beyond traditional buyers of cyber insurance, such as retail, financial and healthcare sectors, to others vulnerable to cyber-related business disruption, including manufacturing, transportation, utility and oil and gas.
  • As the physical and cyber worlds collide, chief risk officers take center stage to manage cyber as an enterprise risk. As sophisticated cyber attacks generate real-world consequences that affect business operations at increasing scale, C-suites will wake up to the enterprise nature of cyber risk. In 2018, expect CROs to have a seat at the cyber table, working closely with chief information security officers (CISOs) to help organizations understand the holistic impact of cyber risk on the business.
  • Regulatory spotlight widens and becomes more complex, provoking calls for harmonization. EU holds global companies to account over GDPR violation; big data aggregators come under scrutiny in the U.S. In 2018, regulators at the international, national and local levels will more strictly enforce existing cybersecurity regulations and increase compliance pressures on companies by introducing new regulations. Expect to see EU regulators holding major U.S. and global companies to account for GDPR violations. Across the Atlantic, big data organizations (aggregators and resellers) will come under scrutiny on how they are collecting, using and securing data. Under the burden of significant and ever-increasing regulatory pressures, industry organizations will push back on regulators, calling for alignment of cyber regulations.
  • Criminals look to attack businesses embracing the Internet of Things, in particular targeting small to mid-sized businesses providing services to global organizations. In 2018, global organizations will need to consider the increased complexities when it comes to how businesses are using the IoT in relation to third-party risk management. The report predicts large companies will be brought down by an attack on a small vendor or contractor that targets the IoT, using it as a way into their network. This will serve as a wake-up call for large organizations to update their approach to third-party risk management, and for small and mid-sized businesses (SMBs) to implement better security measures or risk losing business.
  • As passwords continue to be hacked, and attackers circumvent physical biometrics, multi-factor authentication becomes more important than ever. Beyond passwords, companies are implementing new methods of authentication – from facial recognition to fingerprints. However, these technologies are still vulnerable, and, as such, the report anticipates that a new wave of companies will embrace multi-factor authentication to combat the assault on passwords and attacks targeting biometrics. This will require individuals to present several pieces of evidence to an authentication instrument. With the new need for multi-factor authentication and consumer demand for unobtrusive layers of security, expect to see the implementation of behavioral biometrics.
  • Criminals will target transactions that use reward points as currency, spurring mainstream adoption of bug bounty programs: Companies beyond the technology, government, automotive and financial services sectors will introduce bug bounty platforms into their security programs. As criminals target transactions that use points as currency, businesses with loyalty, gift and rewards programs – such as airlines, retailers and hospitality providers – will be the next wave of companies implementing bug bounty programs. As more organizations adopt the programs, they will require support from external experts to avoid introducing new risks with improperly configured programs.
  • Ransomware attackers get targeted; cryptocurrencies help ransomware industry flourish. In 2018, ransomware criminals will evolve their tactics. The report predicts that attackers utilizing forms of benign malware—such as software designed to cause DDoS attacks or launch display ads on thousands of systems—will launch huge outbreaks of ransomware. While attackers will continue to launch scatter-gun-style attacks to disrupt as many systems as possible, the report predicts an increase in instances of attacks targeting specific companies and demanding ransom payments proportional to the value of the encrypted assets. Cryptocurrencies will continue to support the flourishing ransomware industry overall, despite law enforcement becoming more advanced in their ability to trace attacks, for example through bitcoin wallets.
  • Insider risks plague organizations as they underestimate their severe vulnerability and liability while major attacks fly under the radar. In 2017, businesses underinvested in insider risk mitigation strategies, and 2018 will be no different. According to the report, a continued lack of security training and technical controls, coupled with the changing dynamics of the modern workforce, mean the full extent of cyber attacks and incidents caused by insiders will not become fully public. Many companies will continue to respond to incidents behind closed doors and remain unaware of the true cost and impact of insider risk on the organization.


Insurance CROs: Shifting to Offense

EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works in progress or continuing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.

There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.

See also: The State of Risk Oversight in 2017  

CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk and Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.

Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):

  • From relative stability to disruption
  • From clear and well-understood threats to emerging and unknown risks
  • From serving as a control function to partnering with the business
  • From focusing on the risks of action to promoting innovation and avoiding the risk of inaction

See also: Key Misunderstanding on Risk Management  

Where CROs mostly played defense in focusing on compliance and regulatory activities after the crisis, many have started to move on to a more active, business-driven posture, with greater emphasis on adding value through the efficient delivery of ERM.


Global Insurance CRO Survey 2016

Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided chief risk officers (CROs) with a seat at the table in the highest levels of the organization.

2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.

The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes — and use them to achieve greater effectiveness.

See also: The Myth About Contractors and Risk  

This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:

1. There has been a high degree of operationalization in prudential regulation around the globe:

  • In Europe, in response to Solvency II demands
  • In the U.S., as a consequence of the NAIC’s ORSA requirement and for the larger insurers, SIFI demands from the Federal Reserve Board
  • In Asia-Pacific, with the implementation of risk-based capital regimes (e.g. C-ROSS in China, LAGIC in Australia, ORSA requirements in Singapore and ICAAP in Malaysia)

2. We are seeing a sharper focus on consumer-conduct regulation:

  • The U.S. Department of Labor is shaking up focus on the advice model.
  • The European Parliament is debating significant advances in policyholder communications, and various European home regulators are demanding redress for past failings in sales process, transparency of charges and continuing product suitability.
  • Depending on the region, it is more or less common for CROs to have compliance report through to them.

3. Governance models are now largely converging to reflect the three lines of defense principles.

Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there still are opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.

4. Risk functions are becoming more involved in producing and monitoring risk metrics.

This shift in risk functions is driven partly by larger insurers subject to Solvency II, which are now required to obtain approval of their internal economic capital models.

Beyond Europe, other jurisdictions have a variety of approaches. For example, U.S. insurers subject to Federal Reserve regulation are required to use more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).

See also: Minority-Contracting Compliance — Three Risks  

In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.

5. CROs are aware of the potential for improvement in operational risk management.

While businesses generally understand the “known knowns,” risk plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.

Download the full North American report here.

Download the full EMEIA report here.

Key Misunderstanding on Risk Management

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now senior fellow and Marvin Bower professor of leadership development, emeritus at the Harvard Business School. (I have never had the privilege of meeting him.)

His colleague, Anette Mikes, was with him at Harvard, and she is now professor of accounting and control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes her. (I have heard her speak but have never met her one-on-one.) She has made important contributions to the academic study of risk management that includes a case study of John Fraser’s Hydro One and a similar case study on Lego.

I have shared my thoughts with her on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School working paper, “Risk Management – the Revealing Hand.”

While there is some value in the paper — such as its insistence that risk management must be continuous as well as its discussion of overreliance on models — it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organizations to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believe risk management supports their ability to develop and execute on business strategy very well.

See also: How to Remove Fear in Risk Management

How can risk management practitioners demonstrate value and significantly contribute to the success of an organization when they:

  • Focus on a list of potential harms;
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics; and
  • Talk in technobabble instead of the language of the business?

I see risk management as about the following:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization toward its objectives.
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives and what (if anything) we need to do about it.
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo.
  • Knowing how to evaluate the potential for any event or situation to have good, bad or a combination of good and bad effects — and providing a structured process for making decisions about the path forward.
  • Promoting intelligent and effective management that enables the organization to succeed.

Kaplan and Mikes say there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note: EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is the conclusion by Kaplan and Mikes because they don’t understand what risk management should be, that it is not about managing a list of potential harms (what Jim DeLoach calls “enterprise list management”)? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out, or would you dismiss the pessimist with disdain?

Here are just a few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go.” – COSO (the acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which published “Internal Control—Integrated Framework” in 1992).
  • “[Risk management enables] a greater likelihood of achieving business objectives [and] more informed risk-taking and decision-making.” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in [and affects] everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business — meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk (management) is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved.” – Deloitte

I can tell you that the risk management programs at Hydro One and Lego do not limit their work to potential harms. They consider the potential for reward as well as harm and work to help management succeed.

See also: Moving to Real-Time Risk Management

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it is because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks (enterprise list management).

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the chief risk officer (CRO) gives him is a list of what could go wrong? The CEO needs help to see what might happen, both good and bad, and what to do about it. In other words, the CEO needs to see risk management as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we convince both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.
