Tag Archives: cro

Cognitive Dissonance and the CRO

Could F. Scott Fitzgerald have had chief risk officers (CROs) in mind when he wrote, “The test of a first rate intelligence is the ability to hold two opposed views in the mind at the same time and still retain the ability to function”?

Probably not. But, based on recent discussions with some leading insurance CROs and my own experience in the industry, there are a surprising number of circumstances where a CRO needs to accommodate two opposing views. Exploring these circumstances can shed some interesting light on how the CRO role has evolved over the last several years and where it may be heading.

CROs’ early focus was on the development and implementation of economic capital and a concerted effort to meet enhanced regulatory expectations. It is now more nuanced.

Economic capital: A rule that needs to be followed and a model that needs to be questioned

The development and utilization of economic capital (EC) is a good starting point to explore the CRO’s cognitive dissonance. Economic capital is a powerful and indispensable concept; arguably the most powerful weapon in the CRO’s arsenal. It allows insurers to quantify many of their most important risks in precise monetary terms that can be translated into precise actions, like “add this much to the product price to accommodate its risks” or “buy this asset not that asset because it has a better risk-adjusted return.”

For economic capital to do its work, it needs to be a rule that is followed. From its most comprehensive manifestation – the expected level of capital that the insurer should hold – to the tolerances and limits that inform pricing decisions and individual asset transactions, insurers need to build economic capital values into their decision-making fabric.

At the same time, the CRO recognizes that the economic capital values are model output. They depend on a lot of assumptions. And the underlying methodology, that risk is best quantified as the upper bound of a high confidence interval such as 99% or 99.5%, is only one of many meaningful options. The CRO should develop insight into how other assumptions and methodologies would affect business decision making. Furthermore, risk managers also need to employ completely different tools, like stress testing. And these could lead to new and conflicting insights that the CRO needs to reconcile with economic capital’s definitive outcomes.

The dissonance engendered by economic capital presents a particular challenge for CROs with long experience in insurance ERM. More than any other development, economic capital was the progenitor of enterprise risk management (ERM). Before economic capital, ERM consisted primarily of risk lists and heat maps. Economic capital provided a solid foundation to decision making, particularly related to credit and market risks in the period leading up to and during the last recession. But, as the industry evolves, and credit and market risk taking has stabilized and often declined, new risks and new ways of managing risk need more attention. CROs who grew up with economic capital as the defining feature of their job may need to exert special effort to champion non-EC tools’ decision-making potential.

As Isaiah Berlin noted in “The Fox and the Hedgehog,” “A fox knows many things but a hedgehog one important thing.” Considering the importance of EC in the emergence of ERM, it is reasonable to think of the risk function as a very quant-oriented one. Calculating EC is a complex undertaking requiring a high level of mathematical and financial acumen. Certainly it is a great example of “one important thing.”

However, other, equally important aspects of the CRO role need a much broader vision. In keeping an eye out for emerging sources of risk and new challenges, it would be good to know “many things.” We have noticed that successful operational risk management efforts feature a multifaceted mindset when helping businesses recognize and manage these risks. Contrast this with model risk management, where a more single-minded focus is required.

Even within the narrow world of some traditional risk thinking, taking a broader view could yield innovative and profitable outcomes. For example, mortality and longevity risk is almost universally viewed one way: from a retrospective experience perspective, with mortality rates varying by age and gender. Risk values are generated by shocking these rates; upwards for mortality (representing the impact of a pandemic) and downward for longevity (representing significant medical advances in treating deadly diseases). But broader, informed thinking by someone or a group could find an alternative, likely one that looks at underlying fundamentals and uses advanced analytics to develop better and more actionable insight.

As ERM continues to develop, both hedgehogs and foxes are necessary. And the CRO needs to be able to effectively communicate with and manage both.

Putting a price on priceless information

In a business that is all about taking risk, most senior management teams certainly would rank good information about risk as essential to the effective management of their business. To call this information “priceless” would not be an exaggeration.

The last recession put great pressure on regulators and, through them, on insurance companies to quickly upgrade their risk capabilities. For many regulators, the cost of achieving these upgrades was much less of a concern than thoroughness and completeness. Both of these forces, business need and regulatory pressure, put significant demands on the risk function. Faced with these demands, it has been fairly easy to put programs and people in place that address acute needs without being unduly constrained by program price.

However, the absence of price constraints has obvious negative implications. Any business has limited resources. And, for much of the insurance industry, the trend in customer demands and purchase/service platforms is away from high-margin options. Furthermore, the lack of spending discipline can easily lead to maintaining a status quo that overspends on some areas and ignores others. As priceless as good risk information can be, some is more valuable than others, and some can be produced with the same value but at a lower cost.

Implications: Where is ERM heading and how can CROs prepare?

The CRO’s role has evolved significantly over the last several years. CROs’ early focus was on the development and implementation of EC and a concerted effort to meet enhanced regulatory expectations.

The trend now is more nuanced. CROs are trying to address more qualitative risks and incorporate a business-centric focus. With this in mind, we offer some suggestions:

  1. CROs would do well to take stock of their current ERM program inventory. What are the approximate costs of different programs? Are they meeting objectives and are those objectives still as important as when the programs were initially established? Is there an overlap? For example, does stress testing address only the same risks EC already covers effectively, and if so, would it make sense to deploy resources in a different way?
  2. In taking stock of current benefits, ERM efforts that enhance shareholder value should be receiving high priority. Considerations focused on pricing and new business challenges present a good opportunity to use risk knowledge to add value, not just conserve it.
  3. Lastly, consider if reshaping emphasis across the program portfolio requires some ERM team members to alter their orientation, e.g. behave more like “foxes.” Or, if there’s a need, consider adding new team members with the required skills and mindset.

2018 Predictions on Cybersecurity

As cyber attacks increasingly threaten every aspect of business and grow in volume and scale, companies will be forced to take new measures to address cybersecurity risk holistically, integrating it more aggressively into their enterprise risk management, according to our cyber solutions industry specialists in the 2018 Cybersecurity Predictions report. The report outlines a number of specific actions that Aon believes companies will take in 2018 to address cyber threats, as well as other cyber trends that we anticipate in the New Year.

“In 2017, cyber attackers created havoc through a range of levers, from phishing attacks that influenced political campaigns to ransomware cryptoworms that infiltrated operating systems on a global scale. With the growth of the Internet of Things (IoT), we have also witnessed a proliferation of distributed denial-of-service (DDoS) attacks on IoT devices, crippling the device’s functionality,” said Jason J. Hogg, CEO, Aon Cyber Solutions. “In 2018, we anticipate heightened cyber exposure due to a convergence of three trends: first, companies’ increasing reliance on technology; second, regulators’ intensified focus on protecting consumer data; and third, the rising value of non-physical assets. Heightened exposure will require an integrated cybersecurity approach to both business culture and risk management frameworks. Leaders must adopt a coordinated, C-suite-driven approach to cyber risk management, enabling them to better assess and mitigate risk across all enterprise functions.”

The 2018 predictions look at the ways in which the increasing scale and impact of cyber attacks, coupled with companies having to accept more liability and accountability over cyber attacks, will lead to significant changes in the corporate landscape. The report predicts an expanding role for the chief risk officer (CRO), the importance of implementing multi-factor authentication, the increased threats from insiders and an expansion of bug bounty programs in new sectors.

Highlights of the report include:

  • Businesses adopt standalone cyber insurance policies as boards and executives wake up to cyber liability. As boards and executives experience and witness the impact of cyber attacks, including reduced earnings, operational disruption and claims brought against directors and officers, businesses will turn to tailored enterprise cyber insurance policies, rather than relying on “silent” components in other policies. Adoption will spread beyond traditional buyers of cyber insurance, such as retail, financial and healthcare sectors, to others vulnerable to cyber-related business disruption, including manufacturing, transportation, utility and oil and gas.
  • As the physical and cyber worlds collide, chief risk officers take center stage to manage cyber as an enterprise risk. As sophisticated cyber attacks generate real-world consequences that affect business operations at increasing scale, C-suites will wake up to the enterprise nature of cyber risk. In 2018, expect CROs to have a seat at the cyber table, working closely with chief information security officers (CISOs) to help organizations understand the holistic impact of cyber risk on the business.
  • Regulatory spotlight widens and becomes more complex, provoking calls for harmonization. EU holds global companies to account over GDPR violation; big data aggregators come under scrutiny in the U.S. In 2018, regulators at the international, national and local levels will more strictly enforce existing cybersecurity regulations and increase compliance pressures on companies by introducing new regulations. Expect to see EU regulators holding major U.S. and global companies to account for GDPR violations. Across the Atlantic, big data organizations (aggregators and resellers) will come under scrutiny on how they are collecting, using and securing data. Under the burden of significant and ever-increasing regulatory pressures, industry organizations will push back on regulators, calling for alignment of cyber regulations.
  • Criminals look to attack businesses embracing the Internet of Things, in particular targeting small to mid-sized businesses providing services to global organizations. In 2018, global organizations will need to consider the increased complexities when it comes to how businesses are using the IoT in relation to third-party risk management. The report predicts large companies will be brought down by an attack on a small vendor or contractor that targets the IoT, using it as a way into their network. This will serve as a wake-up call for large organizations to update their approach to third-party risk management, and for small and mid-sized businesses (SMBs) to implement better security measures or risk losing business.
  • As passwords continue to be hacked, and attackers circumvent physical biometrics, multi-factor authentication becomes more important than ever. Beyond passwords, companies are implementing new methods of authentication – from facial recognition to fingerprints. However, these technologies are still vulnerable, and, as such, the report anticipates that a new wave of companies will embrace multi-factor authentication to combat the assault on passwords and attacks targeting biometrics. This will require individuals to present several pieces of evidence to an authentication instrument. With the new need for multi-factor authentication and consumer demand for unobtrusive layers of security, expect to see the implementation of behavioral biometrics.
  • Criminals will target transactions that use reward points as currency, spurring mainstream adoption of bug bounty programs. Companies beyond the technology, government, automotive and financial services sectors will introduce bug bounty platforms into their security programs. As criminals target transactions that use points as currency, businesses with loyalty, gift and rewards programs – such as airlines, retailers and hospitality providers – will be the next wave of companies implementing bug bounty programs. As more organizations adopt the programs, they will require support from external experts to avoid introducing new risks with improperly configured programs.
  • Ransomware attackers get targeted; cryptocurrencies help ransomware industry flourish. In 2018, ransomware criminals will evolve their tactics. The report predicts that attackers utilizing forms of benign malware – such as software designed to cause DDoS attacks or launch display ads on thousands of systems – will launch huge outbreaks of ransomware. While attackers will continue to launch scatter-gun-style attacks to disrupt as many systems as possible, the report predicts an increase in instances of attacks targeting specific companies and demanding ransomware payments proportional to the value of the encrypted assets. Cryptocurrencies will continue to support the flourishing ransomware industry overall, despite law enforcement becoming more advanced in their ability to trace attacks, for example through bitcoin wallets.
  • Insider risks plague organizations as they underestimate their severe vulnerability and liability while major attacks fly under the radar. In 2017, businesses underinvested in insider risk mitigation strategies, and 2018 will be no different. According to the report, a continued lack of security training and technical controls, coupled with the changing dynamics of the modern workforce, means the full extent of cyber attacks and incidents caused by insiders will not become fully public. Many companies will continue to respond to incidents behind closed doors and remain unaware of the true cost and impact of insider risk on the organization.

How to Drive More Quotes

Like a stool that is most stable when it’s on three legs, driving business results from digital customer experience stands on traffic, engagement, and conversion activities. When the three are done in conjunction with one another, you’ll see the strongest results.

Traffic-driving activities through organic and paid efforts, and establishing content marketing strategies to ensure engagement take up a lot of investment and resources. The last thing you would want is for visitors to land on or engage in an experience that’s not fully optimized for them. That’s where conversion rate optimization (CRO) comes to the rescue. CRO is a data-driven, results-focused approach to taking the user experience to a higher level to transform more site visitors into paying customers. The insurance industry is perfect for taking advantage of CRO strategies, especially in driving quote submissions.

Today, everything starts with a Google search. For shoppers who are in the market for new insurance, the journey usually starts from search with a goal in mind. Let’s say that goal is finding new auto insurance. This search for auto insurance will expose available options to the shopper, after which he or she will decide which option looks the most fitting and then visit the insurance company’s web or mobile site. Once a potential customer lands on that insurance company’s website, the company has very limited time to get the person’s attention and funnel the person into the quote process.

For insurance companies, web and mobile sites play an important role in driving quote generation. Optimizing these platforms to drive higher conversions is critical. Here are three ways to best use CRO tactics on insurance sites:

1. Connecting the right user to the right product: There are multiple tests we can conduct to figure out how much information about the site visitor we can capture in advance and make sure that the person sees the most relevant content up-front in a visit. For example, if everything we know about the visitor suggests that he may be interested in homeowners insurance, should you be showing him the other 20 product options? The conversion goal here would be to connect this prospect to a homeowners insurance company as quickly as possible and get him to engage in the quote process as fast as possible.

2. Highlight the main call-to-action (CTA): If the user is faced with multiple engagement points, different product options, or various next-step alternatives, the result would be increased confusion, and the user potentially leaving the site. To get insurance customers to the quote process more effectively, you need to offer easy-to-follow designs, clear messaging, and a clear call-to-action for the next step. Use CRO to determine how best to display your main key performance indicators from a visual design and placement standpoint. For example:

  • Testing “sense of urgency” on the CTA language: “Get A Quote Today!”
  • Testing visual treatments for quote start CTA: Usually darker, bolder colors that contrast well with the rest of the page design and content work the best.
  • Testing placement: Place your quote start CTA always in the same section of the site to train users’ expectations. Test placing it as a part of the global navigation or as a part of the hero banner.

3. Optimize the quote process: One of the most important steps in the insurance customers’ journey is the quote submission process. Getting users to fill in the quote process is what seals the deal. You would think that anyone who came that far along would be likely to fill out the form, right? Why else have they been through that much work to get to this page? There is some truth in that but the fact that your site visitors made the journey all the way to the form doesn’t guarantee that they would not leave without completing it.

Luke Wroblewski, a product director at Google, wrote an amazing book titled “Web Form Design,” which discusses ample approaches to testing forms, design, placement, labeling, orientation, single versus multiple steps, progress bars, etc. First, analyze and understand how users are going through your form pages. From there, start a series of tests and play with various elements that can impact form submissions. Here are a few strong starters to prioritize:

  • test number of form fields
  • test single versus multiple (2-3) steps
  • test CTA button on the form submission

These CRO tactics will help any insurance company get to a better conversion rate on their sites and start seeing immediate results.

Happy testing!

Insurance CROs: Shifting to Offense

EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works in progress or continuing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.

There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.

CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.

Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):

  • From relative stability to disruption
  • From clear and well-understood threats to emerging and unknown risks
  • From serving as a control function to partnering with the business
  • From focusing on the risks of action to promoting innovation and avoiding the risk of inaction

Where CROs mostly played defense in focusing on compliance and regulatory activities after the crisis, many have started to move on to a more active, business-driven posture, with greater emphasis on adding value through the efficient delivery of ERM.

You can find the full EY report here.

Global Insurance CRO Survey 2016

Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided chief risk officers (CROs) with a seat at the table in the highest levels of the organization.

2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.

The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes — and use them to achieve greater effectiveness.

This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:

1. There has been a high degree of operationalization in prudential regulation around the globe:

  • In Europe, in response to Solvency II demands
  • In the U.S., as a consequence of the NAIC’s ORSA requirement and for the larger insurers, SIFI demands from the Federal Reserve Board
  • In Asia-Pacific, with the implementation of risk-based capital regimes (e.g. C-ROSS in China, LAGIC in Australia, ORSA requirements in Singapore and ICAAP in Malaysia)

2. We are seeing a sharper focus on consumer-conduct regulation:

  • The U.S. Department of Labor is shaking up focus on the advice model.
  • The European Parliament is debating significant advances in policyholder communications, and various European home regulators are demanding redress for past failings in sales process, transparency of charges and continuing product suitability.
  • Depending on the region, it is more or less common for CROs to have compliance report through to them.

3. Governance models are now largely converging to reflect the three lines of defense principles.

Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there still are opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.

4. Risk functions are becoming more involved in producing and monitoring risk metrics.

Larger insurers subject to Solvency II and now required to obtain approval of their internal economic capital models are partly behind this shift in risk functions.

Beyond Europe, other jurisdictions have a variety of approaches. For example, U.S. insurers subject to Federal Reserve regulation are required to use more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).

In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.

5. CROs are aware of the potential for improvement in operational risk management.

While businesses generally understand the “known knowns,” risk plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.

Download the full North American report here.

Download the full EMEIA report here.