Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided chief risk officers (CROs) with a seat at the table in the highest levels of the organization.
2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.
The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes — and use them to achieve greater effectiveness.
This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:
1. There has been a high degree of operationalization in prudential regulation around the globe:
- In Europe, in response to Solvency II demands
- In the U.S., as a consequence of the NAIC’s ORSA requirement and for the larger insurers, SIFI demands from the Federal Reserve Board
- In Asia-Pacific, with the implementation of risk-based capital regimes (e.g. C-ROSS in China, LAGIC in Australia, ORSA requirements in Singapore and ICAAP in Malaysia)
2. We are seeing a sharper focus on consumer-conduct regulation:
- The U.S. Department of Labor is shaking up the focus on the advice model.
- The European Parliament is debating significant advances in policyholder communications, and various European home regulators are demanding redress for past failings in sales process, transparency of charges and continuing product suitability.
- How common it is for compliance to report to the CRO varies by region.
3. Governance models are now largely converging to reflect the three-lines-of-defense principles.
Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there still are opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.
4. Risk functions are becoming more involved in producing and monitoring risk metrics.
This shift is driven in part by larger insurers that are subject to Solvency II and are now required to obtain approval of their internal economic capital models.
Beyond Europe, other jurisdictions have a variety of approaches. For example, U.S. insurers subject to Federal Reserve regulation are required to use more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).
In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.
5. CROs are aware of the potential for improvement in operational risk management.
While businesses generally understand the “known knowns,” the risk function plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.