2017 bermuda insurance cro survey - mobilemobile.royalgazette.com › assets › pdf ›...

2017 Bermuda Insurance CRO Survey

Adding value in a rapidly evolving risk landscape

2017 Bermuda Insurance CRO Survey | 1 www.ey.com/bermuda

About this reportThis report is the second edition of EY’s Bermuda Insurance Chief Risk Officer (CRO) Survey, aimed at gaining insights into the current structure and role that risk functions play in their organizations.

In particular, the survey is aimed at:

► Understanding how risk functions and CROs are addressing emerging challenges, and how their role is changing in response to a rapidly evolving risk landscape

► Identifying key trends in risk management practices observed among participants, drawing a comparison particularly between newly established risk functions (i.e., within first five years of being set up) and those previously established

Our participantsOur CROs include a wide range of long-term and property and casualty insurers, in particular:

EY sincerely thanks the CROs and companies that shared their time and insights for this year’s survey.

Introduction

28%

22%

33%

6%

11%

Groups

Class E

Class 4

Class 3A

Captive

2017 Bermuda Insurance CRO Survey | 2

Key themes

Innovation and cyber are shaping the CRO agenda, posing both threats and opportunities

CROs are confident in the value they can bring to the business

The role of the CRO in 2018 and onward

Evolution and background of the CRO: CROs find their role shifting as the risk function matures

2

3

1

4


1

Evolution and background of the CRO


► In line with the results of last year’s survey, we continue to see an increasing footprint of risk functions within the CROs’ individual organizations.

► About 40% of our CROs have only recently transitioned to a full-time role in risk management, often to address the need for a more “stand-alone” function to provide independent challenge.

► Only two of our CROs are currently “double-hatting” with CFO or CEO roles, with all other CROs having a clear and dedicated mandate around risk management.

► While we see a clear trend in the risk function becoming a “stand-alone” function, we continue to see CROs carefully considering headcount within the function, with lean structures observed across most of our participants.

Startup vs. established risk functions

► The CRO’s roles and responsibilities differ depending on the risk function’s maturity.

► Newly appointed CROs, particularly where the risk function has only recently been created, are dedicating greater focus to the design elements of the risk management framework.

► In contrast, where the risk function is more mature, the focus is clearly around achieving efficiencies and identifying opportunities to streamline existing processes.

39%

46%

15%

≤ 2

3 to 5

> 5

Key accomplishments and challenges for the CRO

When exploring key accomplishments and challenges, we have identified common themes among our CROs in line with the risk function’s level of maturity.

► “Resourcing effectively to ensure the risk function is standalone as the business grows”

► “Resourcing: Given the small size of the team, it is difficult to anticipate when increasing headcount will be required, and, in addition, this needs to be balanced with budgeting constraints”

► “Getting the right balance between being a risk function and not doing what’s been done elsewhere”

► “Keeping pace with how the first line is developing the strategy in response to regulatory change”

► Resistance to change and “reversion to the mean”

► Establishing risk management framework and strengthening risk governance

► Fostering a more open risk culture, with a focus on boosting efficiency and streamlining the risk function

► Aligning enterprise risk management (ERM) on a group-wide basis, with greater operational risk focus

Key accomplishments

Challenges

Average risk function headcount

MaturityStartup Established

CROs find their role shifting as the risk function matures


We have seen far more consistency and clarity among CROs in terms of “what they own,” and it is in those areas where risk has only ever been an influencer that we have seen the involvement of risk increase in this year’s survey.

Our results show that the background of CROs drive their level of involvement in key business processes.

Includes statistics, actuarial, mathematics, etc.

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

ERM–installation/maintenance of risk framework

Risk appetite setting

Risk tolerance/limits setting

Risk measurement and reporting

Stress testing–design

Stress testing–performance and reporting

Model risk management

Model validation

Capital management

Reinsurance program design

Reinsurance program execution

Risk mitigation (please specify activity)

Development of business strategic plans

Product design and pricing

Strategic decision-making (e.g., M&A)

Underwriting

Setting of asset strategy

Oversight of reserving/valuation

2017 CRO’s role and responsibility by process

Process owned by risk/CRO Influence/approve Limited involvement

We note that CROs with a quantitative background are typically more involved in the following business processes:

► Product design and pricing

► Strategy

► Underwriting

► Capital management

69%

31% Quantitativebackground

Qualitativebackground

Includes accounting, risk management, internal audit, etc.


2

Innovation and cyber are shaping the CRO agenda, posing both

threats and opportunities


Cybersecurity is on the CRO agenda, with a number of different approaches being taken

While only 17% of our CROs typically see themselves as being accountable for cyber risk management, all participants have had some sort of involvement with cyber.

Other insights

CROs noted a number of strategies to manage cyber risk:

► Strengthening controls surrounding cybersecurity

► Attack and penetration testing

► Some participants noted use of third parties to manage cybersecurity and IT infrastructure

► Use of cloud storage

Going forward, CROs planned to focus on:

► Investing in tools and skill sets to quantify and measure cyber risk

► Capturing “silent” exposures, with one CRO asking “have we identified it and are we pricing it?”

► Regulatory developments, including General Data Protection Regulation (GDPR)

What do CROs say?“If you have zero tolerance for cyber risk then all your time and effort should be in focusing on not being exposed to cyber risks. However, that’s impossible to do.”

“Cybersecurity is kind of an arms race. An area that concerns me. An area to invest in.”

“My main responsibility regarding cyber risk is to create awareness.”

“Cyber underwriting and cybersecurity are very different skill sets.”

What did our US survey find?

► Similar to Bermuda, in the US there has been an uptick in awareness and concern around cybersecurity across 2016 and 2017.

► Cyber risk appetite and risk tolerances were at an elementary state at most companies, with measurement techniques not yet “advanced.”

► 44% have some form of cyber risk appetite statement in place, while 28% were working on inserting cyber into their risk appetite.

► 1/3 of US CROs cited National Institute of Standards and Technology (NIST) as being referenced by their firms – but few US companies have developed cyber risk measurement.

► The National Association of Insurance Commissioners (NAIC) and the New York State Department of Financial Services (NYDFS) new cyber regulation already in force and influencing companies' approach. NAIC model law being finalized but remains 0 - 2 years before enacted at the state level.

22%

17%61%

Managing cyber as partof operational risk

Directly own cyber risk

Other/various

► Establishing an IT governance framework► Raising awareness throughout the organization► Reviewing cybersecurity/risk policies ► Challenging the activities performed by the

third party vendor


What do CROs say?“The risk team looks across the whole organization. Risk can see the implications, consequences and secondary impacts.”

“We want to make sure that not everybody gets ahead of themselves.”

“If you’re a good CRO you won’t be perceived as a constraint. A good CRO helps the first line, provides assistance and acts as a sounding board.”

“The big role played by risk on emerging technologies is to make sure the R&D team is on point and remains at the forefront of the latest developments and conversations.”

“You have to look at where innovation will work in order to be able to divert resources to it.”

“The main objective is to keep everybody involved and up to date with the pace of the business and the emerging trends.”

CROs are looking to innovate, although foundations still need to be built

► In an expansion of their role as “strategic advisors” within the organization, some CROs have dedicated significant time in exploring how new technologies can be harnessed to drive efficiency, both within the risk function and across the organization as a whole.

► However, the majority of our CROs see their role as that of raising awareness over the wider risk implications arising from increasing the use of technology across the organization.

Investment in innovation

This CRO is making steps to keep ahead of technological change by:

► Investing in insuretech and participating in consortia

► Establishing an insuretech initiative that helps the board determine which technologies to invest in

The key objectives of this CRO:

► To understand where insuretech is going and how it can be leveraged

► To keep up and have a voice in technological change

The CRO’s key role is to make sure that the research and development (R&D) team is “on point” and remains at the forefront of the latest developments.

Data and automation focus

This CRO is focusing on how technology can be used to foster better collaboration with the business by:

► Investing in tools aimed at increasing data quality and availability

► Understanding automation opportunities and use of AI

The key objectives of this CRO:

► To generate data, interpret it and provide insights

► To enhance data clarity to assist in problem solving

► To assess risks where data was not previously available

Two of our participants have greater involvement in innovation

Cas

e st

udie

s

“In the next few years, there are going to be major disruptions in our model, brought

about by new technology.”

We need to “become much more nimble and experiment with data.”


3

CROs are confident in the value they can bring to

the business


CROs took pride in the role that robust risk management played in preparing for emerging risks and the catastrophic events of 2017, which was facilitated by a number of enablers

Key enablersEmerging risk identification and escalation

Formalizing risk appetite Robust stress and scenario testing framework

While all our CROs have an emerging risk management process in place, the design varies across participants, largely as a result of meeting the needs of individual boards and senior management.

Most of our CROs are planning to review the risk appetite framework over the next 12 months. Where risk appetite is established, CROs have taken pride over its effectiveness.

Stress and scenario testing is considered a key risk management tool by all CROs in order to identify “what if” events and further strengthen the relationship with the business.

What do CROs say?

“Providing training to the board and keeping business managers up to date with risks from industry developments like blockchain.”

“The risk team provides the board with reports on the implications and impacts of emerging risks.”

“When all of the emerging risks are collated, the risk team assesses if the emerging risks are immediate or remote and a risk owner is assigned. After further evaluation, the emerging risk will be included in the risk register or on the watch list.”

“We do learning studies, which prepare us for emerging risks. These studies are scenario-based where we analyze the implications of different scenarios.”

“The cat events of Q3 2017 were a good test of risk appetites—losses were not out of line with appetites/expectations.”

“Focus in the next 12 months will be building a risk appetiteframework from the top down, focusing on the development of a formal risk appetite, risk tolerance and limits and risk reporting.”

“We do have appetites set out, but they are evolving.”

“One of the reasons for the rebuild of the internal capital model is to build and expand on the stress tests on the portfolio.”

“Stress and scenario testing is a collaborative effort between the first and second lines.”

“Stress and scenario testingsare developed with the board. My role is to do deep dives and create ad hoc scenarios on specific areas that may be a concern.”


► CROs were generally happy with the CISSA/ORSA process, as it provides a summary of stress and scenario testing results on the most relevant metrics driving decision-making.

► Rather than fundamental changes, more focus was on streamlining and increasing efficiency by “linking and integrating internal risk reporting with the CISSA.”

CROs have varying opinions on the use and value of the Commercial Insurers’ Solvency Self-Assessment/Own Risk and Solvency Assessment (CISSA/ORSA); some see it as a regulatory exercise, but most CROs see it adding strategic value

While some consider the CISSA/ORSA a regulatory compliance exercise …

► “Unfortunately, it is more of report deadline/ tick-box exercise.“

► “CISSA was mostly treated as a requirement for regulatory compliance, however some components of it are being used to form strategy.”

… 79% use it as a strategic planning tool

► “I think it is useful to us. I see it as a useful tool, which is now embedded in our DNA and drives the risk culture. I think the culture itself is more useful than the documentation.”

► “The ORSA is heavily used and can definitely be seen as a strategic planning tool.”

► “I see the CISSA as one of the few reference points that can be seen as fact … and is a valuable process that we go through.”

► “It’s a repository for our whole risk management framework, therefore it’s a helpful document.”

► “We use the report to inform our review of capital adequacy … and to inform strategic decisions.”

► “I think it’s a blend—it started as a regulatory report but is currently moving toward being a management tool.”

Views from CROs on the CISSA/ORSA process:

50%

17%

33%

What is the primary metric that drives “own solvency”?

Rating agency'scaptial requirements

Internal modelcapital requirements

Regulatory capitalrequirements


4

The role of the CRO in 2018 and onward


While current priorities vary between CROs, future investment is driven by common goals and challenges

How do you envisage the budget dedicated to supporting CRO activities to change in the next year?

Budget

This year more CROs saw their budget increase compared to last year (34%). Interestingly, all startup risk functions in our survey anticipate increasing budget for 2018, whereas the responses were more varied among responses from established risk functions.

How many have highlighted automation?

62% of our participants have mentioned investing in automation, which will be a focus going forward. The areas where we typically see automation for the risk function are surrounding compliance tools and reporting mechanisms.

What do CROs say?“We keep an eye out on the increasing regulation and its impact on our strategy. We would like to be and stay nimble, which is harder to achieve with increasing regulations.”

“The CRO’s role and focus area has changed and shifted to strategic decision-making and I believe this will gain momentum. This is definitely true for our company.”

“We will invest in automation processes and tools going forward. Especially with the goal to attain a more robust and efficient approach to reporting.”

61%

31%

8%

Increasing

Static

Decreasing


► “I expect my role to evolve more toward active risk management and perform as an advisory function instead of a report-producing function.”

► “I believe, in a broader sense, that the CRO will have a holistic overview of the company and its directions. The holistic view provides CROs with the unique ability to advise key strategic decision-makers. However, (the CRO’s) success is ultimately dictated by the one who is in charge.”

► “I don’t think my role will evolve as it is already fully integrated within the decision-making process, including strategy-making. However, as a general perspective, I believe the CRO will evolve with where the industry will take him/her. An example is the development of AI: as AI becomes more prevalent, CROs will need to focus more closely on cyber attacks and their impact.”

► “It comes down to the function being adaptable to being used in different situations. The challenge is how do you take people from doing one part of the risk function and apply them to different tasks?”

Embedding the risk function and evolving toward bringing more strategic value to the organization.

Looking into future industry changes and demonstrating flexibility.

What are CROs focused on going forward and how do they see their role evolving?

While innovation and the outlook on new technologies have emerged as key themes in this survey, regulatory developments still remain a key consideration for CROs.

MaturityStartup Established

While the priorities of CROs vary between startup and established risk functions, looking forward, CROs face common challenges

BrexitSIMR

US tax reform

Accounting changesIDDG GDPRBermuda anti-bribery and corruption regulationsInternational capital standards changes

BMA BSCR rule changes

Stand Re FINMA


Questions for consideration

What should the role of the CRO be when it comes to cyber risk?

How should the CRO role evolve to respond to the increased use of technologies and innovation in your organizations?

How can you demonstrate the risk function’s value-add? Should you have to?

Given the potential difficulty in quantifying cyber exposures, how should appetites be defined?

What changes can you still make to the CISSA to embed it as a strategic risk management tool?

What steps can you take to make sure risk appetite is understood and actively used in business decisions?

As CRO, how much does your background impact your role in the organization?

As CRO, how does your background influence what business processes you are involved in?

What is the optimal balance of skill sets within a risk team?

As well as mitigating cyber risk, what is the role of the CRO in the wider innovation agenda?


The bottom line

In line with the trend observed in last year’s survey, risk functions are increasingly playing a critical role in supporting the board in driving their strategic agenda.

While regulation has surely been a key driver in elevating the role of the CRO to become a key contributor to the decision-making process, it is often a business need that led organizations to better formalize and structure their risk management frameworks.

As the insurance industry continues to embrace innovation, CROs are closely monitoring how technological developments across the organization may impact the overall risk profile; in parallel, CROs are continuing to focus on ways to improve the effectiveness of their frameworks through automation and streamlining of existing processes.

Looking ahead, it is clear that CROs expect their role to continue to evolve. As one CRO put it, the success of the risk function going forward will depend on the adaptability of the function to be able to respond to different business challenges as they arise and make sure they continue to be seen as a valued partner by business stakeholders.


Contacts

Chris MaiatoPrincipalAdvisory Services LeaderBermuda+1 441 294 [email protected]

Paolo FiandesioSenior ManagerInsurance RiskBermuda+1 441 294 [email protected]

David PaulExecutive DirectorInsurance Risk New York+1 212 773 [email protected]

David BrownPartnerInsurance Sector LeaderBermuda+1 441 294 [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About the EY region of Bahamas, Bermuda, British Virgin Islands, Cayman IslandsThe region of member firms in the Bahamas, Bermuda, British Virgin Islands and Cayman Islands is operationally aligned with our Americas Financial Services Organization, headquartered in New York. We serve the banking and capital markets, insurance, and wealth and asset management sectors providing a full suite of advisory, assurance, transaction advisory and tax services and focus on providing seamless, exceptional client service.

EY is a leader in serving the global financial services marketplaceNearly 43,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Organization today includes more than 6,900 professionals at member firms in over 50 locations throughout the US, the Caribbean, Bahamas, Bermuda and Latin America.

EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Wealth & Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

© 2018 EY Bermuda Ltd.All Rights Reserved.

ED None

2017 bermuda insurance cro survey - mobilemobile.royalgazette.com › assets › pdf ›...

Documents