2017 Insurance CRO Survey (Ernst & Young)
2017 Insurance CRO Survey | A
About the survey
Since 2011, EY’s annual North American insurance CRO survey has served as a lens on the current state of enterprise risk management in the industry and the shifting role of chief risk officers (CROs).
The 2017 survey featured the largest ever group of participants (40 companies) answering more detailed questions about disruption and cybersecurity, which have emerged as key issues for many CROs.
CRO survey participants work for life insurers or groups, health insurers or composites, and property and casualty (P&C) companies (pie chart shares: 55%, 33% and 12%).
EY sincerely thanks the CROs and their risk teams who participated. Their time and insights are what make the survey valuable.
Table of contents
Introduction: CROs starting to shift from reactive, regulatory defense to business-enabling, strategic offense (page 3)
Four critical transitions
From relative stability to disruption (page 5)
CROs and cybersecurity: Where they stand in 2017 (page 7)
From clear and well-understood threats to emerging and unknown risks (page 17)
From serving as a control function to partnering with the business (page 21)
From the risks of action to the risks of inaction in promoting innovation (page 23)
This year’s report highlights the continuing evolution of the CRO role in light of several important transitions. Beyond leading their risk teams, more CROs are also starting to play key roles as the entire enterprise comes to terms with a turbulent marketplace and rising cyber risks. For all the progress they have achieved, CROs and their risk teams have not reached an endpoint.
Rather, they see constant pressure and opportunity to reorient their approach toward greater alignment with the business and, in doing so, to enhance the value they bring to the enterprise.
Introduction
CROs starting to shift from reactive, regulatory defense to business-enabling, strategic offense
EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works-in-progress or ongoing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.
There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.
CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.
Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):
• From relative stability to disruption
• From clear and well-understood threats to emerging and unknown risks
• From serving as a control function to partnering with the business
• From focusing on the risks of action to promoting innovation and avoiding the risk of inaction
A brief history of insurance CROs: the strategic trajectory
Where CROs mostly played defense in focusing on compliance and regulatory activities after the crisis, many have started to move on to a more proactive, business-driven posture, with greater emphasis on adding value through the efficient delivery of ERM.
Figure 1: the strategic trajectory of CROs (chart). Horizontal axis 2000 to 2027, with the 2007 financial crisis marked; vertical axis 0% to 100% showing the share of insurers with a risk team and the share with a CRO, based on survey responses. Phases along the trajectory: stabilization (installing ERM; regulatory-focused; measurement and mitigation; known risks), formalization of risk teams and processes, and embedding ERM (strategic; value-adding). CRO focus moves from defense (control, mitigating risks) to offense (disruption, emerging risks, partnering, promoting innovation).
From relative stability to disruption
The reorientation of the CRO role is a function not only of internal progress, but also of external forces and the new normal in the insurance market, with its widespread disruption and imperative to innovate. Even CROs who see opportunity to become more proactive and add more value to the business speak of swimming faster to keep pace with a stronger current. If new challenges — especially those related to disruption — are not met, they fear the consequences for their companies.
Survey respondents characterized the implications of the “age of disruption” in terms of rapid market change, increasing unpredictability and rising cyber risks.
Rapid market change
CROs are looking into the impacts of rapid change in markets where their companies are successful. Specifically, they are scoping the vulnerabilities and devising contingency plans to sustain profitability in the event of massive market reconfigurations.
For instance, CROs at automotive insurers report having plans ready for autonomous vehicles. CROs at life insurers are thinking about “pay as you live” products, wearable technology and their impact on customer relationships and manual processes.
Looking at these uncertainties, some CROs are evaluating both evolutionary and revolutionary paths forward. They are running scenarios for exiting some markets and entering new ones. The key question: if one market is closed, how does the CRO make sure the company is seeking out new markets and finding other sources of growth?
“The CRO should make sure the board and senior executives have a risk point of view when making strategic choices.”
“CROs should provide transparency into the risk/return trade-off of various growth options.”
CRO remarks
Increasing unpredictability
From politics to weather patterns, there is broad consensus among CROs that the future is less predictable than it used to be. Therefore, CROs are continually challenging themselves and their organizations by asking:
• How well prepared is the company for unexpected political and macroeconomic events?
• Are stress and scenario testing broad enough to anticipate events?
• Do stochastic models embrace the true extent of risk, especially relative to the tails of distributions and correlations between risk types?
• Within shorter-term business planning and longer-term strategic planning, does the company have sufficiently detailed response readiness plans and sufficiently robust horizon-spotting capabilities?
Rising cyber risks
Some CROs have assumed major roles in the fight against cybersecurity threats, which all CROs regard as a severe disruptor given the potential for:
• Business interruption halting sales and service to customers
• Financial cost to the organization
• Reputational damage, including long-term and possibly irreparable harm
A serious breach involving customers’ personal data is viewed as a greater risk by life and health CROs, given the large volumes of sensitive data and personally identifiable information (PII) held by their firms. However, CROs at all types of insurers report cyber threats as a top-five risk. For more on this topic, see “CROs and cybersecurity,” pages 7-15.
Thanks to an increasing pace of disruption, the future seems less predictable than it used to be.
CROs and cybersecurity: where they stand in 2017
Cybersecurity has become one of the most severe threats to corporations in a wide range of sectors. It is no wonder, then, that insurance industry CROs rate it as a top concern, as CIOs and business executives surely do, too. What is surprising, however, is that many survey respondents reported their cybersecurity efforts as being in a state of flux.
Survey results reveal that many companies have yet to adopt a formal “three lines of defense” approach for cyber risk. The result is considerable variety in the levels of CRO involvement and responsibility for cybersecurity and in the methods for measuring cyber risk, as well as the relationships to chief information officers (CIOs) and chief information security officers (CISOs).
Some CROs in the survey stood out as playing major leadership roles with cybersecurity, but these were in the minority. More CROs reported playing a passive role, though a few had served as temporary “SWAT team” leaders, troubleshooting in urgent situations and spearheading change management and remediation efforts as circumstances required.
Figure 2: CROs and cybersecurity – the evolution continues
Passive (second-line role not established, or second-line responsibility doesn’t reside with CRO):
• Cybersecurity: CIO and IT responsible
• Governance: CRO observes committees and governance; CRO reports on cybersecurity to senior leadership or board
• Collaboration: limited co-working between ERM and information security teams
Temporary “SWAT team” leadership:
• CRO troubleshoots or leads urgent remediation efforts (temporarily acts as both first line and second line)
Active (cybersecurity resides in second line with CRO providing leadership):
• Cybersecurity: cybersecurity management independent of IT; CISO may report to CRO
• Governance: CRO reports on cybersecurity to CFO or CEO (parallel with reporting line of CIO); cyber risk classified in risk taxonomy alongside operational risks
• Collaboration: extensive co-working and teaming between information security and ERM personnel
The disparity in approach extends well beyond ERM, into the realm of IT departments and overall management of cybersecurity. Companies are clearly experimenting with different organizational structures to find the best fit to manage their cyber risks.
No one model has emerged as the leading practice, and different structures are likely to suit different situations, depending on organizational models, lines of business, culture and other factors. CROs commented that company cultures, available expertise and individual personalities also shape the organizational choices for cybersecurity.
While companies are trending toward formalization of three lines of defense, some survey participants said that their firms are not formalizing now and seem unlikely to in the future.
Several CROs described evolving structures regarding operational and governance functionality:
• Operational — more commonly managed by IT groups: user ID and password management, data management and protection, threat detection and monitoring, protective measures, staff training on alertness
• Governance — more commonly overseen by CROs and ERM teams: setting and monitoring cybersecurity policies and standards; inclusion of cyber risks in the risk register or GRC (governance, risk and compliance) software; establishing cyber risk appetite and tolerances and introducing cyber risk metrics (quantitative and qualitative); monitoring and reporting; preparation and review of post-breach recovery plans
Among the observations from survey participants:
• In a few cases, ERM teams and CROs have been heavily involved with cyber risks in recent years simply because the CRO alone has the influence and independence to raise the urgency level across the organization.
• During 201[?], one company moved responsibility for operational information security functions into the first-line IT department, while ERM retained cyber governance functions. This step represented maturation in cyber preparedness and the CRO felt the separation of roles would be more effective going forward.
• One CRO was uniquely placed to drive a cybersecurity transformation program between 201[?] and 2017. The CRO set the information security standards for many small and globally dispersed business entities with independent IT departments and then provided operational information security services, as required by those standards, via a centralized shared services model.
Figure 3: management and reporting structures for cybersecurity (share of respondents: property & casualty / life & health / all)
• CISO reports to CRO: 13% / 27% / 22%
• CRO has oversight role; CISO on reporting line within IT: 60% / 50% / 54%
• CRO less involved: cyber is one additional risk for consideration: 27% / 23% / 24%
Board-CRO interaction on cyber risk
Boards have been aware of cyber threats for several years, but 2016 and 2017 saw significant increases in organizational awareness and concern for nearly all CROs who participated in the survey. As cybersecurity moves up the risk agenda of boards across the industry, there is more demand for detailed, accurate and frequent reporting (typically quarterly) on specific risks. As with governance structures overall, board expectations relative to the role of the CRO on cyber risk vary considerably:
• Proactive cybersecurity czar appointed and empowered by the board (in a few cases)
• A middle ground of oversight and reporting (more common)
• Passive roles, where IT leaders or a CISO perform both first-line and second-line functions and report on cybersecurity to the board
But even with IT departments and CISOs taking the lead on technical aspects, it is increasingly common for the board to look to the CRO for independent, second-line monitoring and reporting, in full and close collaboration with CISOs or IT leaders.
Measuring cyber risk
Cyber risk measurement techniques are not advanced, according to the survey results. Typically, companies count breaches and some have started to gauge the scope of financial damage, although they acknowledge that operational and reputational impacts may be more severe than financial loss. Such basic tracking is helpful, though largely backward-looking, by CROs’ own admission.
Some CROs are looking forward, however:
• At one company, cyber risks have been separated from operational risks and are viewed as meriting special treatment. The ERM team performed an assessment and provided a score based on compliance and gaps. The cyber risk appetite is set (perhaps ambitiously) to zero problems. Though complete elimination of problems was not possible, the appetite focused much of the work being done to minimize problems at the next assessment and re-scoring. Most other survey respondents had targets of a few small events of limited magnitude.
• Another company uses a third-party assessor that provides a cyber security score, which leads to targets and prioritizations of efforts to improve the scores across different areas of the business. The plan is to conduct annual assessments and grading.
The survey also found that cyber risk appetite and risk tolerance are in an elementary state at most companies. Only one-third of CROs rely on external reference frameworks for cyber risk measurement. The only one mentioned was that of the National Institute of Standards and Technology (NIST).
Figure 4: state of risk appetite and risk tolerance
• 28%: company risk appetite statements did not reference cyber at all
• 44%: cyber risk is established within the risk appetite, though usually qualitatively and in some cases amounting to little more than a statement of aspiration
• 28%: inserting cyber into risk appetite is a work in progress
NIST Cybersecurity Framework (figure): the five core functions and their categories
• Identify: asset management; business environment; governance; risk assessment; risk management strategy
• Protect: access control; awareness and training; data security; information protection processes and procedures; maintenance; protective technology
• Detect: anomalies and events; security continuous monitoring; detection processes
• Respond: response planning; communications; analysis; mitigation; improvements
• Recover: recovery planning; improvements; communications
Source: NIST “Framework for Improving Critical Infrastructure Cybersecurity,” February 2014
The regulatory effect and backdrop to cyber
The increasing involvement of regulators was cited by some companies as affecting their approach to cybersecurity. For example, companies may seek to establish governance structures that align to future cybersecurity regulations at the state level. CROs are very mindful of the National Association of Insurance Commissioners (NAIC) cybersecurity model law process, even though that process has not completed and will require adoption and enactment by state legislatures across the U.S.
However, potential damage and even the existential threat from a cyber event is a much more powerful driver than regulatory compliance. The amount of resources allocated to cybersecurity may not have been greatly affected by regulatory influences. But CROs report that regulatory considerations do affect companies’ priorities and the manner of their responses.
As insurers eye the path forward, they must consider existing and future laws and regulation regarding data protection, consumer privacy and cybersecurity. A strong regulatory thrust is coming from the NAIC, which is nearing completion of its Insurance Data Security Model Law, with a final exposure draft issued in August 2017. The finalization of the Model Law will enable individual states to enact cyber regulation aligned with NAIC guidance by 2019 or 2020. New York State did not wait for NAIC and introduced regulation 23 NYCRR Part 500 in March 2017, with transitional periods through March 2019.
Regulation by the Federal Reserve Board (applying directly to banks, as well as to insurance groups that contain a bank or are designated as non-bank systemically important financial institutions) is also influential, in the form of the Advance Notice of Proposed Rulemaking (ANPR).
An ANPR was issued in October 2016 by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB). Insurers that interact with customers of banks will have to regard the requirements of the ANPR, even where the insurer itself is not directly Fed-regulated. See chart on page 12 for an overview of NAIC, New York State and ANPR plans.
Survey participants also cited:
• The Gramm-Leach-Bliley Act of 1999 as the defining legislation for customer privacy
• Recent requirements on customer rights to privacy promulgated by the NAIC
• The European Union’s GDPR (General Data Protection Regulation) as it affects groups with any customer footprint
Similar requirements from NAIC, NYSDFS and the ANPR
Governance
• Cybersecurity policy and program
• CISO and appropriately trained personnel
• Periodic risk assessment
• Incident response plans
• Third-party service provider policy
• Limitation on data retention (e.g., destruction of personally identifiable information)
• Formal process to report breach to regulator
Technical
• Penetration testing
• Access privileges
• Multi-factor authentication
• Encryption
• Systems must leave audit trail
• Application security
National Association of Insurance Commissioners (NAIC): Insurance Data Security Model Law
The Cybersecurity Working Group was established in late 2014 to work towards an Insurance Data Security Model Law; the first draft was released for consultation in March 2016; the current draft is final draft six.
OCC, FDIC, FRB: Advance Notice of Proposed Rulemaking (ANPR) on Cyber
The ANPR for Enhanced Cyber Risk Management Standards was published in October 2016 and the consultation period ended January 2017. In totality, the cyber ANPR would set significantly higher standards for US institutions. The ANPR signals the level of concern within the regulatory community.
New York State Department of Financial Services (NYSDFS): 23 NYCRR Part 500
NYSDFS has set requirements for New York-domiciled insurers ahead of finalization of the NAIC model law. NY Part 500 became effective from March 2017.
Cyber insurance: opportunity and challenge
Figure 6: the rise of the cyber insurance market – premium by policy type
• 2015: stand-alone policies $677 million; packaged $319 million; total $996 million
• 2016: stand-alone policies $911 million; packaged $430 million; total $1.341 billion (35% growth in a single year)
Source: NAIC public disclosure supplement for US-domiciled insurers providing US and global coverage
In 2015, the NAIC introduced a public disclosure supplement which makes it possible to examine year-on-year growth in the volume of cyber insurance at companies. Between 2015 and 2016, stand-alone and packaged premiums are disclosed separately (under the packaged classification, insurers have estimated the proportion of cyber-related coverage sitting within commercial liability, business interruption or directors and officers policies).
Total direct premiums written in 2016 were $1.341 billion, up from $996 million in 2015. It is worth noting that insurers’ own cyber insurance coverage is one way to mitigate cyber risk.
The bigger players in cyber insurance are moving to stand-alone policies and avoiding “silent” cyber coverage by clarifying exclusions for other types of policies. Some industry analysts, including A.M. Best Company, have projected that, by 2020, cyber premiums will reach $7.5 billion to $20 billion.
The cyber insurance market is concentrated, relative to other product lines. The top 20 companies constitute 7[?]% of market share, while the largest five by market share account for 2[?]%.
A wide range of coverages are offered for stand-alone cyber policies:
• Costs associated with privacy and data breaches (not necessarily limited to the US)
• Intellectual property theft
• Cyber extortion
• Business interruption following a cyber attack
• Consequent third-party liabilities (e.g., regulatory or legal)
• Consequent first-party costs in responding to breach (e.g., IT forensics, crisis management, individual notifications, credit monitoring)
Additional services offered by insurers include instant access to expert response services and crisis management.
Cyber insurance is clearly a growth opportunity, but risk exposures increase when insurers seek to underwrite in the absence of historical data. Indeed, multiple ratings agencies have indicated that excessive growth and concentration in cyber insurance would be deemed credit negative.
CRO remarks
“If something big happens, the C-suite expects CRO and CISO to take leading roles.”
“We’ve had little discussion on cyber risk appetite and know this is a gap.”
“The ERM team is tasked with managing the overall resiliency of the business and this includes cyber.”
“I defer most of the discussion on cyber risk to our CISO, who provides regular updates to the executive committee and board.”
The cybersecurity bottom line
The increasing severity of cyber risks has been at the forefront of risk management discussions during the last five years. Some participating CROs mentioned that their companies are still reorganizing and stepping up the urgency of their response plans. Some insurers continue to change where prime responsibilities for cyber risks reside, in some cases impacting on the CRO and the role of the risk team.
From clear and well-understood threats to emerging and unknown risks
In response to survey questions about ensuring their organizations are adequately positioned for “emerging trends,” CROs highlighted:
• Their reliance on emerging risks frameworks, with considerable assurance taken from the thoroughness and frequency of the process
• Effectiveness in compiling emerging risks, with dynamic processes to capture new risks and integrate them into risk registers or governance, risk and compliance (GRC) databases, so that they might be addressed, mitigated and measured
• The involvement of first-line business unit management at product, market and sector levels
• A broader process that identifies and collates emerging opportunities, rather than focusing solely on emerging adverse risks
While most CROs see emerging risks processes as clearly necessary, they also admit to shortcomings. Businesses trying to deliver against 2017 and 2018 short-term performance targets may be too busy to spend much time looking toward the likely risks of 2020 or 2022.
Some CROs (especially those with more organizational influence) take on the challenge for themselves and their risk teams, ensuring that horizon scanning is conducted with rigor and imagination. One CRO observed that business units may be equipped to spot their local risks and respond incrementally to external change, but may not be capable of spotting or responding to sudden and macro changes that impact the total company.
A number of CROs, however, reported their roles extending considerably beyond the conventional emerging risks process. In fact, some CROs believe they need to be proactive to make sure the organization is innovating and evaluating potential changes in direction. This group sees such facilitation not as an add-on or optional responsibility, but rather at the core of their job description.
For all the variation across individual companies, there is consensus that the universe of emerging risks is expanding, with CROs facing a broader range of more severe risks in 2017 and the years to come.
The global nature of emerging risks means potential disruption appears in every sector of the CRO radar.
Figure 7: a typical emerging-risks radar for CROs
The radar is arranged by PESTEL sector (political, economic, social, technological, environmental, legal), with each item marked as a heightened threat, a continuing threat or a new opportunity. Risks plotted include: nanotechnology, wearable devices, rising sea levels, international operations restrictions, tort reform, anti-Western sentiment, instability of foreign governments, tax reform, inflation, stock market volatility, infrastructure investment, near-zero interest rates, cyberattacks, energy over- or under-supply, disrupted weather patterns, pandemic, autonomous vehicles, data theft, regulatory reform, changing wealth distribution, digitized consumer behavior, labor law reform, global talent crunch, aging population and antibiotic resistance.
Source: Based on PESTEL analysis (covering political, economic, social, technological, environmental and legal factors), this illustration includes emerging risks cited by CROs during the 2017 Survey
CROs in a conventional emerging-risks process
Challenged by disruption, CROs see emerging-risks processes as necessary, even as many feel a stronger onus to promote innovation. Emerging opportunities may merit just as much attention as the emerging downside risks that are typically the focus.
Within conventional processes, CROs create and own the emerging risks policy, which sets out how the emerging risks process operates. Typically, such a policy:
• Defines and separates emerging risks from already managed risks
• Dictates how each newly emerged risk will be integrated into business-as-usual risk management
CROs will also facilitate the involvement of the business leaders and teams in the process. For instance, they may design and distribute questionnaires to guide businesses through assessments of emerging risks. They may also drive results gathering and discussion, as well as the collation and analysis of business unit responses to create an enterprise-level view of emerging risks.
Within conventional emerging-risk processes, CROs also:
• Report to the risk committee or board
• Provide feedback to the business units at appropriate levels of granularity and frequency for each audience
• Serve as a link to business and strategic planning, to ensure these processes are responsive to emerging risks
Conventional CRO role in the emerging-risks process (figure)
• Policy: creates and owns the emerging-risk policy, separating emerging risks from already managed risks and dictating how emerging risks are managed and measured
• Process: guides businesses to do their own risk assessments and facilitates discussion to create an enterprise-level view of emerging risks
• Reporting: reports to the risk committee or board and also provides feedback to each business unit as appropriate
• Strategy: provides the link to business and strategic planning, assuring that these processes are responsive to emerging risks
From serving as a control function to partnering with the business
The move from defense to offense parallels a general maturation of the ERM function. Today, CROs spend less time on “fire-drill” activities and more time trying to design, establish and refine sustainable processes for the long term. CROs report that essential defensive elements of ERM are in place. At many companies, they have been for quite some time.
However, CROs express concerns that processes are not yet sustainable and see improvement opportunities in two areas.
Some CROs admit that ERM continues to be viewed by some risk takers as burdensome or even as an imposition. They aspire for their risk teams to be “invited to the table” to facilitate more-effective and risk-informed business development. Other CROs proudly report they are already engaged with senior leaders or are on the front lines of the business.
1. Efficient delivery of ERM
To boost efficiency, CROs are:
• Repairing or enhancing ERM data, processes and reporting
• Removing inconsistencies and standardizing approaches
• More closely integrating risk teams with other control functions (e.g., legal, compliance, SOX teams, internal audit)
• Improving how risk processes interface with finance and operations
2. Embedding ERM across the enterprise
Successfully embedding ERM into the business depends largely on effective communication and organizational commitment. At some insurers, ERM mechanisms are in place, but CROs are:
• Establishing a transparent risk appetite statement that the entire organization embraces and uses
• Seeking to overcome resistance to ERM adoption in some parts of the enterprise
• Addressing shortfalls in risk culture
• Working incrementally to engage senior leadership or board
Limitations of CRO influence
Some CROs report practical constraints on their role relative to innovation:
• Cases where strategic planning does its work without involving risk
• Lack of skills and language to play a large role with strategy
• Reliance on strategy, marketing, product development teams or underwriters to drive innovation
• Excessively strict interpretations of the three-lines-of-defense model that limit any CRO involvement in product development or other activities
Partnering with business leaders and strategy teams
The survey found considerable variety in the extent to which the ERM function partners with the strategy function. In some cases, CROs have little or no involvement and there is no expectation that they should. Other CROs described very close and successful co-working relationships between strategy and risk functions.
A few common characteristics are notable at companies where there is strong risk-strategy partnership:
• CROs in senior leadership positions
• An ethos for the ERM function to promote transparent innovation, rather than constrain it, in interactions between risk and first-line functions
• CRO focus on communication between businesses, sideways to senior leadership and upward to boards
Several CROs regard themselves as uniquely placed in the development of company strategy. They have the greatest independence and, with their second-line positioning, are able to take a broad, holistic and enterprise-wide view.
For partnering to be successful, these same CROs are highly conscious of the need for broader skill sets:
• Technical ERM skills: understanding how to integrate sophisticated ERM frameworks directly into first-line operations
• Interpretive skills: the ability to work with businesses, actuaries, statisticians, modelers and investment professionals
• Nuanced business knowledge: applying deep insights into their company’s existing books of business, reconciling innovation with the complicated legacies with which many companies must contend
Several CROs cited rotation as key to broadening skills. Many risk teams rotate first-line personnel into and out of the second line, bringing deep business knowledge to the second line and then embedding an ERM mentality and risk intelligence back into the businesses.
Sidebar: Launching products with limited data
The survey covered how CROs and their teams handle specific types of innovation, such as covering new risks and launching new products with little or no data. CROs who addressed the topic were staunch in enabling and supporting controlled risk-taking, and saw clear dangers of ERM acting as a blocker. A number of survey participants referred to “partnerships” to overcome lack of data, knowledge or expertise, with specific steps including:
• Hiring new personnel for expertise lacking inside the organization
• Working with external firms and consultants with specialist knowledge
• Engaging with external reinsurers and/or brokers
• Liaising with international siblings or other parts of global enterprises
• Limiting the volume of new product offerings
Reinsurance partners are seen as bringing expertise and data, as well as opportunities to experiment with coverages and products in new markets, while passing off risks via reinsurance, which could take various forms (e.g., quota share, excess of loss). Several CROs reported product development where a full 100% of the insurance risk was borne by the reinsurer. This contained the financial risk, at a cost, while enabling both innovation and the acquisition of new corporate knowledge.
Innovation and especially speed to market are central to insurers’ long-term business plans, which CROs recognize. However, the survey addressed whether CROs, by the nature of their role, may inhibit innovation. CROs were very alert to this potential conflict, as their survey responses indicated.
• Most CROs are now formally involved in the product development process.
• They often have a veto over developments, but most expressed a dislike of using a veto.
• They see their role as “ensuring all of the risks are considered” and that innovation and product development are “thoughtful.”
• They focus on ensuring that developers include necessary risk metrics in their launch plans to ensure that risks are fully understood and quantified. Some CROs take the approach that establishing transparency on risk is more effective than an unseen hand of the CRO veto.
• CROs embed ERM team members as “risk representatives” or “delegates” within businesses, provide analytical tools for development projects and collaborate throughout innovation processes to avoid the risk of “us vs. them” thinking.
4 From the risks of action to the risks of inaction in promoting innovation
One CRO described particular success in engaging with developers early to clarify what was required by ERM at each phase of the development process.
Several CROs elevated the discussion to a conceptual level, saying their role was not to stand in the way of development, but rather to ensure their organization has transparency and understands the risk implications of various strategic choices. A consideration of all risks is seen as essential, although it heightens the danger that the CRO earns a reputation as naysayer.
CROs referred to capital management as part of their role relative to innovation programs. For example, CROs might ask if investment in a particular innovation can be justified, given the availability of capital and the risks involved. Conversely, the CROs might point out situations where excess capital is not being used and should be re-deployed elsewhere in the enterprise to foster innovation.
CROs also are looking for ways to promote risk-taking and innovation, and to avoid inhibiting it. For example, a high-risk innovation could be pursued, but simultaneously with taking steps to prevent material damage at the enterprise level. (See sidebar: Launching products with limited data)
One CRO saw ERM as having a formal responsibility to ensure future developments are within the organization’s risk appetite and tolerances. Again, CROs must see both sides of the innovation equation and validate that businesses take on the full amount of risk allotted them in their pursuit of innovation. (See sidebar: CROs, surplus capital and innovation)
Sidebar: CROs, surplus capital and innovation
CROs at companies with very strong capital positions are increasingly encountering the particular situation of their firm’s inability to use that capital in traditional, well-understood markets. That leads to a set of choices, each with its own risks:
• Returning capital to shareholders or paying as a dividend to a parent entity (perhaps outside the US) may not be as low risk as commonly assumed. For example, the associated failure to grow and contraction in volume bring the risk of inflating fixed central costs that have to be paid for by a diminishing customer base.
• If capital is deployed to drive innovative new products or entry into new markets, CROs may ask if the company has the expertise to compete and if it can attain the critical mass to match the efficiencies of first movers.
CROs should assist with the navigation of these issues, where greater innovation is inevitably associated with greater risk. However, they must also recognize the considerable risk associated with inaction, stagnation and failure to innovate.
The bottom line: more innovation means more risk — and more for CROs to do
As disruption becomes a dominant theme in so many parts of the business, CROs are ensuring that insurers have sufficient defense and protection from external threats of disruption. But the 2017 survey results make clear that some CROs are going further, playing offense and pushing their companies forward to innovate and disrupt for business advantage. These early-adopting CROs are building on their traditional role of protecting against excessive risk taking. Indeed, they are working to ensure that traditionally risk-averse insurers are aggressive enough in driving innovation.
The strategic evolution of the CRO role in the insurance industry reflects not just the market's recent past, but also its immediate future. Insurance CROs can no longer be seen solely as "air traffic control," as one European CRO put it, whose primary job is to avoid collisions. Rather, they are increasingly serving as copilots with business leaders, focused on getting insurance companies to their destinations on time and in profitable fashion.
The good news from this year's CRO survey is that an increasing number of CROs are advancing boldly toward such a forward-looking and business-enabling capacity.
Contacts
Chad Runchey, Principal, Ernst & Young LLP, +1 212 773 1015, chad.runchey@ey.com
Richard Marx, Principal, Ernst & Young LLP, +1 212 773 6770, rick.marx@ey.com
David Paul, Executive Director, Ernst & Young LLP, +1 212 773 8904, david.paul1@ey.com
Douglas French, Principal, Ernst & Young LLP, +1 212 773 4120, doug.french@ey.com
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2017 EYGM Limited. All Rights Reserved.
EYG no. 05390-171US
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com