role of a chief risk officer

Enterprise Risk Advisory, LLC

May 11 2007

Bob LautensackHenry McMillanMichel RochetteSim Segal

Role of the CRO

Enterprise Risk Advisory, LLC 2

(1)Main Roles of a CRO:

CRO is NOT the Risk Manager of the Risk Managers!

Leader, facilitator, integrator, coordinator of risk rather than a manager of risk.

Create a culture risk awareness within the organization.

Formally bring consideration of risk into the strategic decision making.

Develop a center of excellence for managing risk using the skills sets of individual risk managers.

Communicate to all stakeholders – internal and external – about risk.

Bring the BIG PICTURE PERSPECTIVE!


(1)Main Responsibilities of a CRO:

Develop, maintain, and update risk governance framework: Risk policies, risk appetite and risk limits. Risk infrastructure, process and reporting. Risk integration and links between risks.

Coordinate with business line: Risk training Risk assessment and action plans Incorporate risk elements in performance metrics Ensure lines of business have risk capacity both in

personnel and risk systems.


(1)Main Responsibilities of a CRO:

Senior management: Advice on risk issues in strategic decision making Provide aggregated and detailed reports on risk in

line with risk appetite and limits Keep management appraised of industry standards

Committees: ALM, Credit, Operational, IT, Security

External Party liaison New regulatory risk initiatives: Ex. NAIC Corporate

Governance for Risk Management Act.


(1)Skills Required:

Some quantitative skills but not be a polymath: analytical, understands the models and bright!

Excellent understanding of the supply value chains of your organization: See the links between risks that the risk silos don’t see!

Strategic and tactical thinker. Ability to understand business issues. Ability to compare risk and reward. Leader/ educator in terms of promoting a risk culture. Project manager of risk initiatives. Ability to synthesize a lot of data and see trends and potential

impact on company. Communication skills are a priority because a

CRO is a C-level Executive: written and oral.


(1)Differences between Actuaries and CRO

Actuaries: Emphasize high

quantitative skills Specialize in a field:

Valuation, pricing, risk…

Risk field: focus on measurement of risk

Communication with peers

Usually function with other actuaries in actuarial departments.

CROs: An analytical background is

sufficient Overall view of the

businesses: Integrative view. Can see the links.

Some risk can’t be quantified but doesn’t mean that they can be managed.

Communication to a broad audience, internal/external.

Build links with business units where risks are managed.


(2)Internal: Interaction with the Board

Once a month

Once a quarter

Twice a year

Once every year

Other

Do not formally report 8%

1%

11%

15%

53%

12%

TP 2006 ERM Survey

92% report on risk to their Board of Directors at least annually


(2)Internal: Interaction with Senior Management

Once a month

Once a quarter

Twice a year

Once every year

Other


5%

6%

8%

35%

39%

More frequent than with the Board, about 40% monthly

TP 2006 ERM Survey


(2)External: Interaction with Shareholders

Once a month

Once a quarter

Twice a year

Once every year

Other


4%

27%

8%

18%

4%

TP 2006 ERM Survey

The majority (61%) of respondents indicate they report on risk to shareholders at least annually


(2)External Interaction with Regulators

Once a month

Once a quarter

Twice a year

Once every year

Other


5%

32%

3%

18%

4%

62% of the participants formally report on risk to regulators

TP 2006 ERM Survey


(2)External Interaction with Rating Agencies

Once a monthOnce a quarter

Twice a year

Once every year

OtherDo not formally report 37%

3%

48%

6%

6%

0%

63% report on risk to the rating agencies at least annually

TP 2006 ERM Survey


(2)Internal Communication of Risk

Regular reports to executive committee/board of directors

On an ad hoc, as-needed basis

Regular reports to CRO

Risk “dashboards” at the risk category, business or corporate

level

Regulatory reporting formats

Other 4%

25%

29%

32%

45%

75%

(75%) provide reports on key risk exposures and risk management activities to the executive committee or Board of Directors

TP 2006 ERM Survey


(2)External Communication

Provide separate information to rating agencies

Separate section devoted to risk management in annual report

Provide supplementary information to regulators

Use regulatory reporting formatsProvide separate information to financial

analystsDo not externally communicate with

stakeholdersHold focus groups with key

customers/suppliers/communityOther 4%

3%

14%

18%

31%

32%

45%

59%

More common with European insurers (68%)North America (26%)

TP 2006 ERM Survey


(3)Decision Making by CROS: Risk/Control

High Level position => High level involvement

Oversight role, not a cop!

Must exist at the same level as CFO.

Areas of focus: Risk identification, particular emerging risks Risk approval process of new initiatives making sure that all

risks are taken into account Risk exception authorization Risk prioritization and escalation. Risk mitigation strategies and alternatives Risk compliance and business continuity. Risk communication


(4) Risks under CRO’s Purview Now

Financial risks: Interest rate (97%) Equity(81%) Credit (asset default/migration) (80%) Liquidity (41%)

Demographic risks: Mortality (92%) Lapse ( 84%) Longevity (73%) Policy holder behavior (58%)

Operational risks (70%)TP 2006 ERM Survey


(4)Risks under CRO’s Purview: Emerging

Reputational Risk(52)

Regulatory Risk(40)

Human Capital Risk(40)

IT RISK(35)

Financial, Market, Credit and Insurance Risk(30)

Crime, security, political, natural hazard, FX, Terrorism, Country Risk(20)

Source: Economist Intelligence Unit, 2005

Max Scale: 100


(5) TOP RISKS

Economic risks: Credit losses are at historical lows: Risk of downturn is

increasing. No spill over yet from SubPrime meltdown. Political risks are increasing everywhere. Liquidity risk: private equity, structured deals. Thus: Scenarios and Stress tests still RELEVANT.

Compliance with the new regulatory environment: NAIC Corporate Governance For Risk Management Act Solvency II. Principles-based Others: AML

Monitoring and identifying emerging risks: Longevity risk. Impact of new lifestyles, drugs on health. Extreme events: Avian Flu, terrorism and business continuity Concentration of risks and links between risks.


(6)Reporting relation of the CRO

Responsible for Risk Management To Whom Primarily Reports

The person responsible for risk management most often reports to the CEO (45%)

Chief Risk Officer

Chief Fin. Officer

Risk Management Committee

Chief Actuary

Head of Internal AuditOther 14%

1%

8%

16%

18%

43%CEO

CFO or Financial Director

Board of Directors

COO

Risk Committee

Other 6%

4%

4%

17%

24%

45%

TP 2006 ERM Survey


(7)ERM Culture

Evolutionary process: Must see a trend in a company from:

Existing risk identification in silos. Start establishing links between risks: Ex. Natural Hedge

between life and annuity operations. Start being proactive in risk assessment: Forward looking, not

just reporting on existing situation. Embed risk analysis in new initiatives – new product, new IT

system, M & A, Communicate internally and externally about your risk

situation.


(7) ERM Culture: Enshrined in organizations when:

Business lines takes the initiative on risk issues: Behaviors have changed.

Prevention: Scanning for risks, consciously choosing the risks we want to retain, then managing them proactively.

Detection: Early identification of risks from internal or external sources.

CRO focuses only on emerging risk.

Recovery after risk occurrence and learn quickly: continuous improvement.

Risk analysis becomes as important as revenue generation: activities are evaluated on a risk-adjusted basis.

Compensation becomes tied to risk.


(8) Risk Appetite:

Definition: Risk appetite is defined as the organization’s willingness to accept risk in pursuit of its strategic objectives.

Risk appetite is assessed against the organization’s key drivers of success: financial and non financial.

The establishment of the statement on risk appetite is intended to guide employees in their actions and ability to accept and manage risks.

Preferable if determined from top down rather than bottom up.

Define metric: Debt rating, earnings volatility.


(8) Risk Appetite:

Link with overall strategic goal. Ex. Insurance financial strength rating or desired debt rating -

which implies a desired capital to keep that rating over a given time horizon-.

Translate into day-to-day management: Allocate risk appetite to each type of risk by setting up

appropriate limits including the zero tolerance risk.. Ex. Fraud.. Allocate risk appetite even for the non quantifiable risk: Ex.

Reputation risk. Firm not willing to compromise its reputation. Define risk tolerances around that risk appetite. Communicate internally and externally: Build expectations

about risk. When risk materializes within limits, markets will not react as they have already built it into their pricing.


(9) Challenges of the CROs

Ensuring that the organization is in compliance with the ever changing regulatory environment.

Informing the Board about significant risk issues.

Assuring business continuity and prepare for crisis: crisis management and fight inertia to do so.

Monitor emerging risks: Operational, reputation, environmental.

Get an integrated picture of risk: Establish links.

Embed risk management in day-to-day operations.

Linking risk management in capital management.


(9) Challenges of the CROs

Improving the risk measurement and quantification processes

Acting to manage the risk profile of your organization

Improving internal risk reporting processes

Ensuring that risk management considerations are explicitly factored into decision making

Improving the risk identification and prioritization processes

Establishing a risk framework and/or risk policy

Improving education and internal communication of risk management principles and approach

Establishing a risk management organization and governance structure

Improving external communicationsIncorporating risk management considerations into

incentive compensationOther 1%

8%

14%

42%

46%

53%

54%

59%

63%

64%

77%

TP 2006 ERM Survey


Thanks

Ellen Bull, Librarian at the SOA for useful references and help for my two presentations