Increasing authority and higher organizational profiles: 2014 insurance CRO survey

Table of contents

• Executive summary

• Section 1: Overview

• Section 2: Regulation

• Section 3: Organization

• Section 4: Risk quantification

• Section 5: Future outlook

• Conclusion

Executive summary

Ernst & Young LLP’s annual survey of chief risk officers (CROs) highlights the ongoing evolution of the role and confirms the increasing impacts of regulations that resulted from the financial crisis of 2008–09. The events of a few years ago are still shaping the agendas of many CROs, even as their activities focus to a greater extent on the effectiveness of risk management policies and processes. Further, they are spending more time with their boards and senior business leaders — a fact that underscores the increased impact of many CROs on the business and that industry leaders have become more aware of CRO capabilities. That CROs are involved with more types of business issues is testament to the value they have been adding to their organizations in the last several years and a harbinger of the opportunities that lie ahead.

The survey was conducted via interviews from October through December 2013 against the backdrop of increasing calls for coordinated regulatory regimes at national and international levels. As such, the answers reflect many of the mega-trends and major developments that were taking place in the broader sector during that time. It is particularly important to note that the majority of surveys were conducted before the release of the most recent report from the National Association of Insurance Commissioners (NAIC) regarding the content recommended for inclusion in the Own Risk and Solvency Assessment (ORSA) reports. Similarly, the Federal Insurance Office (FIO) released its report about the modernization of insurance regulation after most of the surveys were completed. It is likely that insurance CROs may be rethinking their views on critical regulatory issues.

Several major themes can be seen in this year’s results:

1. The expansion of CRO authority

CROs are spending more time interacting with boards and senior management. This higher organizational profile shows that insurers have on their radars a broader range of issues — including emerging risks such as cyberterrorism and data privacy. More important, it seems that these risks are more clearly perceived and considered more significant by the highest levels of executive leadership. That is certainly true when 2014 survey results are compared with those from past years. This may be evidence of CROs’ success in identifying such risks and clarifying their potential impact on the business. There is a growing recognition that CROs bring a forward-looking perspective and a unique set of analytical tools that can help leadership understand the implications of emerging risks. In other words, CROs have seized the opportunity highlighted in survey results from 2013 and the trend of rising CRO prominence has continued.

2. The seismic shift in both domestic and international regulations

It’s difficult to overstate the potential impact of regulatory changes. Survey respondents described their effects as “tsunamis.” CROs are clearly spending a lot of time thinking about the new regulatory regimes. As such concerns move up the corporate agenda, CROs are being asked to lead preparations and organize broad frameworks for the cumulative and interrelated effects of different layers of regulations. Efforts to comply with the ORSA recommendations are ongoing, but most companies are confident they have adequate plans in place and will meet the deadline. There is also a shared belief that the long-discussed international capital standards and group supervision will soon be an everyday reality. On the domestic front, there is a small but growing group of companies that want to upgrade the state-based regulatory system in the US, perhaps through a hybrid model. These themes are being echoed across the industry. For instance, in an August 2013 report, the Financial Stability Board (FSB) criticized the state-based regulatory system and called upon the federal government to assume a greater role. The partial convergence of US and international regimes is increasing the urgency of finding a common framework.

3. Shifts in the CRO focus — from survival to effectiveness

While low interest rates remain an issue, risk-management dialogues have shifted away from an urgent focus on survival (which was common in the immediate aftermath of the financial crisis) toward a more strategic and longer-term view of effectiveness and decision support. There is a sense that balance sheets have been mostly de-risked to their desired level and investments are performing as expected. Thus, CROs can invest a higher proportion of their time and energy in other areas, such as enterprise risk management (ERM) effectiveness. For example, CROs are seeking ways to embed more data-driven and analytics-based practices within their operations. The key question for many CROs has shifted from “are we doing the right things?” to “are we doing things right?”

Overall, the results make clear that the ongoing “risk journey” has entered an important new phase and that CROs will continue to have a seat at the table as their specific agendas and charters evolve along with the industry.

About EY’s CRO Survey

In Q4 2013, EY insurance risk analysts conducted interviews with chief risk officers and senior risk executives from more than 20 North American insurance companies. Collectively, the companies have significant business operations in all major sectors of the insurance industry, including property and casualty, life, and commercial lines of business. Further, respondents came from both mutual insurance and stock companies and from organizations under different regulatory regimes. Tabulated responses for each question are contained in the sections that follow.

Section 1: Overview

[Figure: chart of Q1 responses. Categories: ERM; Regulatory/ORSA; Economic capital; More management involvement; Risk appetite; Other. Percentages shown: 23%, 23%, 17%, 13%, 17%, 7%.]

In the recent past (as seen in previous CRO surveys), insurers needed to establish core risk management capabilities, particularly in the areas of ERM and economic capital. Today, with a solid foundation in place, the focus is on making these core processes and tools work better. Specifically, that means embedding necessary analytical capabilities within the business, which always serve as the first line of defense when it comes to risk management. There is clear and increasing recognition that, when done correctly, a risk appetite framework with detailed tolerances and limits at the corporate and business-unit levels can be an extremely effective way of communicating and tracking how company strategies and operations impact the risk profile. A risk appetite framework has also promoted a greater link between a company’s business objectives and its risk taking.

In 2013, less time was devoted to regulatory issues, especially when compared with increased engagement with the business and the board, though there is expected to be increased focus on regulatory issues in the coming year (as captured in the answers to the next question). CRO engagement is centered on playing an advisory role and helping to inform strategic decision making. This is an unsurprising result, given both the inevitability and huge scope of the changes to come, as well as the considerable progress that has been made toward ORSA compliance in the last year.

1 Because some questions had multiple answers, the percentages of responses were calculated and rounded for a total of 100%.

What CROs say

“We made a lot of progress in 2013 around modeling, in terms of both technical improvements and awareness and appreciation by the business.”

“We have taken our company to a new level of maturity where there is a rhythm of regular calculations and quarterly updates, which are integrated into a risk-appetite framework.”

“We are a couple of months away from including economic capital in pricing, but we are getting there.”

“A more formalized ERM framework is gaining traction, with a reviewing governance structure and more quantitative analytics.”

Q1 What was your most important accomplishment over the past year?¹


Q2 To which area will you devote significantly more attention in the next 12 months, compared with the last 12?

[Figure: chart of Q2 responses. Categories: ORSA; Risk appetite/governance; Economic capital/measurement; Other/operational risks; Integration with management activities; Regulatory — Terrorism Risk Insurance Act (TRIA); ERM. Percentages shown: 10%, 22%, 14%, 14%, 16%, 12%, 12%.]

The diversity of answers reflects the full plate many CROs face on a daily basis, as well as the evolution of their role in the last year. One respondent’s comment that the “use of economic capital is well defined” suggests that for many companies, the urgent activities of the recent past have reached a stable and largely sustainable state. The focus on ERM must be viewed in light of the ongoing preparations for ORSA; although there is work left to do, specific compliance concerns have subsided because CROs believe that they have “gotten their arms around” ORSA plans.

The elevated importance of “doing things right” has led to greater focus on operationalizing ERM by embedding it into the business, creating a more direct role for risk management in the overall management of the business and creating a “risk management culture.” The clear trend is toward more sophistication in ERM practices and policies, as well as closer alignment to, and involvement with, the business.

The sharp increase in regulatory concerns reflects the sense that various regulations and guidelines that have been so long discussed as “coming soon” are nearly “here and now” concerns. Several participants believe TRIA needs to be extended and the federal government is moving slowly. A significant number of CROs view the timely passage of this legislation as a test of the federal government’s ability to have a meaningful role in insurance regulation.

What CROs say

“Moving risk appetite, which is currently at firm level, down to segment and business-unit level is a goal.”

“Pushing the risk concepts through a risk network in the company — ultimately getting out to the business lines — will be an area of focus.”

“Risk measurement, specifically for risk limits and tolerances to be more widely adopted in the industry, is an area of importance.”

“We will devote more time to clarifying the role of risk committees in the business.”


Q3 What do you think are the biggest risks/challenges facing the insurance industry?

[Figure: chart of Q3 responses. Categories: Low interest rates/economic conditions; Emerging risk; Regulation/accounting; Competition; Other. Percentages shown: 23%, 12%, 53%, 6%, 6%.]

The improving economy, stock prices and margins of many insurers have allowed the CROs to move their attention from immediate-term issues to improving the effectiveness of processes and boosting engagement with the business. Regulatory changes — and the many challenges associated with compliance — have become the top-of-mind issue. They were mentioned by nearly every survey participant. Specific responses reflect the general outlook for CROs, some of whom lamented the “tsunamis” of change to come, the “blind application of banking regulation to insurance” and the “ever-increasing regulatory hurdle.”

Concerns about the economy in general — low interest rates in particular — were mentioned substantially less frequently compared with last year’s survey. To be clear: some CROs recognize low interest rates as an issue (especially at those firms with large variable annuity or long-term care businesses) but see them in less pressing terms than they saw them a year ago.

A myriad of regulatory concerns have replaced previously urgent concerns, such as the imperatives to mitigate balance sheet risks and establish basic economic capital risk assessment capabilities. As such, this represents a major shift in how CROs allocate their time and energy. Interestingly, no single issue dominates; rather, the concerns span a wide variety of topics, running from ORSA and group-wide supervision, to the role of the FIO and supervisory colleges, to global systemically important insurers (G-SII) and systemically important financial institution (SIFI) classifications.

What CROs say

“There is a tsunami of regulatory and accounting changes that may be impossible to meet.”

“I get the sense that regulators feel so much pressure that they have to do something.”

“Regulatory risk remains the big one, but cybersecurity is also a key risk.”

“It’s not so much interest rates at this point, but morbidity expectations for our long-term care business.”

“Interest-rate risk is reaching an inflection point.”

Lastly, emerging risks — particularly cyberterrorism, fracking and nanotechnologies — are more prominent on CROs’ radars. Constant change and the growing complexity of global businesses and financial markets mean these concerns (and the abiding uncertainty they present) are something like the “new normal.”

[Figure: chart of Q4 responses. Categories: Integrated into decision making; Nature of the dialogue with board and management; Increased effectiveness*; Reaction by regulators and rating agencies; Visibility with the board; Other. Percentages shown: 21%, 8%, 15%, 18%, 15%, 23%.]

This question, new to the 2014 survey, generated some of the most revealing discussion and considerable introspection on the part of respondents. Despite the obvious importance of demonstrating value, there are no common answers across the industry. The diversity of answers attests to the many varied responsibilities of CROs across the industry. The simple answer is that CROs are beholden to, and must satisfy, many different stakeholders, including:

• Business-unit line managers

• Corporate leadership

• Board of directors

• Regulators

• Rating agencies

• Policyholders

Putting aside the tangible demonstrations of the risk management function — identification, measurement, mitigation and reporting — the end goal is the improvement of management decision making. As seen in the results of questions one and two, this has been a key objective for many CROs. Almost 25% of the participating CROs said that integration into management decision making is one of the most important value contributions from the risk management function.

* Includes hedging, asset liability management (ALM), product design and pricing, and reduction in operational losses

Even as their profile and involvement with the board increases, survey respondents acknowledge that they could do a better job articulating the value of the risk function and pointing out the successes. As CROs focus more on the effectiveness of their capabilities and their engagement with the business, there will be a greater premium on the ability to communicate, persuade and even influence key strategic business decisions.

That is especially true since many of the metrics that could be used to gauge value will be distinctly qualitative; for example, many respondents spoke of the need for business management to “speak the language of risk management” or “understand the risk vocabulary.” Similarly, respondents emphasized risk management’s influence over decision making as an essential measure of value. One respondent mentioned that the business units at his company are actively recruiting staff away from the risk management department — a surefire sign that the risk function is adding value.

Q4 How do you know your risk function is creating value?

What CROs say

“It’s a matter of decision making: the more that the concept/framework becomes part of the discussion on business decisions, the more you know you’ve won.”

“I don’t feel a lot of pressure to prove the value. I don’t have a standalone risk management department, but rather a lot of people very engaged in risk management and good committees at the board and management levels.”


“There are several different ways to show value, such as actual results for the product design and product mix (such as variable annuities and reinsurance deals), all of which are developed with the work of the risk department.”

“We can show value via the risk appetite framework, build-out of the earnings-at-risk framework, missing earnings volatility and preparation for ORSA.”

“We create value by helping the organization take ‘good’ risks with pricing and investments, and approaching decision making using a consistent risk management approach and thought process.”

“It’s a hard question, but it really comes down to whether risk management is about simple compliance with rules or about improving dialogue to help drive decisions. One test is how many people in management know the risk vocabulary.”

Section 2: Regulation

[Figure: chart of Q5 responses. Categories: ORSA; Combination group-wide supervision and supervisory colleges; Solvency II/G-SII; SIFI; IFRS; Capital regulations/ComFrame from IAIS; Other. Percentages shown: 9%, 22%, 16%, 16%, 15%, 22%.]

Q5 What specific regulations, actual or pending, will present the biggest implementation challenge?

Here again, the big story is the diminishment of ORSA as a regulatory concern. However, answers must be considered in light of the fact that the survey was conducted before the results of the NAIC’s second pilot were released. Specifically, the NAIC provided more guidance on the types of information that could be included in ORSA reports from individual carriers.² Their suggestions raised the bar in terms of the amount, substance and detail of information regarding:

• Actual risk limits and tolerances

• Explanations for changes in risk appetite

• Risk mitigation

• Scenario analysis, including liquidity scenarios and combined scenarios

As a result of this new NAIC guidance, we believe that survey participants would have rated ORSA as a greater challenge. Not surprisingly, respondents cited a broad range of concerns, reflecting the nature of their businesses and operations. “Other” was a popular answer and includes the Affordable Care Act (ACA) and health care reform, state-level regulations and “constantly changing” capital requirements. It’s more the cumulative and interrelated impact of regulations, rather than one specific regulation, that’s keeping CROs awake at night. The imposition of “banking-centric” regulations also presents a concern, most notably in the form of data aggregation regulations and requirements for real-time data, which are viewed by many CROs as impractical or incongruous.

International standards are increasingly on the radar. This includes group-wide supervision (GWS), supervisory colleges and common capital regulation, such as the Common Framework (ComFrame) for the Supervision of Internationally Active Insurance Groups (IAIGs), which is being developed by the International Association of Insurance Supervisors (IAIS). The IAIS is the international standard-setting body for the prudential supervision of the insurance industry.

2 NAIC, 2013 Own Risk and Solvency Assessment (ORSA) Feedback Pilot Project; November 6, 2013.


What CROs say

“ORSA and reporting are the big ones, but how NAIC and regulators view companies with foreign parents and how much coordination there will be are also important.”

“It’s the lack of global standards and the 50 different state requirements that are most difficult.”

“Trying to comply with changes in regulatory and accounting/actuarial environments at the same time is impossible. There is no one regulation that presents the biggest challenge, but rather the combination of all at the same time that makes this a hugely challenging process.”

“The developing regulation is banking-centric, and insurance companies are being pushed into that model, whereas the business model differs.”

Q5 (continued)

For some of these regulations, the completion dates have been determined and companies affected by the regulations need to prepare for the change (see table below).

Timeline of confirmed regulation changes³

| Deadline | Requirement | Application |
|---|---|---|
| 2013 | Development of the basic capital requirement | G-SIIs, possible application to IAIGs |
| 2014 | Testing and endorsement of the basic capital requirement | Endorsement by IAIS, FSB and G20 |
| 2015 | Development of higher loss absorbency | G-SIIs |
| 2016 | Development of insurance capital standards | IAIGs |
| 2019 | Implementation of higher loss absorbency and the insurance capital standard | G-SIIs and IAIGs |

3 Source: EY and the Tapestry Networks, Toward global standards for group supervision, January 2014.


What CROs say

“The road map has been built, and we are following it.”

“Responsibilities for ORSA development have been allocated, and a project plan is under development. A first-step regulatory model for capital will be used, with an improvement plan embedded in the ORSA document.”

“We are working on it and don’t think it will be a big deal.”

“We feel pretty well versed in the requirements. We have external feedback from consultants and conferences and have conducted an internal gap analysis.”

“We were part of the second pilot and are now customizing it and aligning with our European parent.”

Q6 Do you currently have specific plans in place for meeting NAIC’s ORSA requirements?

The majority of respondents reported that they have plans in place for ORSA compliance and are confident that they will be able to complete the report by the required deadline. Overall, the attitude of respondents toward ORSA could be summarized as “no big deal.” Many had already completed their road maps and were focused on “enhancing” or “customizing” reports for their organizations. Notably, survey respondents included both participants and non-participants in the NAIC pilot programs.

Collectively, this year’s results mark a dramatic change from the 2013 survey results, which highlighted more serious concerns — especially from CROs at mid-sized carriers — about ORSA compliance.

[Figure: chart of Q7 responses. Categories: International; Federal charter/level playing field; Work with the states to improve consistency and uniformity; Limited or no role. Percentages shown: 24%, 18%, 35%, 23%.]

The depth and breadth of coming regulatory change — both on the national and international level — has become a firm reality for CROs. As such, more companies are open to a greater role for the FIO, mostly because of the potential benefits of more standardized regulations nationally or a “level playing field.” Another idea was for the federal government to replace the state-based regulatory regime and thus eliminate “regulatory shopping” across state lines.

However, a significant percentage of respondents believe that the status quo of state-based regulations is sufficient or even attractive. As such, they fear “duplicative regulation.” An alternative view sees the potential for the FIO to serve as a sort of international ambassador for the industry.

As previously discussed, since the release of the NAIC’s report, it is likely that many CROs are rethinking the nature and scope of the ORSA reports. Similarly, the survey was largely conducted before the release of the FIO report titled How to Modernize and Improve the System of Insurance Regulation in the United States (the Report). The Report summarizes perceived weaknesses the FIO observed in its review of the current state-based regulatory system. While the FIO gives credit to the modernization efforts being led by the NAIC, it also clearly indicates that Congress should seriously consider greater federal involvement if further meaningful change is not made in a reasonable timeframe.

The Report specifically mentions the following:

“The absence of uniformity in the U.S. insurance regulatory system creates inefficiencies and burdens for consumers, insurers and the international community. ... The need for uniformity and the realities of globally active, diversified financial firms compel the conclusion that federal involvement of some kind in insurance regulation is necessary. Regulation at the federal level would improve uniformity, efficiency and consistency, and it would address concerns with uniform supervision of insurance firms with national and global activities.”⁴

Compared with last year’s results, respondents are open to some sort of regulatory role for the FIO in cooperation with the states. More than a third of the participants believed that the FIO should work with the states to improve consistency and uniformity of the state-based system. This lack of consensus relative to the FIO is similar to last year’s survey finding. In fact, the ongoing ambiguity among CROs toward regulation can be seen in both the 2013 and 2014 survey results. Many CROs remain undecided about the FIO’s involvement and are watching the issues closely.

4 Federal Insurance Office, How to Modernize and Improve the System of Insurance Regulation in the United States; page 13.

Q7 What should be the role of the FIO?


What CROs say

“The FIO should be a voice for the insurance industry in the international community, but there doesn’t seem to be a lot of outreach to carriers.”

“A federal charter may make things easier.”

“I would love to see the FIO constructively get its arms around a more level playing field in insurance regulation nationally, but I’m not sure how that will look.”

“If the FIO is going to be involved, it should focus on the larger items, such as governance, capital, etc.”

“There is no other industry without some level of federal oversight.”

“I am not sure what problem FIO can solve or what value it can or will provide.”

Section 3: Organization

[Figure: chart of Q8 responses. Categories: CEO; Other; COO; Chief actuary/head of internal audits; CFO. Percentages shown: 38%, 38%, 14%, 5%, 5%.]

Compared with last year, there has been a dramatic change in the reporting structure for many CROs. The most profound shift is away from direct chief financial officer (CFO) reporting. An equal number of CROs now report directly to the chief executive officer (CEO). This is perhaps the most tangible evidence of the increasing responsibilities and authority of the CRO and the continuing separation of the CRO position from the CFO position. Interestingly, despite greater board interaction generally, no respondents report directly to the board — a noticeable dip from 10% in the 2013 survey results. Increasingly, CROs are being asked to serve on the executive management committee and to chair critical risk management committees.

Respondents also described various alternative reporting arrangements, such as dotted-line relationships to the CEO or other areas, most commonly actuarial groups or business-unit risk leaders. As risk management becomes more distributed or embedded across the enterprise, those dotted lines may proliferate.

Taking a historical perspective, participants in the 2010 CRO survey predicted that within three to five years, the CRO position would be on par with the CFO. Several years later, that prediction is largely coming true, even if at a more gradual pace than initially expected.

What CROs say

“Because we have a distributed risk function, risk management is the responsibility of the whole organization, with a Governance Council and activity spread across three leaders and an emphasis on transparency.”

“I report to the CFO but want to report to the CEO.”

Q8 To whom do you report?


What CROs say

“Our work is done by many people in the business, and effort will continue to grow even if we don’t have any dedicated people.”

“We have a large team of 200 people, which includes model validation and actuarial modeling.”

“There is a mix of risk staff in the corporate office and business units.”

Q9 How many direct and indirect reports do you have?

There remains disparity in the number of direct reports for individual CROs, spanning 5 to 50, with indirect reports totaling anywhere from 10 to 200. This range reflects the differences in roles and responsibilities. As reported in the last survey, some CROs are in the traditional mode, whereby their role is largely seen as a traffic cop monitoring and controlling risk taking by the business. More broadly, critical work is taking place across the organization via tiered committees and with different sets of business stakeholders. Therefore, the growing authority of CROs does not necessarily translate into larger numbers of direct reports. Given the strong evidence of the expansion of CROs’ roles and responsibilities, we expect that the number of both direct and indirect reports will continue to increase for those companies that are continuing to build their risk management function.

[Figure: chart of Q9 responses. Categories: 1–5; 6–10; 11–50; More than 50. Percentages shown: 35%, 25%, 20%, 20%.]

What CROs say

“The main responsibility is to make sure that there is a framework to manage all of the risks.”

“Operational and investment risk are managed through committee. All of the ERM risks also go through committee.”

“I have responsibility for reporting on all risks, while some others have accountability for assessing. Credit risk sits with investment.”

“We are at least partially accountable for everything that can result in risk failure.”

Q10 Other than the four main risk categories (credit, market, insurance and operational risks), what risk management areas are you responsible for?

Although continuously evolving, CRO responsibilities are becoming more consistent across the industry. All respondents indicated that they are responsible for all second-line-of-defense duties for the four major risk types — credit, market, insurance and operational. As one CRO summarized, “Oversight for all; ownership for none.”

About 24% of the participants reported that they were responsible for most of the risk modeling, tolerance and limit setting around the risk appetite. About a quarter of respondents were directly in favor of developing and executing the enterprise-wide risk framework. Other CRO responsibilities include hedging oversight, underwriting, ALM and TRIA. Despite the consistency in second-line responsibilities, it is not always easy to specifically define ultimate responsibility. One CRO remarked that he “partially owns everything that can become a risk failure and therefore a failure of the CRO.”

To an increasing degree, they are also responsible for emerging and technology risks. In some cases, CROs have a role to play in product design, hedging of annuity risk or setting guardrails as the business considers new opportunities or investments.

Here again, the full spectrum of risks demonstrates how the CRO agenda has broadened during the past several years. Similarly, as the interrelated nature of this great variety of risks becomes clearer, CROs must aim for more integrated frameworks for monitoring risks, a point emphasized by several respondents. The answers also highlighted how the CROs are involved with many other committees focused on specific types of risks (e.g., market, credit or IT security risks). It’s also important to note how many CROs have oversight or reporting responsibilities, rather than actual accountability or “ownership” of specific risks. This finding is in keeping with the separation between the first and the second lines of defense.

[Figure: chart of Q10 responses. Categories: ERM risk/framework; Measurement/limit setting; Chair risk committee(s); Underwriting; Other. Percentages shown: 24%, 24%, 16%, 24%, 12%.]

22 | Increasing authority and higher organizational profiles

The good news is that all respondents reported that regardless of their formal responsibilities, they had complete access to the board if they needed it. Another interesting theme from this year’s survey is how the frequency of access depends upon the reporting relationship. CROs who report to the CFO generally reported less board access than CROs reporting directly to the CEO. Most CROs responded that board access is available if needed. Several respondents reported “great access” or “unfettered access,” with a majority describing regular sessions.

Many CROs interact with board audit committees or board risk committees on a quarterly basis, with annual sessions with the full board. Increasingly, companies are forming a board risk committee that is separate from the audit committee because of the specialized nature of the mandates the board risk committee needs to review. It’s also worth noting that many boards seek regular interactions with the CROs and their teams; in other words, it’s not just a one-way street. CROs are also being called upon to appear in front of other board committees to discuss key issues, such as risk-adjusted compensation (HR committee) and IT risks (technology committee).

Q11 What is your access to the board?

What CROs say

“Every board meeting has a standard update, with a focus on the hot topics through a standing meeting. We don’t have much ad hoc interaction, but we could likely get to the board if necessary.”

“We speak to the risk and finance committee every quarter, but we have access to the full board or anyone as needed on an unfiltered basis.”

“We haven’t taken full advantage of our access since the risk is within the audit committee of the board.”

[Chart, Q11: No formal access 27%; Formal access 73%.]

What CROs say

“A centralized model could be effective, but key risk people must have business experience.”

“The CFO can more actively manage the direction of the program and provide more coaching. We are also looking at how to map risk oversight to business decisions and, potentially, how risk reports to the board.”

“A couple of areas should probably move into risk management. Compliance risk management is one example. It shouldn’t be just in legal, but coordinated more broadly.”

“I think the key is to improve dialogue with the board and key stakeholders on risk, and increase board knowledge of risk management. Then, an overall build-out of the second line with risk professionals. Long term, internal audit will move away from CRO.”

Q12 How can organizational and reporting structure be improved?

There was no shortage of ideas on how to improve the organizational and reporting structure. Among the most straightforward suggestions were to report directly to the CEO and/or gain greater board access. Others saw membership on the executive management committee and increased involvement in strategic planning as critical improvements. Acknowledging the “distributed nature” and complex reporting lines at many carriers, some respondents were thinking in terms of “strengthening the matrix approach” (e.g., by risk type or product line) and clarifying roles and responsibilities.

Appropriately, a number of responses focused on “opening up lines of communication” and how refinements to the organizational structures can add value to ERM. In most cases, that meant getting more risk management resources and expertise closer to the business.

Section 4: Risk quantification

What CROs say

“Economic capital, based upon statutory accounting rules and long-term run-off models, is the most common way. This is corporate-driven with tight coordination around scenarios and distributions.”

“We use economic capital and stress testing, primarily in investments.”

“It’s a group-wide aggregate measurement of economic capital based on risk the company is exposed to, not SII or market consistent.”

Q13 How do you quantify risks?

Most companies responded that they use a fairly standard set of risk quantification tools, including:

• Stress testing

• Economic capital

• Scenario analysis

• Key driver analysis

• Stochastic modeling

Interestingly, their risk quantification programs — especially in the areas of economic capital and stress testing — are used in a variety of different ways (see next question). Compared with surveys in previous years, there was emphasis on having more robust and sophisticated models (highlighting that foundational capabilities are now well established). Customized approaches and scenarios featuring “black swan” events are evidence of this trend.

The bottom line is that risk quantification is critical to the business and among the most important tasks for CROs to be involved with. And there are clear business drivers, including the need to better understand product profitability, identify and evaluate growth opportunities, and project future revenue in uncertain and volatile interest rate and economic environments. This is consistent with results from previous surveys, and there is every reason to expect continued development and sophistication of quantification approaches in the future.


Quantification continues to be directed primarily toward capital allocation and optimization, though there are some variations and a trend toward using risk quantification as an input to strategic decision-making processes. Interestingly, one respondent highlighted risk quantification as an important means to understand how the carrier performed in terms of “promises made and promises kept.”

Many companies recognize economic capital programs to be a fundamental building block to risk-adjusted pricing and for business-unit performance management. Other quantitative techniques growing in importance are stress testing and scenario planning. With the recent suggestions by the NAIC that stress tests assume a larger role in the ORSA report, this trend is expected to continue. Many companies are using risk quantification tools and data to set and test limits and tolerances of the different components of risk appetite.

Q14 How are the results of your risk quantification used?

[Chart, Q14. Categories: Capital allocation/adequacy; Pricing/new product approval; Risk-adjusted performance; Reinsurance; Rating agencies; Risk appetite/limit setting; Other. Values shown: 23%, 8%, 5%, 5%, 12%, 12%, 35%.]

What CROs say

“We use them for decisions on reinsurance, rating agencies, ORSA and to drill down for deeper understanding of risk.”

“Currently, we use them for capital adequacy to gain a macro view of how much capital is in the company. Another use is for internal capital allocations for GAAP financial reporting — specifically, how assets are funded to product lines.”


Q14 (continued)

What CROs say

“Primarily we use risk quantification for limit setting and risk appetite, and for forward-looking risk taking in areas of opportunity.”

“Allocating capital to the business, tracking capital adequacy and free surplus, setting profitability goals, and pricing are the primary ways we use risk quantification, but not for new product approvals.”

“It’s an input into the risk appetite-setting process, and for related strategic planning cycles, and as an input for business decisions, e.g., regarding a global hedge.”

Section 5: Future outlook

What CROs say

“We anticipate no change in staffing levels. However, we will redeploy staff into broader ERM work.”

“Staffing levels will stay the same with different resourcing. For example, we are developing an actuarial rotation program.”

“Staffing in the risk function has increased by about 50% over the past year.”

Q15 Compared with a year ago, has the size of your department increased, decreased or stayed the same?

Most CROs expect their departments or teams will maintain roughly the same number of full-time equivalents. More than a third expect their staffing levels to increase over the next year. However, as CRO responsibilities evolve, the skills composition of their staff will change and likely expand. Specifically, they are looking to acquire more capabilities in risk quantification, model governance, stress testing and change management. These shifts are likely due to the impacts of pending regulations.

Part of the skills expansion is being driven by the business, which is actively seeking more risk management capabilities, according to several participants. In terms of accessing talent, several respondents described the difficulty in finding the right resources, as highlighted.

[Chart, Q15: Increased 37%; Decreased 5%; Same 58%.]

Most of the participants reported that finding qualified staff is increasingly difficult. Insurers are in competition for talent with other financial services companies and consulting firms. The talent shortage is particularly acute in actuarial sciences.

The 2013 Risk Management Compensation Survey, conducted by The Risks and Insurance Management Society, found that at all levels compensation for risk managers within the insurance industry continues to increase sharply. Combined with budget pressures and the increasing difficulty of recruiting qualified risk staff, companies face a real constraint in expanding their risk management capabilities. To meet their increasing responsibilities, CROs will need to cross-train existing staff and make greater use of technology.

Q16 Compared with a year ago, would you say that hiring and retaining good talent is harder, easier or about the same?

What CROs say

“We are interested in getting more staff at the business-unit level.”

“Hiring is getting more difficult due to a shortage of talent.”

“We may stay the same in terms of headcount but are looking at different resourcing options.”

“Staffing levels will be the same, but it is difficult to retain talent in the US, though it is easier in Europe.”


What CROs say

“The CRO role is changing from being a ‘brake’ to being a ‘copilot.’ More knowledge of capital management and financial management will be required for CROs as they become a decision making member of the executive suite.”

“The CRO role will be more defined and consistent across organizations, as a result of either evolution or regulatory guidance.”

“The future will be less involved with compliance and more actively involved with the business decisions.”

“We will be more forward-looking and much more integrated with strategic decision making.”

Q17 Looking three to five years out, what do you think will be the biggest differences in the CRO role then compared with now?

There is broad consensus among respondents that the trend toward greater responsibility, authority and presence — especially among the executive management committees and the board — will only continue. If the economy weakens or there are significant waves of market turbulence, this trend will accelerate and intensify.

There is little doubt that the CRO role will also grow in importance, likely becoming more of a strategic advisor to the C-suite, as well as to stakeholders and decision makers across the business. In the view of one respondent, the CRO role is becoming more analogous to that of a “copilot” to the business, whereas in the past, the CRO role was more like a “brake” on the business. Other illustrative comments highlighted that CROs will be proactively involved in areas such as business planning and portfolio design and optimization.

There were several comments predicting that there will be less focus on “playing defense” in terms of risk reduction and more attention paid to risk as opportunity.

As ERM becomes more embedded in the business units, risk management considerations will have more influence over more decisions — a direct result of the drive by CROs to make ERM more effective.

Lastly, respondents also expect there will be a more explicit separation of responsibilities between the CRO and the CFO.

Conclusion

The continued evolution of the role of the CRO demonstrated in the CRO surveys seems certain to continue. A diversified set of responsibilities and increasing priorities will place a premium on communication and lead to more direct engagement with the board and senior business leadership. The proliferating risks faced by insurers are likely to fuel the expansion of authority for CROs, as well as influence the ways they interact with the business.

At the same time, it is impossible to overestimate the profound impacts of regulatory change. There can be no doubt that CROs have a larger role to play — as well as more value to add — in shaping the conversation with regulators as well as helping their companies prepare for compliance with these new demands. Despite the turbulence and shifts that CROs face in their daily jobs, it is no coincidence that their increased focus on the effectiveness of their efforts resulted in raising the organizational profile of the risk management function and increasing its value contribution to the business.

Thank you

EY wishes to express its appreciation to the CROs who took the time to participate in this year’s survey.

For more information about the survey and findings, please contact:

Bill Spinard Executive Director, Financial Services Ernst & Young LLP +1 301 648 4170 [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

EY is a leader in serving the global financial services marketplace

Nearly 35,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 6,500 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.

EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

© 2014 Ernst & Young LLP. All Rights Reserved.

SCORE No. CK07561402-1200552 NYED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

www.ey.com