2017 Insurance CRO Survey Shifting from defense to offense


About the survey

Since 2011, EY’s annual North American insurance CRO survey has served as a lens on the current state of enterprise risk management in the industry and the shifting role of chief risk officers (CROs).

The 2017 survey featured the largest ever group of participants (40 companies) answering more detailed questions about disruption and cybersecurity, which have emerged as key issues for many CROs.

CRO survey participants work for:

[Pie chart: participants by company type, covering life insurers or groups, health insurers or composites, and property and casualty (P&C) companies; segment values 55%, 33% and 12%]

EY sincerely thanks the CROs and their risk teams who participated. Their time and insights are what make the survey valuable.


Table of contents

Introduction: CROs starting to shift from reactive, regulatory defense to business-enabling, strategic offense (page 3)

Four critical transitions

1. From relative stability to disruption (page 5)

CROs and cybersecurity: where they stand in 2017 (page 7)

2. From clear and well-understood threats to emerging and unknown risks (page 17)

3. From serving as a control function to partnering with the business (page 21)

4. From the risks of action to the risks of inaction in promoting innovation (page 23)

This year’s report highlights the continuing evolution of the CRO role in light of several important transitions. Beyond leading their risk teams, more CROs are also starting to play key roles as the entire enterprise comes to terms with a turbulent marketplace and rising cyber risks. For all the progress they have achieved, CROs and their risk teams have not reached an endpoint.

Rather, they see constant pressure and opportunity to reorient their approach toward greater alignment with the business and, in doing so, to enhance the value they bring to the enterprise.


Introduction

CROs starting to shift from reactive, regulatory defense to business-enabling, strategic offense

EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works-in-progress or ongoing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.

There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.

CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.

Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):

• From relative stability to disruption

• From clear and well-understood threats to emerging and unknown risks

• From serving as a control function to partnering with the business

• From focusing on the risks of action to promoting innovation and avoiding the risk of inaction


A brief history of insurance CROs: the strategic trajectory

Where CROs mostly played defense in focusing on compliance and regulatory activities after the crisis, many have started to move on to a more proactive, business-driven posture, with greater emphasis on adding value through the efficient delivery of ERM.

Figure 1: the strategic trajectory of CROs

[Chart: timeline from 2000 to 2027 with the 2007 financial crisis marked; risk team and CRO adoption (0% to 100%) based on survey responses, showing the share of insurers with a risk team and with a CRO and the formalization of risk teams and processes; CRO focus shifts from defense to offense]

From defense:

• Stabilization

• Known risks

• Control

• Mitigating risks

• Installing ERM

• Regulatory-focused

• Measurement and mitigation

To offense:

• Disruption

• Emerging risks

• Partnering

• Promoting innovation

• Embedding ERM

• Strategic

• Value-adding

From relative stability to disruption

The reorientation of the CRO role is a function not only of internal progress, but also of external forces and the new normal in the insurance market, with its widespread disruption and imperative to innovate. Even CROs who see opportunity to become more proactive and add more value to the business speak of swimming faster to keep pace with a stronger current. If new challenges — especially those related to disruption — are not met, they fear the consequences for their companies.

Survey respondents characterized the implications of the “age of disruption” in terms of rapid market change, increasing unpredictability and rising cyber risks.

Rapid market change

CROs are looking into the impacts of rapid change in markets where their companies are successful. Specifically, they are scoping the vulnerabilities and devising contingency plans to sustain profitability in the event of massive market reconfigurations.

For instance, CROs at automotive insurers report having plans ready for autonomous vehicles. CROs at life insurers are thinking about “pay as you live” products, wearable technology and their impact on customer relationships and manual processes.

Looking at these uncertainties, some CROs are evaluating both evolutionary and revolutionary paths forward. They are running scenarios for exiting some markets and entering new ones. The key question: if one market is closed, how does the CRO make sure the company is seeking out new markets and finding other sources of growth?

CRO remarks

“The CRO should make sure the board and senior executives have a risk point of view when making strategic choices.”

“CROs should provide transparency into the risk/return trade-off of various growth options.”

Increasing unpredictability

From politics to weather patterns, there is broad consensus among CROs that the future is less predictable than it used to be. Therefore, CROs are continually challenging themselves and their organizations by asking:

• How well prepared is the company for unexpected political and macroeconomic events?

• Are stress and scenario testing broad enough to anticipate events?

• Do stochastic models embrace the true extent of risk, especially relative to the tails of distributions and correlations between risk types?

• Within shorter-term business planning and longer-term strategic planning, does the company have sufficiently detailed response readiness plans and sufficiently robust horizon-spotting capabilities?

Rising cyber risks

Some CROs have assumed major roles in the fight against cybersecurity threats, which all CROs regard as a severe disruptor given the potential for:

• Business interruption halting sales and service to customers

• Financial cost to the organization

• Reputational damage, including long-term and possibly irreparable harm

A serious breach involving customers’ personal data is viewed as a greater risk by life and health CROs, given the large volumes of sensitive data and personally identifiable information (PII) held by their firms. However, CROs at all types of insurers report cyber threats as a top-five risk. For more on this topic, see “CROs and cybersecurity,” pages 7-15.

Thanks to an increasing pace of disruption, the future seems less predictable than it used to be.


CROs and cybersecurity: where they stand in 2017

Cybersecurity has become one of the most severe threats to corporations in a wide range of sectors. It is no wonder, then, that insurance industry CROs rate it as a top concern (as CIOs and business executives surely do, too). What is surprising, however, is that many survey respondents reported their cybersecurity efforts as being in a state of flux.

Survey results reveal that many companies have yet to adopt a formal “three lines of defense” approach for cyber risk. The result is considerable variety in the levels of CRO involvement and responsibility for cybersecurity and in the methods for measuring cyber risk, as well as the relationships to chief information officers (CIOs) and chief information security officers (CISOs).

Some CROs in the survey stood out as playing major leadership roles with cybersecurity, but these were in the minority. More CROs reported playing a passive role, though a few had served as temporary “SWAT team” leaders, troubleshooting in urgent situations and spearheading change management and remediation efforts as circumstances required.

Figure 2: CROs and cybersecurity – the evolution continues

[Chart: three stages of CRO involvement (passive, temporary “SWAT team” leadership, active), described in terms of cybersecurity, governance and collaboration]

Passive

• Cybersecurity: second-line role not established, or second-line responsibility doesn’t reside with CRO; CIO and IT responsible

• Governance: CRO observes committees and governance; CRO reports on cybersecurity to senior leadership or board

• Collaboration: limited co-working between ERM and information security teams

Temporary “SWAT team” leadership

• CRO troubleshoots or leads urgent remediation efforts; temporarily acts as both first line and second line

Active

• Cybersecurity: resides in second line with CRO providing leadership; cybersecurity management independent of IT

• Governance: CRO reports on cybersecurity to CFO or CEO (parallel with reporting line of CIO); CISO may report to CRO; cyber risk classified in risk taxonomy alongside operational risks

• Collaboration: extensive co-working and teaming between information security and ERM personnel

The disparity in approach extends well beyond CROs, into the realm of IT departments and overall management of cybersecurity. Companies are clearly experimenting with different organizational structures to find the best fit to manage their cyber risks.

No one model has emerged as the leading practice, and different structures are likely to suit different situations, depending on organizational models, lines of business, culture and other factors. CROs commented that company cultures, available expertise and individual personalities also shape the organizational choices for cybersecurity.

While companies are trending toward formalization of three lines of defense, some survey participants said that their firms are not formalizing now and seem unlikely to in the future.

Several CROs described evolving structures regarding operational and governance functionality:

• Operational — more commonly managed by IT groups: user ID and password management, data management and protection, threat detection and monitoring, protective measures, staff training on alertness

• Governance — more commonly overseen by CROs and ERM teams: setting and monitoring cybersecurity policies and standards; inclusion of cyber risks in the risk register or GRC (governance, risk and compliance) software; establishing cyber risk appetite and tolerances and introducing cyber risk metrics (quantitative and qualitative); monitoring and reporting; preparation and review of post-breach recovery plans

Among the observations from survey participants:

• In a few cases, ERM teams and CROs have been heavily involved with cyber risks in recent years simply because the CRO alone has the influence and independence to raise the urgency level across the organization.

• During 201[?], one company moved responsibility for operational information security functions into the first-line IT department, while ERM retained cyber governance functions. This step represented maturation in cyber preparedness, and the CRO felt the separation of roles would be more effective going forward.

• One CRO was uniquely placed to drive a cybersecurity transformation program between 201[?] and 2017. The CRO set the information security standards for many small and globally dispersed business entities with independent IT departments and then provided operational information security services, as required by those standards, via a centralized shared services model.

Figure 3: management and reporting structures for cybersecurity

                                                                    Property & casualty   Life & health   All
CISO reports to CRO                                                         13%               27%         22%
CRO has oversight role; CISO on reporting line within IT                    60%               50%         54%
CRO less involved: cyber is one additional risk for consideration           27%               23%         24%

Board-CRO interaction on cyber risk

Boards have been aware of cyber threats for several years, but 2016 and 2017 saw significant increases in organizational awareness and concern for nearly all CROs who participated in the survey. As cybersecurity moves up the risk agenda of boards across the industry, there is more demand for detailed, accurate and frequent reporting (typically quarterly) on specific risks. As with governance structures overall, board expectations relative to the role of the CRO on cyber risk vary considerably:

• Proactive cybersecurity czar appointed and empowered by the board (in a few cases)

• A middle ground of oversight and reporting (more common)

• Passive roles, where IT leaders or a CISO perform both first-line and second-line functions and report on cybersecurity to the board

But even with IT departments and CISOs taking the lead on technical aspects, it is increasingly common for the board to look to the CRO for independent, second-line monitoring and reporting, in full and close collaboration with CISOs or IT leaders.

Measuring cyber risk

Cyber risk measurement techniques are not advanced, according to the survey results. Typically, companies count breaches, and some have started to gauge the scope of financial damage, although they acknowledge that operational and reputational impacts may be more severe than financial loss. Such basic tracking is helpful, though largely backward-looking, by CROs’ own admission.

Some CROs are looking forward, however:

• At one company, cyber risks have been separated from operational risks and are viewed as meriting special treatment. The ERM team performed an assessment and provided a score based on compliance and gaps. The cyber risk appetite is set (perhaps ambitiously) to zero problems. Though complete elimination of problems was not possible, the appetite focused much of the work being done to minimize problems at the next assessment and re-scoring. Most other survey respondents had targets of a few small events of limited magnitude.

• Another company uses a third-party assessor that provides a cyber security score, which leads to targets and prioritizations of efforts to improve the scores across different areas of the business. The plan is to conduct annual assessments and grading.

The survey also found that cyber risk appetite and risk tolerance are in an elementary state at most companies. Only one-third of CROs rely on external reference frameworks for cyber risk measurement. The only one mentioned was that of the National Institute of Standards and Technology (NIST).

Figure 4: state of risk appetite and risk tolerance

• 28%: company risk appetite statements did not reference cyber at all

• 44%: cyber risk is established within the risk appetite, though usually qualitatively and in some cases amounting to little more than a statement of aspiration

• 28%: inserting cyber into risk appetite is a work in progress

NIST Cybersecurity Framework

[Chart: the five framework functions and their categories]

Identify: asset management; business environment; governance; risk assessment; risk management strategy

Protect: access control; awareness and training; data security; information protection processes and procedures; maintenance; protective technology

Detect: anomalies and events; security continuous monitoring; detection processes

Respond: response planning; communications; analysis; mitigation; improvements

Recover: recovery planning; improvements; communications

Source: NIST “Framework for Improving Critical Infrastructure Cybersecurity,” February 2014

The regulatory effect and backdrop to cyber

The increasing involvement of regulators was cited by some companies as affecting their approach to cybersecurity. For example, companies may seek to establish governance structures that align to future cybersecurity regulations at the state level. CROs are very mindful of the National Association of Insurance Commissioners (NAIC) cybersecurity model law process, even though that process has not completed and will require adoption and enactment by state legislatures across the US.

However, potential damage and even the existential threat from a cyber event is a much more powerful driver than regulatory compliance. The amount of resources allocated to cybersecurity may not have been greatly affected by regulatory influences. But CROs report that regulatory considerations do affect companies’ priorities and the manner of their responses.

As insurers eye the path forward, they must consider existing and future laws and regulation regarding data protection, consumer privacy and cybersecurity. A strong regulatory thrust is coming from the NAIC, which is nearing completion of its Insurance Data Security Model Law, with a final exposure draft issued in August 2017. The finalization of the Model Law will enable individual states to enact cyber regulation aligned with NAIC guidance by 2019 or 2020. New York State did not wait for the NAIC and introduced regulation 23 NYCRR Part 500 in March 2017, with transitional periods through March 2019.

Regulation by the Federal Reserve Board (applying directly to banks, as well as to insurance groups that contain a bank or are designated as non-bank systemically important financial institutions) is also influential in the form of the Advance Notice of Proposed Rulemaking (ANPR).

An ANPR was issued in October 2016 by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB). Insurers that interact with customers of banks will have to regard the requirements of the ANPR, even where the insurer itself is not directly Fed-regulated. See the chart on page 12 for an overview of NAIC, New York State and ANPR plans.

Survey participants also cited:

• The Gramm-Leach-Bliley Act of 1999 as the defining legislation for customer privacy

• Recent requirements on customer rights to privacy promulgated by the NAIC

• The European Union’s GDPR (General Data Protection Regulation) as it affects groups with any customer footprint

Similar requirements from NAIC, NYSDFS and the ANPR

Governance

• Cybersecurity policy and program

• CISO and appropriately trained personnel

• Periodic risk assessment

• Incident response plans

• Third-party service provider policy

• Limitation on data retention (e.g., destruction of personally identifiable information)

• Formal process to report breach to regulator

Technical

• Penetration testing

• Access privileges

• Multi-factor authentication

• Encryption

• Systems must leave audit trail

• Application security

National Association of Insurance Commissioners (NAIC): Insurance Data Security Model Law

The Cybersecurity Working Group was established in late 2014 to work towards an Insurance Data Security Model Law; the first draft was released for consultation in March 2016; the current draft is final draft six.

OCC, FDIC, FRB: Advance Notice of Proposed Rulemaking (ANPR) on Cyber

The ANPR for Enhanced Cyber Risk Management Standards was published in October 2016 and the consultation period ended January 2017. In totality, the cyber ANPR would set significantly higher standards for US institutions. The ANPR signals the level of concern within the regulatory community.

New York State Department of Financial Services (NYSDFS): 23 NYCRR Part 500

NYSDFS has set requirements for New York-domiciled insurers ahead of finalization of the NAIC model law. NY Part 500 became effective from March 2017.

Cyber insurance: an opportunity and a challenge

Figure 6: the rise of the cyber insurance market – premium by policy type

[Chart: direct premiums written for stand-alone and packaged cyber policies. 2015: $677 million and $319 million, total $996 million. 2016: $911 million and $430 million, total $1.341 billion. 35% growth in a single year.]

Source: NAIC public disclosure supplement for US-domiciled insurers providing US and global coverage

In 2015, the NAIC introduced a public disclosure supplement which makes it possible to examine year-on-year growth in the volume of cyber insurance at companies. Between 2015 and 2016, stand-alone and packaged premiums are disclosed separately (under the packaged classification, insurers have estimated the proportion of cyber-related coverage sitting within commercial liability, business interruption or directors and officers policies).

Total direct premiums written in 2016 were $1.341 billion, up from $996 million in 2015. It is worth noting that insurers’ own cyber insurance coverage is one way to mitigate cyber risk.

Insurers’ own cyber insurance is one way to mitigate cyber risk.


The bigger players in cyber insurance are moving to stand-alone policies and avoiding “silent” cyber coverage by clarifying exclusions for other types of policies. Some industry analysts, including A.M. Best Company, have projected that, by 2020, cyber premiums will reach $7.5 billion to $20 billion.

The cyber insurance market is concentrated, relative to other product lines. The top 20 companies constitute 7[?]% of market share, while the largest five by market share account for 2[?]%.

A wide range of coverages are offered for stand-alone cyber policies:

• Costs associated with privacy and data breaches (not necessarily limited to the US)

• Intellectual property theft

• Cyber extortion

• Business interruption following a cyber attack

• Consequent third-party liabilities (e.g., regulatory or legal)

• Consequent first-party costs in responding to breach (e.g., IT forensics, crisis management, individual notifications, credit monitoring)

Additional services offered by insurers include instant access to expert response services and crisis management.

Cyber insurance is clearly a growth opportunity, but risk exposures increase when insurers seek to underwrite in the absence of historical data. Indeed, multiple ratings agencies have indicated that excessive growth and concentration in cyber insurance would be deemed credit negative.

The big players are avoiding “silent” cyber coverage by clarifying exclusions.


CRO remarks

“If something big happens, the C-suite expects CRO and CISO to take leading roles.”

“We’ve had little discussion on cyber risk appetite and know this is a gap.”

“The ERM team is tasked with managing the overall resiliency of the business and this includes cyber.”

“I defer most of the discussion on cyber risk to our CISO, who provides regular updates to the executive committee and board.”

The cybersecurity bottom line

The increasing severity of cyber risks has been at the forefront of risk management discussions during the last five years. Some participating CROs mentioned that their companies are still reorganizing and stepping up the urgency of their response plans. Some insurers continue to change where prime responsibilities for cyber risks reside, in some cases impacting on the CRO and the role of the risk team.

From clear and well-understood threats to emerging and unknown risks

In response to survey questions about ensuring their organizations are adequately positioned for “emerging trends,” CROs highlighted:

• Their reliance on emerging risks frameworks, with considerable assurance taken from the thoroughness and frequency of the process

• Effectiveness in compiling emerging risks, with dynamic processes to capture new risks and integrate them into risk registers or governance, risk and compliance (GRC) databases, so that they might be addressed, mitigated and measured

• The involvement of first-line business unit management at product, market and sector levels

• A broader process that identifies and collates emerging opportunities, rather than focusing solely on emerging adverse risks

While most CROs see emerging risks processes as clearly necessary, they also admit to shortcomings. Businesses trying to deliver against 2017 and 2018 short-term performance targets may be too busy to spend much time looking toward the likely risks of 2020 or 2022.

Some CROs (especially those with more organizational influence) take on the challenge for themselves and their risk teams, ensuring that horizon scanning is conducted with rigor and imagination. One CRO observed that business units may be equipped to spot their local risks and respond incrementally to external change, but may not be capable of spotting or responding to sudden and macro changes that impact the total company.

A number of CROs, however, reported their roles extending considerably beyond the conventional emerging risks process. In fact, some CROs believe they need to be proactive to make sure the organization is innovating and evaluating potential changes in direction. This group sees such facilitation not as an add-on or optional responsibility, but rather at the core of their job description.

For all the variation across individual companies, there is consensus that the universe of emerging risks is expanding, with CROs facing a broader range of more severe risks in 2017 and the years to come.

The global nature of emerging risks means potential disruption appears in every sector of the CRO radar.


Figure 7: a typical emerging-risks radar for CROs

[Radar chart: the CRO at the center, surrounded by six PESTEL sectors (political, economic, social, technological, environmental and legal); items are marked as heightened threats, continuing threats or new opportunities]

Emerging risks shown on the radar:

• Nanotechnology

• Wearable devices

• Rising sea levels

• International operations restrictions

• Tort reform

• Anti-Western sentiment

• Instability of foreign governments

• Tax reform

• Inflation

• Stock market volatility

• Infrastructure investment

• Near-zero interest rates

• Cyberattacks

• Energy over- or under-supply

• Disrupted weather patterns

• Pandemic

• Autonomous vehicles

• Data theft

• Regulatory reform

• Changing wealth distribution

• Digitized consumer behavior

• Labor law reform

• Global talent crunch

• Aging population

• Antibiotic resistance

Source: Based on PESTEL analysis (covering political, economic, social, technological, environmental and legal factors), this illustration includes emerging risks cited by CROs during the 2017 Survey

CROs in a conventional emerging-risks process

Challenged by disruption, CROs see emerging-risks processes as necessary, even as many feel a stronger onus to promote innovation. Emerging opportunities may merit just as much attention as the emerging downside risks that are typically the focus.

Within conventional processes, CROs create and own the emerging risks policy, which sets out how the emerging risks process operates. Typically, such a policy:

• Defines and separates emerging risks from already managed risks

• Dictates how each newly emerged risk will be integrated into business-as-usual risk management

CROs will also facilitate the involvement of the business leaders and teams in the process. For instance, they may design and distribute questionnaires to guide businesses through assessments of emerging risks. They may also drive results gathering and discussion, as well as the collation and analysis of business unit responses to create an enterprise-level view of emerging risks.

Within conventional emerging-risk processes, CROs also:

• Report to the risk committee or board

• Provide feedback to the business units at appropriate levels of granularity and frequency for each audience

• Serve as a link to business and strategic planning, to ensure these processes are responsive to emerging risks


CROs will also facilitate the involvement of the business leaders and teams in the emerging-risks process.

Conventional CRO role in the emerging-risks process

• Policy: creates and owns the emerging-risk policy, separating emerging risks from already managed risks and dictating how emerging risks are managed and measured

• Process: guides businesses to do their own risk assessments and facilitates discussion to create an enterprise-level view of emerging risks

• Reporting: reports to the risk committee or board and also provides feedback to each business unit as appropriate

• Strategy: provides the link to business and strategic planning, assuring that these processes are responsive to emerging risks

From serving as a control function to partnering with the business

The move from defense to offense parallels a general maturation of the ERM function. Today, CROs spend less time on “fire-drill” activities and more time trying to design, establish and refine sustainable processes for the long term. CROs report that essential defensive elements of ERM are in place. At many companies, they have been for quite some time.

However, CROs express concerns that processes are not yet sustainable and see improvement opportunities in two areas: efficient delivery of ERM and embedding ERM across the enterprise.

Some CROs admit that ERM continues to be viewed by some risk takers as burdensome or even as an imposition. They aspire for their risk teams to be “invited to the table” to facilitate more-effective and risk-informed business development. Other CROs proudly report they are already engaged with senior leaders or are on the front lines of the business.

1. Efficient delivery of ERM

To boost efficiency, CROs are:

• Repairing or enhancing ERM data, processes and reporting

• Removing inconsistencies and standardizing approaches

• More closely integrating risk teams with other control functions (e.g., legal, compliance, SOX teams, internal audit)

• Improving how risk processes interface with finance and operations

2. Embedding ERM across the enterprise

Successfully embedding ERM into the business depends largely on effective communication and organizational commitment. At some insurers, ERM mechanisms are in place, but CROs are:

• Establishing a transparent risk appetite statement that the entire organization embraces and uses

• Seeking to overcome resistance to ERM adoption in some parts of the enterprise

• Addressing shortfalls in risk culture

• Working incrementally to engage senior leadership or board

Limitations of CRO influence

Some CROs report practical constraints on their role relative to innovation:

• Cases where strategic planning does its work without involving risk

• Lack of skills and language to play a large role with strategy

• Reliance on strategy, marketing, product development teams or underwriters to drive innovation

• Excessively strict interpretations of the three-lines-of-defense model that limit any CRO involvement in product development or other activities


Partnering with business leaders and strategy teams

The survey found considerable variety in the extent to which the ERM function partners with the strategy function. In some cases, CROs have little or no involvement and there is no expectation that they should. Other CROs described very close and successful co-working relationships between strategy and risk functions.

A few common characteristics are notable at companies where there is strong risk-strategy partnership:

• CROs in senior leadership positions

• An ethos for the ERM function to promote transparent innovation, rather than constrain it, in interactions between risk and first-line functions

• CRO focus on communication between businesses, sideways to senior leadership and upward to boards

Several CROs regard themselves as uniquely placed in the development of company strategy. They have the greatest independence and, with their second-line positioning, are able to take a broad, holistic and enterprise-wide view.

For partnering to be successful, these same CROs are highly conscious of the need for broader skill sets:

• Technical ERM skills: understanding how to integrate sophisticated ERM frameworks directly into first-line operations

• Interpretive skills: the ability to work with businesses, actuaries, statisticians, modelers and investment professionals

• Nuanced business knowledge: applying deep insights into their company’s existing books of business, reconciling innovation with the complicated legacies with which many companies must contend

Several CROs cited rotation as key to broadening skills. Many risk teams rotate first-line personnel into and out of the second line, bringing deep business knowledge to the second line and then embedding an ERM mentality and risk intelligence back into the businesses.


Launching products with limited data

The survey covered how CROs and their teams handle specific types of innovation, such as covering new risks and launching new products with little or no data. CROs who addressed the topic were staunch in enabling and supporting controlled risk-taking, and saw clear dangers of ERM acting as a blocker. A number of survey participants referred to “partnerships” to overcome lack of data, knowledge or expertise, with specific steps including:

• Hiring new personnel for expertise lacking inside the organization

• Working with external firms and consultants with specialist knowledge

• Engaging with external reinsurers and/or brokers

• Liaising with international siblings or other parts of global enterprises

• Limiting the volume of new product offerings

Reinsurance partners are seen as bringing expertise and data, as well as opportunities to experiment with coverages and products in new markets, while passing off risks via reinsurance, which could take various forms (e.g., quota share, excess of loss). Several CROs reported product development where a full 100% of the insurance risk was borne by the reinsurer. This contained the financial risk, at a cost, while enabling both innovation and the acquisition of new corporate knowledge.

Innovation and especially speed to market are central to insurers’ long-term business plans, which CROs recognize. However, the survey addressed whether CROs, by the nature of their role, may inhibit innovation. CROs were very alert to this potential conflict, as their survey responses indicated.

• Most CROs are now formally involved in the product development process.

• They often have a veto over developments, but most expressed a dislike of using a veto.

• They see their role as “ensuring all of the risks are considered” and that innovation and product development are “thoughtful.”

• They focus on ensuring that developers include necessary risk metrics in their launch plans to ensure that risks are fully understood and quantified. Some CROs take the approach that establishing transparency on risk is more effective than an unseen hand of the CRO veto.

• CROs embed ERM team members as “risk representatives” or “delegates” within businesses, provide analytical tools for development projects and collaborate throughout innovation processes to avoid the risk of “us vs. them” thinking.

4. From risks of action to the risk of inaction in promoting innovation

One CRO described particular success in engaging with developers early to clarify what was required by ERM at each phase of the development process.

Several CROs elevated the discussion to a conceptual level, saying their role was not to stand in the way of development, but rather to ensure their organization has transparency and understands the risk implications of various strategic choices. A consideration of all risks is seen as essential, although it heightens the danger that the CRO earns a reputation as naysayer.

CROs referred to capital management as part of their role relative to innovation programs. For example, CROs might ask if investment in a particular innovation can be justified, given the availability of capital and the risks involved. Conversely, the CROs might point out situations where excess capital is not being used and should be re-deployed elsewhere in the enterprise to foster innovation.

CROs also are looking for ways to promote risk-taking and innovation, and to avoid inhibiting it. For example, a high-risk innovation could be pursued, but simultaneously with taking steps to prevent material damage at the enterprise level. (See sidebar: Launching products with limited data)

One CRO saw ERM as having a formal responsibility to ensure future developments are within the organization’s risk appetite and tolerances. Again, CROs must see both sides of the innovation equation and validate that businesses take on the full amount of risk allotted them in their pursuit of innovation. (See sidebar: CROs, surplus capital and innovation)

CROs, surplus capital and innovation

CROs at companies with very strong capital positions are increasingly encountering the particular situation of their firm’s inability to use that capital in traditional, well-understood markets. That leads to a set of choices, each with its own risks:

• Returning capital to shareholders or paying as a dividend to a parent entity (perhaps outside the US) may not be as low risk as commonly assumed. For example, the associated failure to grow and contraction in volume bring the risk of inflating fixed central costs that have to be paid for by a diminishing customer base.

• If capital is deployed to drive innovative new products or entry into new markets, CROs may ask if the company has the expertise to compete and if it can attain the critical mass to match the efficiencies of first movers.

CROs should assist with the navigation of these issues, where greater innovation is inevitably associated with greater risk. However, they must also recognize the considerable risk associated with inaction, stagnation and failure to innovate.


The bottom line: more innovation means more risk — and more for CROs to do

As disruption becomes a dominant theme in so many parts of the business, CROs are ensuring that insurers have sufficient defense and protection from external threats of disruption.

But the 2017 survey results make clear that some CROs are going further, playing offense and pushing their companies forward to innovate and disrupt for business advantage. These early-adopting CROs are building on their traditional role of protecting against excessive risk-taking. Indeed, they are working to ensure that traditionally risk-averse insurers are aggressive enough in driving innovation.

The strategic evolution of the CRO role in the insurance industry reflects not just the market’s recent past, but also its immediate future. Insurance CROs can no longer be seen solely as “air traffic control,” as one European CRO put it, whose primary job is to avoid collisions. Rather, they are increasingly serving as “copilots” with business leaders, focused on getting insurance companies to their destinations on time and in profitable fashion.

The good news from this year’s CRO survey is that an increasing number of CROs are advancing boldly toward such a forward-looking and business-enabling capacity.


Contacts

Chad Runchey, Principal, Ernst & Young LLP, +1 212 773 1015, [email protected]

Richard Marx, Principal, Ernst & Young LLP, +1 212 773 6770, [email protected]

David Paul, Executive Director, Ernst & Young LLP, +1 212 773 8904, [email protected]

Douglas French, Principal, Ernst & Young LLP, +1 212 773 4120, [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited. All Rights Reserved.

EYG no. 05390-171US ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com