EY recently conducted a first-of-its-kind “Insurance CRO (Chief Risk Officer) survey” for the Asia-Pacific (APAC) region. The survey has been undertaken with the aim of gaining insights into the role that CRO/Risk functions play in their organisations, the key priorities of CROs in the short and medium term and the manner in which the CRO role is evolving. Mr Pierre Santolini and Mr Sumit Narayanan of EY elaborate.
EY spoke to 12 group or regional CROs covering a spectrum of leading life and non-life insurance companies, reinsurers and prominent groups headquartered in APAC.
The survey has also been conducted in Europe and North America. In a nutshell, when comparing results for the APAC region to the more mature regions, the main differences are as follows:
- Access to talent
- Lack of familiarity of local boards with enterprise risk management (ERM)
- A less developed “three lines of defence” model
- A strong need for cultural change
- Still-forming operational risk management models
- Lack of formality around model risk
There are also some differences within the APAC region itself: Australia seems the most mature compared with ASEAN and Greater China.
We have identified the following seven key themes when we analysed the responses at an APAC level:
1. CRO/Risk function has become highly relevant at the executive table
Financial market volatility in the first half of the year, together with ongoing regulatory and strategic pressures on insurers’ business models, demands that the CRO/Risk function is a visible contributor at the executive table.
Yet whilst the CRO/Risk function plays a leading role in “traditional” processes (eg risk appetite and tolerance setting), there are still many processes, such as model governance and validation, where Risk only has an influence over the decisions.
We observe a greater maturity in Europe in this area and would expect the role of insurance CROs in the region to evolve in that direction too (See Figure 1).
On 29 November 2016, EY organised a webcast dedicated to the findings of the APAC region. More than 100 insurance professionals attended the webcast and actively participated in the live polling session. Results for the first question are shown in Pie Chart 1.
Question 1: “How does risk support the strategic planning process in your organisation?”
Almost all Risk functions seem to be involved in the strategic planning process. However only 28% of them are instigating the strategic dialogue and are involved from the start.
2. CROs are increasingly defining their role as a “strategic enabler”
There is no single position taken on the fundamental role of Risk. This is partly driven by the Board, CRO and regulator’s attitude, but it is mainly a reflection of a business’s level of maturity. However there is still much focus on the downside risks.
A common theme arising from CROs’ responses is the need to be a close strategic partner to both the Board and the business…
What did some CROs say:
“When Risk gets too far away from the business, it loses its relevance. Risk needs to be the backbone and challenge the first line, although ensuring appropriate independence is maintained.”
“As a CRO, I am a second line function accountable for actively promoting a strong risk culture that reinforces risk management as core to strategy, business operations and providing guidance and support to the senior leadership team in all matters pertaining to risk management within insurance.”
“To optimise the return or risk trade-off, avoid risk concentrations and ensure compliance with relevant regulatory requirements: Risk is ultimately responsible to build the appropriate infrastructure to enable this.”
3. …however CROs are still grappling with demonstrating how they add value
Many CROs mention a “seat at the table” as the only key indicator of value created that Risk brings, but this is a question that the business often asks and it is more important than ever that a strong case is made to attract investment.
During the webcast we asked Risk participants: “Do your colleagues in the business share your view of the role of risk?” As shown by the results below, 70% of them do think so (Pie Chart 2).
We see other functions (including Internal Audit) applying clear metrics to the value they bring to the organisation. This is not about personal performance metrics. Instead, it is about the CRO/Risk function articulating a positive impact on the business direction, strategy and decision making, which ultimately will have an impact on the bottom line.
CROs of leading insurers globally are developing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), enabling them to demonstrate how they add value. In the next few years we expect insurers in APAC to go on the same journey.
4. Now that the “lines of defence” are established, the focus is on efficiency and effectiveness
Although a lot of work has been done to evidence compliance with the “three lines of defence” principles, more work is needed to ensure the model works in practice. Key practical challenges include:
- Buy-in by and “education” of board and management
- Clarification of roles and responsibilities among the three lines
- Lack of ownership by the first line
CROs are becoming increasingly aware that these challenges demand they work in the coming years on optimising the risk governance and fostering the risk culture within their companies. There is a slight gap with Europe in that space, which should be closed in the coming years.
5. Strengthening risk accountability and understanding of risk appetite across all risks is still a challenge for CROs
There is a general sense that senior management understands their risk accountability, though there is still more work to be done to cascade an understanding or accountability across the entire workforce.
Unsurprisingly, regulatory capital and liquidity remain the most common metrics used within corporate risk appetite statements (See Figure 2).
Whilst the survey results below indicate APAC insurers have put in place more quantitative limits than European insurers, we observe a greater level of maturity within the European market.
European insurers have enhanced their approach over time to better suit their environment. We observe many APAC insurers only having recently established quantitative limits and expect these to continue to be enhanced over time (See Figure 3).
What are Risk functions doing in practice to make it work?
- Improve education among board and management on risk topics
- Identify overlaps and areas of inefficiencies across second and third line functions when scoping and performing assurance activity
- Link regularly with other control functions where interdependencies exist, such as the compliance function
- Continually reiterate ownership in first line through training and by setting the right tone at the top
- Define the timing of CRO/Risk’s involvement in key decisions and improve understanding of accountabilities across the three lines
6. CROs recognise shortcomings particularly in operational risk management and seek to improve its effectiveness
A growing emphasis on personal accountability and the complexity of insurance operations are driving the need for the adoption of a systematic approach to operational risk management – but what is the right level of focus? (See Figure 4)
The majority of insurers adopt both a top-down and a bottom-up approach to risk and control assessment with recognition that this needs to align to broader risk management activities such as scenario analysis and risk appetite setting (See Figure 5).
A large proportion of respondents to the survey mentioned cyber and conduct as some of their biggest concerns and they should be a key area of operational risk focus, even more so in markets with strong conduct regulators.
During the EY webcast, insurance professionals were asked “Do you feel there should be more focus from risk on operational risk and cyber in particular?” Only slightly more than half responded that they are not doing enough when it comes to operational risk and cyber (Pie Chart 3).
7. In the battle between investment in people and in technology, it is people that win every time
CROs recognise the need to continuously improve their existing IT capability; however we see CROs being hesitant to increase their investment in new technologies. There are many stages of maturity still required in headcount, structure and wider skills of second line teams (See Figure 6).
The focus of our respondents remains on ensuring multidisciplinary skills are in place within their function, ranging from actuarial competence to data analytics, in order to manage complex risks such as cyber and other risks in light of the impact of appropriate data governance, evolving regulatory requirements and ethics (See Figure 7).
Investment in people means much more than just headcount; it means “weightier” individuals. The time has come to instil professionalised development programmes for individuals, and to address the structural deficiencies that are holding some people back from their potential. And even if the main focus is on talent, it is also important that someone is tasked with establishing the “RiskTech” strategy.
New priorities and challenges are lying ahead of CROs.
Based on our discussions with insurance CROs across APAC and globally, we think the CRO of the future will be:
- A strategic adviser to the board by being actively involved in business and strategy decisions
- Fully engaged with the business and aligned to Finance, Actuarial and Compliance, taking business responsibility when necessary and empowering the first line at the same time
- Digitally aware and actively involved in digital transformation programs aiming at automating processes in the Risk function, effectively using data and analytics to improve quality and timeliness of reporting
- On top of operational risk management, more specifically an increased focus on conduct and cyber risks
In the meantime, in order to progress toward this goal, CROs should ask themselves these eight questions listed here.
Mr Pierre Santolini is the EY Singapore Insurance Risk Leader and Mr Sumit Narayanan is the EY ASEAN Insurance Leader, both at EY.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.