The role of a Chief Risk Officer (CRO) within a (re)insurance business is critical. That is an axiom. However, it is arguable that the scope of the role requires regulare re-examination, as the range of issues which (re)insurers have to face in managing their businesses and portfolios continues to expand.
To enumerate a few:
- Continuing pandemic consequences
- Low interest rate environment and asset price volatility
- Risk aggregations and correlations
- Geopolitical shifts
- Still inflexible cost bases
- Climate change- in (re)insurance claims, regulatory and investment terms
- Legacy systems…
- One could go on.
In fact, one could argue that the role is a lynchpin, without whose informed input executive management and directors are essentially “flying blind”, and not in a position to judge the continuous risk/reward calculations which any complex business faces in any structured or effective way.
The role of CRO came into greater prominence in the wake of the Great Financial Crisis, and its scope was initially defined in terms of the “Enterprise Risk Management” concept (of which the rating agencies and regulators were and are so fond) as the means to provide necessary control(s) and limit downside risks.
All that, of course, remains important and necessary, but is no longer sufficient. The role has become one that should provide both perspective and guidance on strategic business risks, rather than on “tactical minutiae”, to ensure that financial, reputational and overall organizational health and viability issues are both known and addressed in a timely and proactive manner. In some ways, the CRO has to be able to “play red team” as well as “blue team” in order to be most effective; and is essential to the ability of any (re)insurance business to achieve sustainable and consistent growth, rather than just try to avoid negative outcomes.
To achieve this, an effective CRO will need to have the ability to create, monitor, manage and communicate the output of iterative high-frequency stress tests across a (re)insurer’s entire portfolio and business model, incorporating relevant economic data and scenarios, including leading rather than lagging indicators. This must include both sides of the balance sheet, as well as profitability metrics. Some may argue that this is more the province of a CFO. However, while responsibilities need to be defined in a way that avoids unnecessary duplication, conflict and confusion, a CRO should provide a broader perspective, not one that is more focused on “meeting the numbers”.
As the pandemic has demonstrated the effectiveness of what are distributed workforces, it has also emphasized the need for robust, flexible and layered defences against malfeasance, cyber-attack and fraud. So, CROs will need to design processes that create protections, while at the same time avoiding stifling creativity and productivity. This is no easy task, but fits with the shift from a reactive “compliance” approach to one which promotes growth.
Underlying all these tasks is ensuring that a business’ decision-making and governance frameworks are fit for purpose, tempering speed and agility with consideration of all relevant factors. If an organization’s risk culture and governance are not appropriate for its environment, the existence of beautifully-designed controls, models and systems is all rather pointless!
So, to sum up, without an experienced and effective CRO, particularly now, a (re)insurer is vulnerable to becoming becalmed and rudderless is a sea of risks, with any “life vests” merely providing a false sense of security.
The Awbury Team