Empowering Chief Risk Officers: challenges of today

In an era defined by rapid change and unforeseen challenges, the role of Chief Risk Officer (CRO) has never been more critical for any business. The insurance industry has been at the forefront of risk management for many years and Insurance CROs offer a fantastic example for all those looking to juggle the volume and complexity of work required to effectively manage the risks of a business.

In our new series of articles, we draw on our experience and insights from working with Insurance CROs to empower others, helping you maximise the power of your Risk function and build the capabilities required of the role. In part one, we explore the challenges CROs are facing today.

Within insurance companies, the CRO’s mandate has grown far wider than the traditional Enterprise Risk Management (ERM) framework. Today, CROs are integral to strategic decision-making, tasked with navigating a labyrinth of regulatory requirements, and expected to lead a Risk function which takes a proactive and comprehensive approach to risk, anticipating future challenges and embedding strong risk management principles in the organisation’s DNA.

Below, we outline four principle challenges every CRO will be facing in 2024 and beyond.

Jump to

• Ever-increasing expectations

• Juggling stakeholders

• An ever-evolving risk universe

• Expected to help "steer the ship"

Ever-increasing expectations

In the insurance sector, the CRO and the Risk function are mandated to comprehensively supervise the principal risks affecting their business environment, both current and foreseeable. This regulatory directive is enshrined in legislation, notably the FCA SYSC 21.1 Risk Control requirements and the Bank of England’s Supervisory Statement SS21/15. These legislative frameworks set in stone the expectations for risk control within insurance firms, emphasising the necessity for a proactive approach to risk management that aligns with current standards and anticipates future challenges.

While this may sound relatively straightforward, the Risk function must be integrated across the entire organisation, understanding every facet of the business. The CRO needs to not only be aware of potential risks, but understand them enough to challenge business thinking. Unlike other roles within the organisation, as the CRO you will need to have a more in depth and detailed knowledge of all areas of the business, so focusing solely on your strengths and expertise is not an option.

Moreover, the CRO must anticipate how these risks might evolve over time. Having some knowledge of the business simply isn’t enough - the CRO must actively question how industry dynamics and the broader external environment could shift.

Juggling stakeholders

Within the organisational structure of an insurance firm, the role of a CRO is at the nexus of varying expectations from a broad spectrum of stakeholders, including the Chief Executive Officer (CEO), the Board, regulators, and the Chair of the Risk Committee. Each of these brings a distinct set of demands and perspectives upon the CRO’s role which must be delicately balanced. 

While the overarching aim is the success of the organisation, the pathways each entity envisions to achieving these goals is likely to vary significantly, requiring a CRO to build trust and foster open dialogues with each stakeholder. Adept stakeholder management is a requirement, allowing CROs to retain the confidence and support which are fundamental to the viability of the CRO’s position.

The relationship between a CRO and the regulator may also be particularly nuanced, with the regulators viewing CROs as crucial conduits between themselves and insurance firms. In essence, one the CROs many hats is that of the regulators’ representative within the boardroom, a position requiring them to effectively challenge and temper front-line risk taking activities when they clash with the firm’s risk appetite or exceed its capacity to bear such risks.

An ever-evolving risk universe

The risk landscape faced by CROs is dynamic and ever-shifting. While traditional risks (insurance, investment and operational risks) are part and parcel of doing business, the risk profile of organisations will be constantly evolving, so continuous learning needs to become the new normal.

Over the last few years, we have seen new risks such as Covid-19, geopolitical uncertainty and technology risks, that CROs will have had to tackle head on. These risks can emerge with little to no warning, so the preparation time will be minimal, necessitating a proactive and pre-emptive approach to risk management.

In additional to staying abreast of new and emerging risks, it’s a necessity that CROs continuously refine existing strategies for managing traditional risks. For example, the Bulk Purchase Annuity (BPA) sector offers a vivid illustration of the dynamic nature of risk management challenges:

• Inflation risk: recent volatility in inflation rates has exposed the inadequacies of existing hedging strategies, uncovering a form of model risk where scenarios leading to poor hedge performance were not adequately anticipated.
• Liquidity risk: the trend towards higher allocations in illiquid assets, coupled with the growing demands of hedging strategies, has amplified liquidity risks. 
• Credit risk: there is a noticeable, steady increase in credit risk-taking within Matching Adjustment (MA) investment portfolios, reflecting a broader trend of seeking higher yields amidst a low-interest-rate environment. 
• Counterparty risk: changes in reinsurance strategies have led to heightened counterparty risk exposures, necessitating more nuanced risk assessment and management strategies.
• Regulatory risk: the landscape of regulatory risk is also shifting, with reforms and changes in supervisory attitudes responding to the evolving risk environment highlighted above. This includes adjustments to regulatory frameworks that impact how insurance companies manage and report risks.

Expected to help “steer the ship”

Strategic risks are taken by a company every single day, whether it is the decision to pursue a merger or acquisition or simply the decision to do nothing at all. The relationship between strategy and risk has not always been well defined and has evolved significantly over the last decade. However, CROs now find that their position - historically a second thought – has now been elevated to being a core component in strategic decision making. 

The role of the CRO in strategic decisions is a delicate balancing act. If you are seen as a hurdle to overcome, people may sidestep or withhold information. However, the CRO’s duty lies in preventing the business from making decisions without understanding the risk-reward payoff. And this is where culture becomes essential: creating a culture where risk is integral to strategy bridges the gap between vision and risk management. But achieving this transformation remains a challenge. 

Consider a hypothetical scenario in an insurance company: an enticing acquisition proposal is on the table, promising to significantly expand the company’s market share. However, upon thorough risk assessment, the CRO raises substantial concerns about the potential for latent claims and potential regulatory issues at the target company, which could jeopardise the financial stability and reputation of the acquiring firm. By influencing the decision-making process, the CRO ensures that the company reevaluates the acquisition’s viability, ultimately deciding against it to avoid unforeseen liabilities. 

This example underscores the CRO's pivotal role in aligning strategic incentives with risk appetite, demonstrating how risk considerations can decisively shape business strategy in the insurance sector.

Conclusion 

These examples provide a glimpse into the nature of the CRO role for insurers, but also capture the challenges faced by risk professionals across any dynamic industry. The most important question is clear - how can any one person succeed in a role with so many hurdles to overcome? And that’s where insurance CROs offer a great insight in success - insurance companies are at the forefront of managing and embracing risk and should be held as an example of how such challenges can be faced and embraced. 

In the following two articles, we look to present insights gathered from across the insurance industry on just how to tackle the role of a CRO. We are sharing this in the hope of inspiring both risk professionals today and the CROs of the future to seize the opportunities and embrace effective risk management.