Ernst & Young's (EY) sixth annual survey of North American insurance chief risk officers (CROs) provides an overview of current enterprise risk management (ERM) capabilities, practices and organizations.
This year's survey revealed a spectrum of maturity levels of ERM programs — from firms employing very impressive frameworks that are integral to and influential in how the business is run, to others that are limited in scope and formality. To a degree, this variety reflects the inclusion of a broader and more diverse group of participants in the 2016 survey, compared with past years'.
The survey also featured a broader set of questions this year, with increased focus on insurers' experience with cybersecurity issues, as well as the first round of Own Risk and Solvency Assessment (ORSA) submissions, required by most state regulators in 2015.
The 2016 CRO survey results show clear trends toward expanding ERM scope and maturity, rising CRO influence and increasing "operationalization." The key themes or concerns that emerged from this year's survey results include: regulatory issues; the evolving role of the CRO; ORSA; risk appetite; model risk management (MRM) and model governance; and cybersecurity.
Regulatory issues
Regulatory issues remain atop the agenda for many insurance CROs. It's no surprise that the ORSA requirement from the National Association of Insurance Commissioners (NAIC) was the most frequently cited regulatory concern. However, respondents cited a broad range of topics on their regulatory agendas, from Federal Reserve Board (FRB or Fed) oversight to evolving NAIC standards for cybersecurity.
Beyond ORSA, the urgency in relation to regulatory issues depends on the nature of the insurer. For example:
- The largest insurers are focused on developments from the FRB.
- Overseas regulation and global International Association of Insurance Supervisors (IAIS) developments are a higher priority for multinational insurers.
- Insurers that distribute qualified investment products are evaluating the potentially significant impacts from the U.S. Department of Labor (DOL) ruling regarding fiduciary responsibilities.
Interestingly, most respondents — including those from companies not likely to be regulated by the Fed — report paying close attention to FRB actions, given the likelihood that federal standards will inform and influence those imposed by state regulators.
The role of the CRO
While most CROs report directly to either the CFO or the CEO, in a few cases the CRO reports through another position, such as the chief actuary or COO. EY's 2016 survey highlighted that the CRO role is expanding in scope and taking on increasing responsibility. In fact:
- 29 percent of CROs surveyed have more than five direct reports.
- 56 percent had team headcount exceeding 10.
The results revealed that half of CROs reported that they have been given new responsibilities in the previous 12 months, with some expecting to take on more within the next few years. In terms of CRO responsibilities, there are varying degrees of influence across a range of activities.
CROs reported their greatest involvement in stress and scenario testing, model validation, risk appetites and model governance. This aligns with the second line of defense's increasing role as an "effective challenge" to decisions made by the first line.
ORSA
In late 2015 and early 2016, many insurers submitted their ORSA filings to their state regulators for the first time. The survey findings show that most respondents saw reasonable value in completing their first mandatory submission. Notably, firms that had completed ORSA pilots in previous years perceived more value from the process, likely because ORSA was now embedded into regular operations and more parts of the business.
A few respondents viewed ORSA purely as a compliance exercise or reported that it did not bring value, although this was a minority view. The survey results and comments from participants indicate that regulators are also coming to terms with ORSA — no surprise given that this was the first official year for submissions.
Risk appetite
CROs' focus on risk appetite is not surprising given that nearly three-quarters of survey respondents own the process. Virtually all respondents commented that their company's risk appetite references both "economic" internal views of capital and regulatory requirements.
There was considerable variation in the internal view being used, with "economic capital" being defined in various ways by different companies. Strictly defined, market-consistent economic approaches are not common: the survey found fully developed market-consistent balance sheets, with corresponding risk metrics, at only a few of the companies surveyed.
External credit ratings are the third-most-common metric referenced by risk appetites. This is particularly important in situations where insurers' potential customers (especially large corporate customers through broker channels) place their business largely based on the rating of the carrier.
Stress testing and modeling
Overall trends from earlier CRO surveys held, as companies expanded the scope and extent of their stress testing and continued to refine their capital models. Of CROs surveyed, 78 percent of participants cited use of stress testing and modeling in business planning processes. Survey respondents generally expressed a strong desire to expand stress testing and modeling capabilities in the future. Several CROs highlighted that greater board attention meant stress tests and models needed to be more reliable — which in turn required much better governance over methodology and assumptions.
The survey also asked participants to list the areas of their company involved in setting assumptions and stresses for risk quantification. Half reported some form of centralized role in these activities, such as an enterprise-level risk committee, chaired by the CRO, with representatives from all the first-line functions in the company.
Outside of this centralized function, participants reported finance (29 percent), risk owners (29 percent) and actuarial (14 percent) as the other areas with direct involvement in setting assumptions or generating stress tests.
Model risk management (MRM) and model governance
The 2016 CRO survey results show significant advances in the area of MRM when compared with 2015 survey results. A full 73 percent of CROs reported that formal MRM programs are in place, up from 50 percent in 2015.
However, there is considerable disparity in the implementation approaches among different insurers. In general, greater formality is found at companies that are Fed-regulated (by virtue of their status as systemically important financial institutions or savings and loan holding companies), where MRM is mandatory and scrutinized by the Fed. At the other end of the spectrum, a few survey participants reported having no formal MRM.
- 59 percent indicated that their model risk management framework now requires independent model validation, a continuation of trends identified in previous surveys.
- 32 percent of respondents had MRM teams exceeding five in headcount.
- 27 percent reported having no dedicated team for MRM.
As regulators, senior management and boards continue to increase their scrutiny of the accuracy and reliability of model outputs used in business decision-making, MRM will remain an area of sharp focus for CROs.
Cybersecurity
Most CROs participating in the 2016 survey reported that their companies faced a real risk of suffering a serious cyberattack or data breach. The quantity and personalized nature of the data that insurers hold make them highly attractive targets for hackers and cyber thieves. In regard to cyber threats, some CROs currently serve as liaisons to IT divisions, which typically own these risks. However, several respondents believe more must be done.
From the survey responses, there is reason to believe that CRO involvement in cybersecurity will increase. As boards and CEOs have greater visibility into the issue, it seems inevitable that they will ask CROs to engage in the evaluation and decision-making processes, even if CIOs and IT groups continue to own them.
In some cases, CEOs have already requested that CROs serve as an independent check (or second line of defense) relative to cyber issues.
Rick Marx is a principal in the Business Advisory Services practice with Ernst & Young LLP, focusing on financial and risk management in the insurance industry. He can be reached at rick.marx@ey.com. Doug French is the managing principal of the Insurance and Actuarial Advisory Services practice with Ernst & Young LLP. In addition, he is responsible for all advisory services for the insurance sector within the firm's New York Financial Services Office. He can be reached at doug.french@ey.com. Chad Runchey is a principal in the Insurance Advisory and Actuarial Services practice with Ernst & Young LLP. He can be reached at chad.runchey@ey.com. David Paul is an executive director in the Insurance and Actuarial Advisory Services practice with Ernst & Young LLP. He can be reached at david.paul@ey.com.