Have an appetite for risk-taking? Take a tip from these CROs

By Warren S. Hersch

December 24, 2016 at 02:00 AM

Share & Print

Could another credit crisis like the one that nearly bankrupted American International Group in 2008 happen today?

Perhaps not, if authorities overseeing the industry have anything to say about it.

Bankrupt-proof financial institutions are, more to the point, what lawmakers and regulators hope to create by requiring that insurers and big banks have enough assets in reserve should the unthinkable happen. In the wake of the near-meltdown of industry behemoths during the Great Recession, state and federal regulators have thought long and hard about processes, controls and capital requirements strong enough to guard insurers — and their policyholders — against a financially catastrophic event.

Whether they're now sufficiently well insulated is an open question. This much is clear: There's been a lot of speculation as to how insurers are grappling with an increasingly stringent regulatory environment, and the impact this regime has on their competitive positioning and financials.

The prognosticating has been especially pronounced since the National Association of Insurance Commissioners' Risk Management and Own Risk and Solvency Assessment (ORSA) Model Act took effect on January 1, 2015. Guidelines for establishing an "enterprise risk management framework," a process by which insurers' determine their current and future solvency under "normal and severe stress scenarios," ORSA now governs large and mid-size insurers in about a dozen states that have adopted the model law (#505 in the NAIC's numbering system).

Though the most frequently cited concern, ORSA is not the only regulatory issue that's front-and-center for insurers. Many also are contending with federal regulations imposed by the Federal Reserve; overseas regulations of the International Association of Insurance Supervisors (IAIS) and the European Union's Solvency II law; and, most recently, the Department of Labor's conflict of interest or fiduciary rule.

How well are insurers adapting to the regulatory overhang? One result of ORSA's enactment, according to a new study from Ernst & Young, has been a "formalizing" of risk management assessments at life and property & casualty (P&C) insurers. That shift has enhanced the power and authority of a key executive in the C-suite: the chief risk officer.

A common perception of the CRO — a lower-rung executive on the leadership hierarchy who "checks the boxes" of compliance forms and functions as a naysayer in management meetings — is today far from reality. Thanks in part to ORSA, CROs are now at many insurers co-equal with their C-level piers: a top-tier exec fully involved in major corporate initiatives, their role focusing on how proposed actions might impact the insurer from a risk perspective.

By enabling carriers to make "better and more informed" decisions, the CRO can help produce superior outcomes —greater revenues and profits, reduced costs, better managed and more financially resilient organizations. (Photo: Thinkstock)

More power to the CRO

By enabling carriers to make "better and more informed" decisions, says Chad Runchey, a principal of insurance advisory services at Ernst & Young and a contributing author of the survey, the CRO can help produce superior outcomes — greater revenues and profits, reduced costs, better managed and more financially resilient organizations.

That conclusion aligns with a recent report from the Deloitte Center for Financial Services, which asked insurers' chief compliance officers to rate their companies' "maturity" on key ethics, compliance and spending parameters. The Deloitte report's conclusion, as reported by LifeHealthPro in a December 15 feature, is that well-designed compliance architecture is "an asset" to carriers. Investments in processes and controls to ensure adherence to regulators' rules of the road yield "increased top and bottom lines, as well as a lowered danger of reputational and other risk."

It's no surprise, then, that insurers are increasingly empowering their CCOs. Ditto in respect to CROs, to whom the former generally report. As the Ernst & Young study reveals, half of CROs say their companies have given them new responsibilities during the prior 12 months; and some anticipate taking on more tasks "in the next few years." Between 5 in 10 and 8 in 10 of the CROs surveyed say they "own" (as opposed to having a limited responsibility for) the following functions:

- - - Stress and scenario design (80 percent);
    - Model validation (75 percent);
    - Risk appetite-setting (71 percent);
    - Model governance (71 percent); and
    - Risk tolerance and limits-setting (56 percent).

The CROs also play a role (albeit less influential) in insurers' other risk-related functions. These range from risk mitigation, reinsurance and capital deployment to business strategy, product approval, investments, valuation/reserving and strategic decisions, such as whether acquire or merge with a competitor.

To learn more about the chief risk officer's evolving role at life and P&C insurers (CROs at these carriers represent 35 and 55 percent, respectively, of the survey's respondents, the remaining 10 percent being a "composite"), LifeHealthPro interviewed Ernst & Young's Runchey during an insights-filled 45-minute phone conversation. The following are excerpts.

Ernst & Young has observed a marked shift in reporting lines: Many CROs now report directly to the CEO and the board of directors. That's a big change from EY's 2010 survey. (Photo: Thinkstock)

Evolution of the field

LHP: How have your research findings changed since Ernst & Young's first survey of CROs in 2010?

Runchey (pictured at right): CROs in 2010 were relatively new so we wanted to do a high-level survey, focusing on their responsibilities, the key issues they face and the position's changing scope. The field has significantly evolved. Insurers today have more formalized approaches to risk management than they did 6 years ago.

LHP: Did this year's survey findings align with your expectations?

Runchey: They generally did. To the extent they departed from prior years, the results reflected in part an expanded number of participants. In 2016, we had a lot more small and regional insurers; so there was a greater diversity of CROs.

Many of them are further down on the maturity scale in terms of capabilities. While risk management is becoming more embedded at the carriers, business practices vary widely, mirroring the size, complexity and risk profile of the insurer.

One factor driving insurers to adopt more formalized risk management practices is the NAIC's 2015 model act, ORSA, which requires insurers to document their risk management framework, taking account of current and future risks to the companies.

ORSA is driving a convergence of the industry's disparate processes and controls. The changes are particularly notable among small and regional carriers that have less mature risk management practices. The ORSA self-assessments must include: (1) an overview of the company's risk management framework; (2) an assessment of risk exposures; plus (3) a group capital assessment and a forward-looking assessment of solvency.

LHP: In light of the new regulatory requirements, how you do see the CRO position evolving?

Runchey: In corporate C-suites, CROs are increasingly being brought to the table to discuss key decisions, whether it's about products, risk mitigation strategies, capital deployment or investments. The unique perspective CROs bring in assessing risk exposure and the potential business impact of decisions is very valuable to senior management.

As a result, we've seen a marked shift in reporting lines: Many CROs now report directly to the CEO and the board of directors. That's a big change from our first survey.

In senior management meetings, they're not just imposing a veto from the sidelines. They're playing a meaningful role by indicating how a proposed action will affect the insurer's risk profile. The CRO is now a full partner in executive-levels decisions; it's no longer just about providing a compliance check on the decisions of others.

Nearly 8 in 10 (78 percent) of the CROs Ernst & Young surveyed say they use stress testing and modeling in business planning. (Photo: iStock)

Variables, tools & methodologies

LHP: Regulation aside, what business or economic factors are more prominent than in past years in a CROs' risk analysis?

Runchey: What the CRO has helped to accelerate within insurers is stress-testing: looking at the company's results under adverse conditions; and understanding how risks will manifest themselves in the future. Two stress scenarios commonly examined are the impact of sustained low interest rates and a repeat of the stock market crash of 1929.

Based on the risk assessment, the CRO will help the executive team navigate key questions. For example, "Are we comfortable with the stress test results or do we want a better outcome? Are we holding too much capital in reserve or too little? Can we achieve them same objectives with a different strategy or time horizon that entails less risk to the business?"

By raising these questions, the CRO adds value to executive-level conversations. They bring to the table what-if scenarios, quantify their potential impact and suggest alternatives when the strategy in question is deemed outside certain risk limits. At a P&C insurer, for example, these limits may apply to exposures, risk retention and PMLs — probable maximum losses — resulting from a natural or man-made catastrophe.

LHP: What tools and methodologies are available to the CRO to assess risk?

Runchey: Most insurers are able to forecast their financials, such as changes to the balance sheet, the income statement or the cash flow statement in light of their strategic plans, the economic outlook, the business environment and competitive factors. What we're seeing now is the overlay of stress tests onto these forecasts.

Nearly 8 in 10 — 78 percent — of the CROs we surveyed say they use stress testing and modeling in business planning. These risk quantification techniques are also used, albeit among fewer than half of our respondents, in ORSA reporting, capital and liquidity management, reinsurance program optimization, asset-liability matching, equity allocation and return on equity [ROE] reporting. The industry has also developed advanced economic capital modeling; this comes in various forms, as there's no standard definition of economic capital.

Some insurers base their stress-testing on economic capital models that encompass all material risks and are based on Solvency II [a directive of European Union law that, since January 1, 2016, has codified and harmonized EU insurance regulation. The legislation mostly concerns the amount of capital EU insurers must hold to reduce the risk of insolvency].

Other guidelines and benchmarks are also used for defining economic capital. ORSA lets insurers decide on a capital measure that makes sense for their business and risk profile, then use that yardstick to quantify the impact of what-if events.

Insurers are starting to combine finance, risk and actuarial capabilities, enabling the carriers to achieve better risk-adjusted outcomes, and do so on an enterprise-wide basis. (Photo: Thinkstock)

Technology and cultural issues

LHP: Are you seeing technology improvements that let CROs better assess risk?

Runchey: At the core of the modeling are actuarial software tools; these are constantly being upgraded and enhanced to allow for more detailed and insightful analysis of hypothetical scenarios. But there's no silver bullet that can comprehensively assess enterprise risk; it's a complex, multifaceted exercise.

LHP: Understood. Are there nonetheless gaps in risk assessment software functionality that need to be filled?

Runchey: The tools in the marketplace today can get the job done. What hasn't happened yet is an industry-wide adoption of automated and efficient business processes, controls and governance mechanisms around these tools.

Risk analysis shouldn't require a Herculean effort. With the right enterprise risk management framework, it doesn't have to be.

LHP: Does this framework also entail greater cross-disciplinary work — bringing together insurance executives and seniors managers in different departments to work through issues on a collaborative basis?

Runchey: Yes. Insurers are starting to combine finance, risk and actuarial capabilities — rather than, as was the previous practice, undertaking separate projects within each discipline. Such teamwork lets companies achieve better risk-adjusted outcomes, and do so on an efficient, enterprise-wide basis. This cross-disciplinary risk analysis is gaining traction throughout the industry.

LHP: To what degree are risk management best practices being adopted reflect the insurer's the corporate culture?

Runchey: The corporate culture at insurers is generally very cognizant of risk, as the business of insurance involves risk-taking. So CROs who provide greater transparency about these risks, can quantify them and assess their potential impact, fit very well into most insurers' corporate cultures.

Among the vast majority of CROs we interview for our annual survey, the relationship with other C-level executives isn't adversarial, but strong, productive and healthy. And for good reason: Policyholders expect insurers to be around for the long-term to make good on claims. So appropriately taking account of risk exposures aligns with the carrier's corporate objectives and culture.

LHP: Point noted. But I imagine there are more than a few instances of tension within the C-suite. Given carriers' increasing need to innovate and distinguish themselves from competitors — among them tech-start-ups that are threatening to "disrupt" the marketplace — might CROs at times feel compelled to resist the inclination of other C-level executives who want to push the envelope?

Runchey: Yes, there is a healthy tension that exists — and should exist — within senior management. And in contributing to such tension, CROs add value.

But it's not a matter of saying, "No, you can't do this." It's about being transparent as to the risks the organization faces in pursuing a course of action. The CRO needs to ensure that everyone in the C-suite is making a decision with eyes wide open as to the potential impact.

Insurers have risk appetite statements, which get approved by their boards. If a company should consider an action that would potentially violate those statements, then there's an escalation process involving senior management and, ultimately, the board.

These statements provide a way to facilitate an escalation in an orderly, deliberate fashion. The executive team can either agree to work within the bounds of the statement or, if the potential benefits outweigh the risk, go beyond the prescribed limits. It's the CRO's job to alert the executive team members to risk exposures and help them come to a well-considered decision.

Insurers are in broad agreement with the Fed regarding the central bank's principals respecting capital planning and general management, but tensions among the parties have arisen over how the carriers are to abide by them. (Photo: iStock)

Squaring off against the regulators

LHP: What about tensions between the CRO and regulators? Do you see an alignment between what the carriers are doing from a risk perspective and what the regulators expect of them?

Runchey: State insurance commissioners and the NAIC take very seriously carriers' development of formalized risk management frameworks consistent with ORSA. The carriers generally feel very good that their ORSA reporting is consistent with the states' regulatory objectives.

At the national level, the Federal Reserve has mainly focused on determining whether the insurers' risk profiles are consistent with the central bank's principals respecting capital planning and general management. The insurers are in broad agreement with the Fed regarding these principals, but tensions among the parties have arisen over how the carriers are to abide by them.

LHP: Have you observed better risk management best practices among life or P&C insurers, or among carriers of, say, a certain size or business structure?

Runchey: In general, the companies that are further along in instituting best practices are federally regulated, either because they've been labeled as systemically important financial institutions [SIFIs] or because they own federally regulated banks. Some insurers are also subject to Solvency II requirements, such as U.S. subsidiaries of European insurers. So all of these carriers fall under federal and/or international regulation.

LHP: Might the fact that these insurers are more heavily regulated place them at a competitive advantage or disadvantage?

Runchey: There's clearly an advantage in having a robust risk management framework, though it's difficult to determine whether the regulations may offset some of the benefits. My view is that the ability to make better and more informed decisions should lead to better outcomes.

LHP: What should our readers, life insurance agents and financial advisors, take away from the study?

Runchey: As risk management becomes more formalized, and as stress-testing gets more widely adopted, insurers will gain a better view of their risk exposures and be able to take action to mitigate those risks. That will result in more resilient insurers capable of sustaining a financial crisis. Advisors can take comfort in knowing the companies are doing the right things to assure they'll be around for the long term to meet their obligations to policyholders.

Read Ernst & Young's 6th annual survey of North American insurance CROs, "Charting the evolving role and authority of the CRO," here.

Trump, GOP could torpedo DOL rule, Dodd-Frank

One consequence of the DOL rule: more risk-averse advisors

4 versions of the Best Interest Contract Exemption

How the insurance industry is saying goodbye to pragmatic regulation

Join us and Like us on Facebook.

NOT FOR REPRINT