2017 Bermuda Insurance CRO Survey
Adding value in a rapidly evolving risk landscape
2017 Bermuda Insurance CRO Survey | 1 www.ey.com/bermuda
About this report
This report is the second edition of EY’s Bermuda Insurance Chief Risk Officer (CRO) Survey, aimed at gaining insights into the current structure and role that risk functions play in their organizations.
In particular, the survey is aimed at:
► Understanding how risk functions and CROs are addressing emerging challenges, and how their role is changing in response to a rapidly evolving risk landscape
► Identifying key trends in risk management practices observed among participants, drawing a comparison particularly between newly established risk functions (i.e., within first five years of being set up) and those previously established
Our participants
Our CROs include a wide range of long-term and property and casualty insurers, in particular:
EY sincerely thanks the CROs and companies that shared their time and insights for this year’s survey.
Introduction
[Chart categories: Groups; Class E; Class 4; Class 3A; Captive. Values: 28%, 22%, 33%, 6%, 11%]
Key themes
1. Evolution and background of the CRO: CROs find their role shifting as the risk function matures
2. Innovation and cyber are shaping the CRO agenda, posing both threats and opportunities
3. CROs are confident in the value they can bring to the business
4. The role of the CRO in 2018 and onward
1. Evolution and background of the CRO
► In line with the results of last year’s survey, we continue to see an increasing footprint of risk functions within the CROs’ individual organizations.
► About 40% of our CROs have only recently transitioned to a full-time role in risk management, often to address the need for a more “stand-alone” function to provide independent challenge.
► Only two of our CROs are currently “double-hatting” with CFO or CEO roles, with all other CROs having a clear and dedicated mandate around risk management.
► While we see a clear trend in the risk function becoming a “stand-alone” function, we continue to see CROs carefully considering headcount within the function, with lean structures observed across most of our participants.
Startup vs. established risk functions
► The CRO’s roles and responsibilities differ depending on the risk function’s maturity.
► Newly appointed CROs, particularly where the risk function has only recently been created, are dedicating greater focus to the design elements of the risk management framework.
► In contrast, where the risk function is more mature, the focus is clearly around achieving efficiencies and identifying opportunities to streamline existing processes.
[Chart bands: ≤ 2; 3 to 5; > 5. Values: 39%, 46%, 15%]
Key accomplishments and challenges for the CRO
When exploring key accomplishments and challenges, we have identified common themes among our CROs in line with the risk function’s level of maturity.
Challenges
► “Resourcing effectively to ensure the risk function is standalone as the business grows”
► “Resourcing: Given the small size of the team, it is difficult to anticipate when increasing headcount will be required, and, in addition, this needs to be balanced with budgeting constraints”
► “Getting the right balance between being a risk function and not doing what’s been done elsewhere”
► “Keeping pace with how the first line is developing the strategy in response to regulatory change”
► Resistance to change and “reversion to the mean”
Key accomplishments
► Establishing risk management framework and strengthening risk governance
► Fostering a more open risk culture, with a focus on boosting efficiency and streamlining the risk function
► Aligning enterprise risk management (ERM) on a group-wide basis, with greater operational risk focus
Average risk function headcount
[Figure axis: Maturity (Startup, Established)]
CROs find their role shifting as the risk function matures
We have seen far more consistency and clarity among CROs in terms of “what they own,” and it is in those areas where risk has only ever been an influencer that we have seen the involvement of risk increase in this year’s survey.
Our results show that the background of CROs drives their level of involvement in key business processes.
Quantitative background includes statistics, actuarial, mathematics, etc.
2017 CRO’s role and responsibility by process
[Chart: for each process below, share of CROs by level of involvement. Legend: Process owned by risk/CRO; Influence/approve; Limited involvement]
► ERM–installation/maintenance of risk framework
► Risk appetite setting
► Risk tolerance/limits setting
► Risk measurement and reporting
► Stress testing–design
► Stress testing–performance and reporting
► Model risk management
► Model validation
► Capital management
► Reinsurance program design
► Reinsurance program execution
► Risk mitigation (please specify activity)
► Development of business strategic plans
► Product design and pricing
► Strategic decision-making (e.g., M&A)
► Underwriting
► Setting of asset strategy
► Oversight of reserving/valuation
We note that CROs with a quantitative background are typically more involved in the following business processes:
► Product design and pricing
► Strategy
► Underwriting
► Capital management
[Chart categories: Quantitative background; Qualitative background. Values: 69%, 31%]
Qualitative background includes accounting, risk management, internal audit, etc.
2. Innovation and cyber are shaping the CRO agenda, posing both threats and opportunities
Cybersecurity is on the CRO agenda, with a number of different approaches being taken
While only 17% of our CROs typically see themselves as being accountable for cyber risk management, all participants have had some sort of involvement with cyber.
Other insights
CROs noted a number of strategies to manage cyber risk:
► Strengthening controls surrounding cybersecurity
► Attack and penetration testing
► Some participants noted use of third parties to manage cybersecurity and IT infrastructure
► Use of cloud storage
Going forward, CROs planned to focus on:
► Investing in tools and skill sets to quantify and measure cyber risk
► Capturing “silent” exposures, with one CRO asking “have we identified it and are we pricing it?”
► Regulatory developments, including General Data Protection Regulation (GDPR)
What do CROs say?
“If you have zero tolerance for cyber risk then all your time and effort should be in focusing on not being exposed to cyber risks. However, that’s impossible to do.”
“Cybersecurity is kind of an arms race. An area that concerns me. An area to invest in.”
“My main responsibility regarding cyber risk is to create awareness.”
“Cyber underwriting and cybersecurity are very different skill sets.”
What did our US survey find?
► Similar to Bermuda, in the US there has been an uptick in awareness and concern around cybersecurity across 2016 and 2017.
► Cyber risk appetite and risk tolerances were at an elementary state at most companies, with measurement techniques not yet “advanced.”
► 44% have some form of cyber risk appetite statement in place, while 28% were working on inserting cyber into their risk appetite.
► 1/3 of US CROs cited National Institute of Standards and Technology (NIST) as being referenced by their firms – but few US companies have developed cyber risk measurement.
► New cyber regulation from the National Association of Insurance Commissioners (NAIC) and the New York State Department of Financial Services (NYDFS) is already in force and influencing companies' approach. The NAIC model law is being finalized but remains 0-2 years from being enacted at the state level.
[Chart categories: Managing cyber as part of operational risk; Directly own cyber risk; Other/various. Values: 22%, 17%, 61%]
► Establishing an IT governance framework
► Raising awareness throughout the organization
► Reviewing cybersecurity/risk policies
► Challenging the activities performed by the third party vendor
What do CROs say?
“The risk team looks across the whole organization. Risk can see the implications, consequences and secondary impacts.”
“We want to make sure that not everybody gets ahead of themselves.”
“If you’re a good CRO you won’t be perceived as a constraint. A good CRO helps the first line, provides assistance and acts as a sounding board.”
“The big role played by risk on emerging technologies is to make sure the R&D team is on point and remains at the forefront of the latest developments and conversations.”
“You have to look at where innovation will work in order to be able to divert resources to it.”
“The main objective is to keep everybody involved and up to date with the pace of the business and the emerging trends.”
CROs are looking to innovate, although foundations still need to be built
► In an expansion of their role as “strategic advisors” within the organization, some CROs have dedicated significant time in exploring how new technologies can be harnessed to drive efficiency, both within the risk function and across the organization as a whole.
► However, the majority of our CROs see their role as that of raising awareness over the wider risk implications arising from increasing the use of technology across the organization.
Investment in innovation
This CRO is taking steps to keep ahead of technological change by:
► Investing in insuretech and participating in consortia
► Establishing an insuretech initiative that helps the board determine which technologies to invest in
The key objectives of this CRO:
► To understand where insuretech is going and how it can be leveraged
► To keep up and have a voice in technological change
The CRO’s key role is to make sure that the research and development (R&D) team is “on point” and remains at the forefront of the latest developments.
Data and automation focus
This CRO is focusing on how technology can be used to foster better collaboration with the business by:
► Investing in tools aimed at increasing data quality and availability
► Understanding automation opportunities and use of AI
The key objectives of this CRO:
► To generate data, interpret it and provide insights
► To enhance data clarity to assist in problem solving
► To assess risks where data was not previously available
Two of our participants have greater involvement in innovation
Case studies
“In the next few years, there are going to be major disruptions in our model, brought about by new technology.”
We need to “become much more nimble and experiment with data.”
3. CROs are confident in the value they can bring to the business
CROs took pride in the role that robust risk management played in preparing for emerging risks and the catastrophic events of 2017, which was facilitated by a number of enablers
Key enablers
► Emerging risk identification and escalation: While all our CROs have an emerging risk management process in place, the design varies across participants, largely as a result of meeting the needs of individual boards and senior management.
► Formalizing risk appetite: Most of our CROs are planning to review the risk appetite framework over the next 12 months. Where risk appetite is established, CROs have taken pride over its effectiveness.
► Robust stress and scenario testing framework: Stress and scenario testing is considered a key risk management tool by all CROs in order to identify “what if” events and further strengthen the relationship with the business.
What do CROs say?
“Providing training to the board and keeping business managers up to date with risks from industry developments like blockchain.”
“The risk team provides the board with reports on the implications and impacts of emerging risks.”
“When all of the emerging risks are collated, the risk team assesses if the emerging risks are immediate or remote and a risk owner is assigned. After further evaluation, the emerging risk will be included in the risk register or on the watch list.”
“We do learning studies, which prepare us for emerging risks. These studies are scenario-based where we analyze the implications of different scenarios.”
“The cat events of Q3 2017 were a good test of risk appetites—losses were not out of line with appetites/expectations.”
“Focus in the next 12 months will be building a risk appetite framework from the top down, focusing on the development of a formal risk appetite, risk tolerance and limits and risk reporting.”
“We do have appetites set out, but they are evolving.”
“One of the reasons for the rebuild of the internal capital model is to build and expand on the stress tests on the portfolio.”
“Stress and scenario testing is a collaborative effort between the first and second lines.”
“Stress and scenario testings are developed with the board. My role is to do deep dives and create ad hoc scenarios on specific areas that may be a concern.”
► CROs were generally happy with the CISSA/ORSA process, as it provides a summary of stress and scenario testing results on the most relevant metrics driving decision-making.
► Rather than fundamental changes, more focus was on streamlining and increasing efficiency by “linking and integrating internal risk reporting with the CISSA.”
CROs have varying opinions on the use and value of the Commercial Insurers’ Solvency Self-Assessment/Own Risk and Solvency Assessment (CISSA/ORSA); some see it as a regulatory exercise, but most CROs see it adding strategic value
While some consider the CISSA/ORSA a regulatory compliance exercise …
► “Unfortunately, it is more of report deadline/tick-box exercise.”
► “CISSA was mostly treated as a requirement for regulatory compliance, however some components of it are being used to form strategy.”
… 79% use it as a strategic planning tool
► “I think it is useful to us. I see it as a useful tool, which is now embedded in our DNA and drives the risk culture. I think the culture itself is more useful than the documentation.”
► “The ORSA is heavily used and can definitely be seen as a strategic planning tool.”
► “I see the CISSA as one of the few reference points that can be seen as fact … and is a valuable process that we go through.”
► “It’s a repository for our whole risk management framework, therefore it’s a helpful document.”
► “We use the report to inform our review of capital adequacy … and to inform strategic decisions.”
► “I think it’s a blend—it started as a regulatory report but is currently moving toward being a management tool.”
Views from CROs on the CISSA/ORSA process:
What is the primary metric that drives “own solvency”?
[Chart categories: Rating agency's capital requirements; Internal model capital requirements; Regulatory capital requirements. Values: 50%, 17%, 33%]
4. The role of the CRO in 2018 and onward
While current priorities vary between CROs, future investment is driven by common goals and challenges
How do you envisage the budget dedicated to supporting CRO activities to change in the next year?
Budget
This year more CROs saw their budget increase compared to last year (34%). Interestingly, all startup risk functions in our survey anticipate increasing budget for 2018, whereas responses from established risk functions were more varied.
How many have highlighted automation?
62% of our participants have mentioned investing in automation, which will be a focus going forward. The areas where we typically see automation for the risk function are surrounding compliance tools and reporting mechanisms.
What do CROs say?
“We keep an eye out on the increasing regulation and its impact on our strategy. We would like to be and stay nimble, which is harder to achieve with increasing regulations.”
“The CRO’s role and focus area has changed and shifted to strategic decision-making and I believe this will gain momentum. This is definitely true for our company.”
“We will invest in automation processes and tools going forward. Especially with the goal to attain a more robust and efficient approach to reporting.”
[Chart categories: Increasing; Static; Decreasing. Values: 61%, 31%, 8%]
► “I expect my role to evolve more toward active risk management and perform as an advisory function instead of a report-producing function.”
► “I believe, in a broader sense, that the CRO will have a holistic overview of the company and its directions. The holistic view provides CROs with the unique ability to advise key strategic decision-makers. However, (the CRO’s) success is ultimately dictated by the one who is in charge.”
► “I don’t think my role will evolve as it is already fully integrated within the decision-making process, including strategy-making. However, as a general perspective, I believe the CRO will evolve with where the industry will take him/her. An example is the development of AI: as AI becomes more prevalent, CROs will need to focus more closely on cyber attacks and their impact.”
► “It comes down to the function being adaptable to being used in different situations. The challenge is how do you take people from doing one part of the risk function and apply them to different tasks?”
Embedding the risk function and evolving toward bringing more strategic value to the organization.
Looking into future industry changes and demonstrating flexibility.
What are CROs focused on going forward and how do they see their role evolving?
While innovation and the outlook on new technologies have emerged as key themes in this survey, regulatory developments still remain a key consideration for CROs.
[Figure axis: Maturity (Startup, Established)]
While the priorities of CROs vary between startup and established risk functions, looking forward, CROs face common challenges
[Figure labels: Brexit; SIMR; US tax reform; Accounting changes; IDDG; GDPR; Bermuda anti-bribery and corruption regulations; International capital standards changes; BMA BSCR rule changes; Stand Re FINMA]
Questions for consideration
What should the role of the CRO be when it comes to cyber risk?
How should the CRO role evolve to respond to the increased use of technologies and innovation in your organizations?
How can you demonstrate the risk function’s value-add? Should you have to?
Given the potential difficulty in quantifying cyber exposures, how should appetites be defined?
What changes can you still make to the CISSA to embed it as a strategic risk management tool?
What steps can you take to make sure risk appetite is understood and actively used in business decisions?
As CRO, how much does your background impact your role in the organization?
As CRO, how does your background influence what business processes you are involved in?
What is the optimal balance of skill sets within a risk team?
As well as mitigating cyber risk, what is the role of the CRO in the wider innovation agenda?
The bottom line
In line with the trend observed in last year’s survey, risk functions are increasingly playing a critical role in supporting the board in driving their strategic agenda.
While regulation has surely been a key driver in elevating the role of the CRO to become a key contributor to the decision-making process, it is often a business need that led organizations to better formalize and structure their risk management frameworks.
As the insurance industry continues to embrace innovation, CROs are closely monitoring how technological developments across the organization may impact the overall risk profile; in parallel, CROs are continuing to focus on ways to improve the effectiveness of their frameworks through automation and streamlining of existing processes.
Looking ahead, it is clear that CROs expect their role to continue to evolve. As one CRO put it, the success of the risk function going forward will depend on the adaptability of the function to be able to respond to different business challenges as they arise and make sure they continue to be seen as a valued partner by business stakeholders.
Contacts
Chris Maiato, Principal, Advisory Services Leader, Bermuda, +1 441 294 [email protected]
Paolo Fiandesio, Senior Manager, Insurance Risk, Bermuda, +1 441 294 [email protected]
David Paul, Executive Director, Insurance Risk, New York, +1 212 773 [email protected]
David Brown, Partner, Insurance Sector Leader, Bermuda, +1 441 294 [email protected]
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
About the EY region of Bahamas, Bermuda, British Virgin Islands, Cayman Islands
The region of member firms in the Bahamas, Bermuda, British Virgin Islands and Cayman Islands is operationally aligned with our Americas Financial Services Organization, headquartered in New York. We serve the banking and capital markets, insurance, and wealth and asset management sectors providing a full suite of advisory, assurance, transaction advisory and tax services and focus on providing seamless, exceptional client service.
EY is a leader in serving the global financial services marketplace
Nearly 43,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Organization today includes more than 6,900 professionals at member firms in over 50 locations throughout the US, the Caribbean, Bahamas, Bermuda and Latin America.
EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Wealth & Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.
With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.
© 2018 EY Bermuda Ltd. All Rights Reserved.