The second-generation chief risk officer (CRO 2.0) — the partner of the business in a purely risk oversight role — could face extinction in the medium to long term.
The role of the CRO in insurance has evolved quickly since the role and title were first defined in the mid-1990s. The start of Solvency II has moved the goalposts, requiring insurance CROs to once more successfully adapt to their changing environment to survive. Prepare for the world of CRO 3.0 — a term that, while not new, is only now starting to be truly understood.
A Brief History
To understand the significance of what might be required of CRO 3.0, we begin with the CRO’s historical role.
The CRO 1.0 generation had a very distinct task: to develop and implement an enterprise risk management (ERM) framework. Regulation kept CROs extremely busy and very much determined their priorities, as organizations needed to become Solvency II compliant.
CROs were allocated a significant share of the company’s expense budget to:
- Build risk models
- Develop the risk function by hiring and training new people
- Enhance systems and processes
- Establish policies, governance and reporting structures
- Catalyze a comprehensive change management program within the organization
Since the CRO’s primary role was to quantify risks and manage the complexity of the insurance business, this dictated that most activity was technically focused.
CROs weren’t always appreciated within some companies, as they increased risk transparency, changed procedures and operations, increased workloads, and made it imperative for senior executives and board members to understand and use complex actuarial and risk calculations and results. Nevertheless, CROs were able to manage their own success.
When offered, praise was often dubious. One CRO 1.0er recalled a grateful board member’s kudos: “Thanks a lot for your effort to keep all this regulatory nonsense off my back!” In short, those outside the risk function often viewed risk management and Solvency II as an annoying compliance exercise to be avoided when possible.
The Own Risk Solvency Assessment (ORSA), required by Solvency II’s Pillar II and the National Association of Insurance Commissioners (NAIC), incorporates qualitative as well as quantitative review. Consequently, the CRO’s role needs to evolve and build upon ERM principles and risk models.
CRO 2.0ers needed to both build the ERM framework and make it come alive for the business. There is a quantum leap between creating policies and defined roles and responsibilities, and imbuing an organization with rules and risk management that are taken seriously and are part of company culture.
Once the core risk management processes were in place, aspiring second-generation CROs had to advance and also cover business decision processes. They had a say in significant business decisions such as business strategy, reinsurance cover, new products (insurance and/or investments) and asset liability management (ALM). The need to embed risk management more deeply into organizations became a key objective.
Commonly employed solutions were to become a member of various committees or to require a compulsory independent risk assessment by the CRO for significant business decisions.
However, the CRO has had to earn the right to participate early in the decision process and exert influence over key decisions. It is extremely difficult, if not impossible, for the CRO to truly perform a thorough risk assessment on a new ALM strategy or a new insurance or investment product if the risk function is involved only a couple of days before the actual committee meeting.
Consequently, senior management, decision takers and risk owners must accept the CRO as a peer with a right and obligation to present a critical and independent viewpoint. They need to acknowledge the CRO’s involvement as a valuable enrichment of insight to make better business decisions.
To earn this acceptance, CROs have needed to exhibit technical expertise and other competencies: business acumen; communication and negotiation skills; and strong leadership values such as a share-to-succeed mentality, a commitment to finding solutions and strategic vision.
In short, the CRO has needed to add a set of competencies often associated with chief executives. This is a difficult set of prerequisites, but necessary to bring value to the business and to successfully embed risk management in the organization. After all, a well-positioned and successful CRO is a second-line-of-defense CEO. Solvency II has positioned this second-generation CRO to gain and maintain this role for quite some time. Still, there is, arguably, a natural end to the CRO 2.0 on the horizon.
As Solvency II becomes business as usual, risk functions will increasingly be subject to standard business pressures such as productivity targets, cost-saving objectives and staffing reviews. These shifts in value assessment are already becoming evident among insurers, particularly those in the first wave of companies seeking internal model approval under Solvency II. For example, one recent comment reportedly made during a European insurance company board meeting went something like: “You risk guys have had your show and your fancy budgets long enough. It’s time you row in the same boat with us again!”
Such an attitude could grow over time, and CROs relying solely on regulation to justify their budgets and head counts will soon find themselves on shaky ground. Challenged by low investment yields that threaten the business model of traditional life and savings offerings, and increasing digitization and its accompanying changes in buying behaviors, management and board members are pressured to guide companies through changing times.
This challenge is likely to diminish senior management’s appetite for risk management, which is often still perceived as a compliance issue. Communicating the value of risk management becomes an even more essential skill for CROs.
So what future can we envisage for the CRO 2.0?
One possibility is that boards and senior executives will reduce the size and importance of the risk function because of the perception that sufficient value isn’t delivered to the wider business. This could be manifested through cost or staff cuts, or implicitly by exerting pressure on the CRO to deliver supportive risk assessments in an increasingly shorter time span.
This would return the CRO to more of a first-generation practitioner, focusing on compliance and formalities rather than engaging with the business as a true business partner.
The more progressive alternative is for boards and senior executives to call on the CRO to add value by assuming more frontline responsibility, a charge that would pave the way for CRO 3.0 — the next stage in risk management evolution.
In either case, CRO 2.0 — the partner of the business in a purely risk oversight role — will disappear.
CRO 3.0 — What’s Different?
CRO 3.0, like CRO 2.0, is proactive, has strong business acumen, effective leadership skills and a flair for communication.
So what is different? Mainly the role’s definition, which, most significantly, includes frontline responsibilities. CRO 3.0 doesn’t focus solely on second-line performance risk oversight that identifies things that might go wrong, have gone wrong or will go wrong. Rather, the third-generation CRO assumes operational business responsibility where necessary or where it makes the most sense — ideally from a position on the management board.
This role ensures the CRO continues to be perceived as a business partner sharing the same kind of responsibility and commitment to success as others in the C-suite. Hence, CRO 3.0’s performance will be measured as much by missed opportunities as by things going wrong.
At Willis Towers Watson, we sense the market is adopting this view. Even so, some would argue that conceptually, the role envisaged for CRO 3.0 violates the three-lines-of-defense (3LOD) system regarded as best practice by insurers today: operational management, risk management, and independent review. Certainly in its rigid form it does. But the 3LOD is not the only way to deliver sound business and risk governance, even if many regulators do encourage companies toward a more or less invariable 3LOD structure or regard the CRO as the supervisor’s representative in the company (in the style of CRO 1.0).
Fundamentally, there is no explicit regulatory requirement for 3LOD. It is just one possible methodology for sound risk governance. And it doesn’t need to be rigid; it has the potential to be flexible and adjusted dynamically in specific situations.
Regulation rightly requires a separation of risk taking and risk oversight, but these separate responsibilities don’t always need to be reflected in the organizational structure. It’s possible to separate responsibilities and still allow a dynamic change in roles for specific circumstances using process-specific governance instead of an organizational framework.
This could be temporary for a specific project or permanent for a specific regular process. However, for this to meet risk governance standards and be Solvency II compliant, accompanying measures are needed, such as:
- The third line, e.g., internal audit, can step in.
- Another second-line function can take over the risk oversight role.
- The first line oversees the CRO’s actions.
- Internal audit could also arbitrate process-specific governance to ensure the separation of duties.
The New Normal?
In many companies, arrangements of this sort are already happening — and working very satisfactorily. Rather than being the exception to the rule, this variation in roles could well become the norm. CROs who want to retain their business influence in a post-Solvency II or NAIC ORSA world should consider similar action.
For comments or questions, call or email
Dr. Carsten Hoffmann at +49 221 8000 3202,
Matthew Peters at +1 312 201 5183,