With regulatory requirements intensifying and endless technological advances, senior risk management executives for property/casualty insurers face a complex and shifting landscape.

Executive Summary

How does the risk function participate in capital management? Should CROs be interfacing more with regulators now that ORSA is a fact of life for P/C insurers? Those are just two of the questions that carrier executives are facing in 2016, according to EY Principal Rick Marx.

As a result, many firms have enhanced their risk management capabilities and centralized previously dispersed functions and teams. Others have focused on meeting baseline regulatory requirements in the simplest and most efficient ways.

With the first year of the Own Risk and Solvency Assessment (ORSA) now complete, it’s a good time to take stock of the current state of risk management in the P/C insurance sector. The thoughts below largely reflect inputs received during EY’s 2016 Insurance Chief Risk Officer (CRO) Survey, where we talked with more than 30 senior risk management leaders from across the industry, including many from leading P/C carriers. (Full results will be released later this summer.)

Certainly, the developments of the last several years have reshaped each of the classic components of risk management, leading to a new enterprise orientation of the risk management discipline. Consider risk appetite setting. Historically, P/C companies have clearly defined their underwriting limits by product line, business unit and territory and have carefully monitored their limits on aggregate exposures (by geography, risk type, etc.). But only recently have these limits been formalized and presented to boards as part of holistic risk management frameworks. Risk tolerances and limits are just starting to be linked and stress-tested or incorporated into dynamic capital models.

NAIC mandates for ORSA were obviously the driver of the increased documentation and reviews by senior management and the board. However, progress has been uneven and unpredictable. For instance, some companies lack full-time CROs or have small risk teams that play only coordinating or information-gathering roles. At other firms, CROs are viewed as essential members of the senior leadership team.

At many P/C insurers, risk mitigation takes the form of extensive and complex reinsurance programs. These programs—which may apply a variety of quota-share, excess-loss, stop-loss and other types of treaties—are managed by in-house expert teams working closely with global reinsurance brokers to ensure aggregations remain within limits. Companies developing new and more holistic risk management frameworks often build out from existing aggregation management and use reinsurance modeling as the foundation for enterprise-wide capital models.

When it comes to risk measurement and quantification, the directional trend points clearly toward more complex stress testing or full dynamic financial models. Some companies have unsophisticated models that were developed five or 10 years ago, leading them to question whether these are appropriate to support new risk management approaches or to span all of today’s risks.

The same holds true for risk reporting. Although state regulators have not been highly focused on risk reporting to date, it is not difficult to see how future requirements will call for more granularity, accuracy and frequency. Here again, ORSA has provided an impetus for carriers to establish risk reporting to senior management and the board, if no such processes were in place previously.

A New Set of Questions

The three lines of defense model holds that operational management and front-line staff are the first line of defense; compliance and risk management teams are the second line; and internal audit is the third line.

With one year of ORSA officially in the books, many executives are now facing a range of questions. The first question on their minds is whether the company is effectively served by its risk management framework, especially relative to the right organizational structure for risk management and the three lines of defense model. But there is no way to provide a definitive answer without addressing a subset of issues, many of them having to do with organizational structures for risk management.

  • Should a central corporate risk team be supported directly by risk professionals who are resident in the first line of defense?
  • How should risk management be aligned with finance, actuarial and other functions that also contribute to reporting GAAP, statutory and internal performance metrics?
  • What is the relationship with operational teams—underwriters, product and pricing teams, reinsurance managers, and asset managers—whose actions impact the company’s evolving risk profile?
  • How do CROs and risk teams align with others in the second line of defense, including modeling teams (whether their outputs are for internal or regulatory purposes)? How does risk participate in capital management, recognizing the goals of capital efficiency, accurate allocations to product lines and visibility into true costs? Does oversight of reserving and pricing sit under the CRO or a chief actuary? Do these roles merge? What is the interaction between risk and compliance functions and leaders?
  • Will CROs manage relationships with rating agencies, or will this role be shared with the finance function?
  • How does the interface between the company and regulators evolve now that ORSA has been established as a key deliverable? Does the role of the CRO increase? What will the role be for compliance officers or group counsel, the traditional keepers of regulatory relationships?

Participants in EY’s Insurance CRO Survey made clear that these questions are taking an increasing amount of their attention and that individual insurers will have unique answers.

Looking Ahead: Evolution Toward Enterprise Risk Management

As they seek answers going forward, P/C insurers are very likely to continue maturing their capabilities and expanding their views of risk to see potential impacts across and at various levels of the organization. As second-line functions increasingly come together, CROs will likely be responsible for more risk management functions and activities, including:

  • Risk tolerances and exposure limits.
  • Reinsurance management.
  • Modeling for risk and capital.
  • Compliance.
  • Oversight on reserving.
  • Asset risk reporting.
  • Management of rating agencies and regulators.

In this sense, the long-term evolution is leading to what can truly be called enterprise risk management.