Members of risk committees of the boards of directors of property/casualty insurance companies have more on their minds than the abilities of their companies to withstand tail risks like devastating natural catastrophes or financial markets downturns, a carrier chief risk officer said during a webinar recently.

Board-level interest in risk issues has undergone an evolution that today finds members raising questions in the areas of strategic or business franchise risk, Steve Verney, executive vice president and CRO for Allstate Insurance Company, said during the PwC webcast titled, “Insurance Modernization,” responding to a question for panel moderator Henry Essert.

Essert, the leader of PwC’s Risk Practice in the Insurance Sector, asked CROs from four financial services companies: “Is there a particular risk or aspect of risk management that you characterize as being of greatest interest? What kind of questions are you getting more of than before?”

Verney said that during the financial crisis and immediately after it, there was a lot of “conversation, education and discussion around the easy-to-see balance sheet risks and return opportunities” in the boardroom.

That evolved in later years into “more discussion on operational risk [with] a real laser focus on cyber risk and elevating that to a board-level regular topic” as in almost any type of company, he said.

empty boardroomMoving forward to the current boardroom setting, Verney said that when he talks about tail risks related to equity markets or natural catastrophes, board members respond: “Well, it’s interesting about that 1-in-250-year hurricane and I understand that would hurt. But in today’s world, business models are being overturned almost in an instant.'”

They seek more discussion of those kinds of issues, reasoning that they could impact the company more quickly than “tail risks on the normal risks,” Verney said. “They really want to embed discussions on strategic risks and opportunities.”

“How we use an ERM [enterprise risk management] framework to help guide those discussions is the next frontier for us,” he said.

Panelists representing life insurance and wealth management firms said that liquidity and interest rates are key items attracting interest from boards of directors. Alessa Quane, CRO of AIG Property Casualty, agreed with her life insurance counterparts, but said that in addition to those asset and investment risks she has noticed an increase in understanding of the key operational risks among board members.

Risk experts define operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems. It can also include risks from natural hazards. In simple terms, outside of the natural hazard piece, it can be thought of as the risk that the wrong people are doing the wrong things at the wrong time.

“You see a lot more fines and mishaps at many firms in the press—both domestically here in the United States and worldwide. I think that has heightened their interest and desire to not be that name in the press for these types of things.”

“That’s put a lot pressure on our operational risk management program to be careful not be always be focusing on the minutia and every little bit of operational risk that exists, but really to see what we can do to mitigate the larger ones that then ultimately lead to reputational risk.”

In addition, “significant regulatory pressure in the consumer space” related to the fair treatment of customers also “winds its way through to operational risk,” drawing questions from board members, she added.

Quane continued: “As we embed risk appetite more and more, as we talk about it more, we get out there and actually use it and set limits against it, there are definitely a lot more questions about accumulations of risk that we have—how those cross different lines or different industries.” Noting the particular importance of this for a large commercial insurer, there are “a lot more requests for more information, more data on [the question,] ‘How do these risks add up together?'”

Evolution and Modernization

Essert opened the session with his own observations about the evolution of enterprise risk management for carriers, suggesting a movement from away from entirely quantitative elements of risk management frameworks.

“If I were looking for a succinct way to describe modernization, I would say it’s about putting more emphasis on the qualitative, he said, listing the following activities as more qualitative in nature:

  • Structuring the risk function.
  • Fitting the risk function within the business.
  • Governance.
  • Documentation.
  • Review and challenge.
  • Model risk management.

“Risk management is about more than calculating economic capital,” he said, noting that three or four years ago, carrier risk management was focused on quantitative activities like developing and maintaining exposure information and information on risk occurrences, as wells as valuing expected and unexpected cash flows.

In terms of quantification, Essert says more emphasis today is put on the setting of risk appetite, tolerance and limits and on developing risk-adjusted performance measurements.

As for the overall evolution shift—from quantitative to qualitative activities—the PwC leader said, “It’s natural that quantification comes first.”

“As you build out a risk function, you [have] to have something to report on or govern or review and challenge. You have to have some numbers that make that work.”

“Risk management is about more than calculating economic capital,” says PwC’s Henry Essert.
Besides the efforts of risk leaders themselves, regulation has played a big role in the shift, Essert said, suggesting that the Federal Reserve has put more emphasis on what the qualitative aspects of what an ERM capability should look like. “This is not only at the Fed level and the implications for SIFIs [systemically important financial institutions] or G-SIIs [global systemically important insurers],” he said, noting that state insurance regulators are taking a similar path—”focusing on the qualitative things that need to get developed” with the Own Risk and Solvency Assessments (ORSA).

In addition, he said, “as senior management and the boards get more serious about risk—and particularly about using risk quantification to run the business, they are naturally going to turn attention to some of the qualitative capabilities. In other words, did someone check this? Is there a model risk management program that assures these models are effective? Are people looking and reviewing and challenging the assumptions that go into these calculations? What’s the governance and do we have an appropriate way of documenting what we’re doing?”

CRO Challenges

With modernization comes CRO challenges to deliver information to regulators and boards with limited resources—a fact underscored by audience responses to a polling question about the biggest challenges for carrier risk functions.

PWC Risk Webinar

Allstate’s Verney offered some advice for risk officers facing these challenges.

While it’s tempting to simply react to requests for more data by supplying it, he said he believes that it is a part of the CROs role to help directors and regulators see what it is they need to know to assure that the carrier has an effective ERM framework, and what they don’t need.

“We can step back and say, instead of what they’re asking for, what is it that they should know,” he said. “It’s difficult work and requires both courage and creativity. That’s a not-enough-talked-about part of dealing with the escalation of information requests relative to resources,” he said.

Noting that the ORSA gives companies the opportunity to lay out the risk framework as they see it, Verney offered praise for state regulators when Essert later asked the CRO panelists whether regulators are on the right track—and are requesting the right information.

In contrast to the states, Verney said the bank-centered views of regulators in the international and banking communities mean those regulators have “a real obsession, almost, with current market values of securities as being the key thing to watch—and a very static, almost bureaucratic, way of assessing risk programs.”

Those are things Verney said he’d like to see changed.

“Fundamentally, our risks are things that might hit the right-hand side of the balance sheet not the current market value on the left. This obsession with a run on the bank, which is the least of the probleme of most well-run life insurers and P/C insurers, creates a big blind spot.”

Verney said the work of the National Association of Insurance Commissioners and the states on ORSA “is a great role model”—giving each carrier the opportunity to say, “Here is the way we look at risk and how we govern it that is more attributable to our firm, our culture and the risks that we take on to drive the franchise.”

Forcing transparency and dialogue around that, he said, “is a more difficult path, but ultimately far more effective—and far less likely to focus on one thing while the elephant in the room escapes you.”

Proving Their Worth

Coming full circle in the webinar, from Essert’s early assessment that the risk management function is evolving to more qualitative activities, life and P/C CROs participating on the webinar panel agreed that qualitative measures are appropriate to measure how well they perform their jobs.

Responding to a question about possible CRO performance measures from a life insurance CRO’s perspective, Leslie Chapman, senior vice president, chief actuary and CRO of Securian told Essert, “I start with the phrase no surprises.”

“A CRO’s job is to facilitate risk management at the enterprise in a way that minimizes the size and number of surprises in terms of the balance sheet behaving differently than people expected,” she said, proposing “some metric that would measure what surprised us during the year.”

That highlights two activities of focus for carrier CROs—communication and teamwork, she suggested.

“Communicate, communicate, communicate a great deal about what is on the balance sheet in terms of risk and how much more can we handle in terms of aggregate risk and types of risk,” she advised.

“The second item would be a qualitative thing—some measure of how well the CRO is partnering with the other risk policy-setters at the enterprise—the compliance officer, general counsel, corporate actuary, and internal auditor leader. All those form a team of risk policy-setters that need to work together well and communicate strongly. Otherwise there are going to be gaps or redundancies,” she said.

Building on Chapman’s response, Charles Philbrook, CRO of John Hancock, said, “I don’t think I should be measured off of the hard quantitative risk metrics and limits that we have today. There are those in the organization that are responsible for managing those risks.”

Echoing Chapman, he said, “My job is to avoid surprises….So I do view my role as more soft or qualitative than quantitative.”

“The more comfortable the management team is inviting me into their conversations and discussions, and their planning and their priorities, the better I’m doing my job,” he added.

AIG’s Quane offered that a suitable performance measure for carrier CROs would look at how the CRO “is contributing to value of the firm as well—and in a more a positive way than making sure that the bad thing doesn’t happen.”

While “not having the surprise” is a key goal, CROs can utilize information that they’re monitoring to “communicate and inform” other executives “on the real key things that they’re making decisions around—business mix, growth or shrinkage opportunities.”

Verney added: “What you look for is evidence of risk-return analysis and planning in other leaders’ conversations. So in board discussions, in strategic plan dialogues, in project decisions, in operating plan and business reviews—those things that are led by the rest of the senior management staff. Is there consistent evidence of risk-return thinking, planning and assessment going into the running of the business?”

“The more you see that, the more effective your risk management function is,” he concluded.