future, virtually all respondents said on a better understanding of risk to improve the company’s risk-adjusted performance. In fact, more than 80% “strongly agreed.”
This move toward using risk in performance management doesn’t imply that insurers should abandon solvency and regulatory uses. Companies and their CROs have enough bandwidth to do both. This is the third shift that we observe.
As recently as 10 years ago, enterprise risk management
(ERM) was still in its formative stage. During those years,
insurers devoted much effort and many resources to developing and testing basic concepts and building a workable
infrastructure to deliver economic capital metrics. That effort
has now borne fruit. As a result, rather than spending to
create the framework, CROs can apply that expenditure to
making better business use of what they have built.
The first enhancement we recommend is to define the roles and responsibilities of the CRO and the risk function specifically, rather than generalizing them as one of many second-line functions. Roles should be defined more precisely than “own and manage” for business owners, “oversee” for risk management, and “independent assurance” for internal audit.
In our recent survey of board members and CROs, we
asked if respondents agreed or disagreed with the statement, “It is important to have a single C-level executive,
other than the CEO, who is the focal point of all risk matters in the company.” Nearly 90% agreed, and nearly 75%
agreed strongly. The CRO’s focal point needs to be more than just overseeing risks, and companies should identify and directly assign the CRO the following responsibilities:
The establishment of the insurer’s risk framework, including the risk taxonomy to be used throughout the insurer;
The measurement of risks, which should include risk quantification when it’s feasible and rankings or prioritization when it’s not; and
Ownership of the risk appetite statement.
Many parts of the organization can and should contribute
to its development, but the CRO should be responsible for
collecting all this input and developing the final version.
There was significantly less consensus in other areas of
the survey. About half agreed and half disagreed with the
statement, “It is important that the CRO not make decisions
to accept or reject risks, as doing so would undermine the
CRO’s independence.” After follow-up discussions with the
respondents, it became clear that the overall appetite should
be the CRO’s responsibility, but business owners could make
tactical decisions consistent with that appetite.
Very little enhancement is needed in defining the internal
auditors’ role. The Institute of Internal Auditors provides a
fulsome description: “To be effective, internal audit needs
a free hand to investigate matters in risk management and
elsewhere. But the function should be careful to ensure that it
does not develop and propose alternatives.”
Lastly, the governance framework needs to more
directly embrace models and model risk. Models are critical
decision-making tools for insurers. Model risk management
provides the ability to add value to business decision-
making. For example, assessing a model’s conceptual soundness is risk management’s responsibility. This is particularly
the case for any risk-based decision-making embedded in
Risk management is appropriately removed from business activity and has the overall enterprise-wide risk
perspective necessary to make that assessment. On the other
hand, the model owners could do (and periodically re-do)
much of the work of replicating calculation accuracy.
WHERE TO NEXT?
It’s easy for an insurer to say it follows the three lines of defense model. However, if it wants to leverage risk management to improve business performance, then it should take a closer look at the roles that specific functions should play and assign clear responsibilities at a sufficiently detailed level to establish whose job is on the line in the event of a risk governance failure.
Henry Essert (email@example.com) is PwC Insurance Risk Management Leader, focusing on ERM, compliance, and management’s and directors’ respective roles and responsibilities in managing risk.
Model Falls Short
Where does the “three lines of defense” model fall short in the evolving world?
Not surprisingly, the three lines of defense model focuses on defense. Its description of roles and responsibilities accords well with an implicit assumption that the task at hand is to keep risks under control. Less clear is who’s responsible for:
1. Searching out and assessing new emerging risks and opportunities;
2. Identifying disruptive technologies and other existential threats to the business model; and
3. Assessing these impacts on the enterprise and the potential strategies that insurers could use in anticipation of them.