Role of a Chief Risk Officer


Published on

Published in: Business, Economy & Finance

Role of a Chief Risk Officer

  1. 1. Role of the CRO Bob Lautensack Henry McMillan Michel Rochette Sim Segal May 11 2007Enterprise Risk Advisory, LLC
  2. 2. (1)Main Roles of a CRO: CRO is NOT the Risk Manager of the Risk Managers! Leader, facilitator, integrator, coordinator of risk rather than a manager of risk. Create a culture risk awareness within the organization. Formally bring consideration of risk into the strategic decision making. Develop a center of excellence for managing risk using the skills sets of individual risk managers. Communicate to all stakeholders – internal and external – about risk. Bring the BIG PICTURE PERSPECTIVE!Enterprise Risk Advisory, LLC 2
  3. 3. (1)Main Responsibilities of a CRO: Develop, maintain, and update risk governance framework:  Risk policies, risk appetite and risk limits.  Risk infrastructure, process and reporting.  Risk integration and links between risks. Coordinate with business line:  Risk training  Risk assessment and action plans  Incorporate risk elements in performance metrics  Ensure lines of business have risk capacity both in personnel and risk systems.Enterprise Risk Advisory, LLC 3
  4. 4. (1)Main Responsibilities of a CRO: Senior management:  Advice on risk issues in strategic decision making  Provide aggregated and detailed reports on risk in line with risk appetite and limits  Keep management appraised of industry standards Committees:  ALM, Credit, Operational, IT, Security External Party liaison  New regulatory risk initiatives: Ex. NAIC Corporate Governance for Risk Management Act.Enterprise Risk Advisory, LLC 4
  5. 5. (1)Skills Required: Some quantitative skills but not be a polymath: analytical, understands the models and bright! Excellent understanding of the supply value chains of your organization: See the links between risks that the risk silos don’t see! Strategic and tactical thinker. Ability to understand business issues. Ability to compare risk and reward. Leader/ educator in terms of promoting a risk culture. Project manager of risk initiatives. Ability to synthesize a lot of data and see trends and potential impact on company. Communication skills are a priority because a CRO is a C-level Executive: written and oral.Enterprise Risk Advisory, LLC 5
  6. 6. (1)Differences between Actuaries and CRO Actuaries:  CROs:  Emphasize high  An analytical background is quantitative skills sufficient  Specialize in a field:  Overall view of the Valuation, pricing, risk… businesses: Integrative view. Can see the links.  Risk field: focus on  Some risk can’t be measurement of risk quantified but doesn’t mean that they can be managed.  Communication with peers  Communication to a broad audience, internal/external.  Build links with business  Usually function with other units where risks are actuaries in actuarial managed. departments.Enterprise Risk Advisory, LLC 6
  7. 7. (2)Internal: Interaction with the Board 92% report on risk to their Board of Directors at least annually 12% Once a month 53% Once a quarter Twice a year 15% Once every year 11% Other 1% Do not formally report 8% TP 2006 ERM SurveyEnterprise Risk Advisory, LLC 7
  8. 8. (2)Internal: Interaction with SeniorManagement More frequent than with the Board, about 40% monthly Once a month 39% Once a quarter 35% Twice a year 8% Once every year 6% 5% Other 7% Do not formally report TP 2006 ERM SurveyEnterprise Risk Advisory, LLC 8
  9. 9. (2)External: Interaction with ShareholdersThe majority (61%) of respondents indicate theyreport on risk to shareholders at least annually Once a month 4% Once a quarter 18% Twice a year 8% Once every year 27% Other 4% Do not formally report 39% TP 2006 ERM SurveyEnterprise Risk Advisory, LLC 9
  10. 10. (2)External Interaction with Regulators62% of the participants formally report on risk to regulators 4% Once a month 18% Once a quarter Twice a year 3% Once every year 32% Other 5% Do not formally report 38% TP 2006 ERM Survey Enterprise Risk Advisory, LLC 10
  11. 11. (2)External Interaction with Rating Agencies 63% report on risk to the rating agencies at least annually Once a month 0% Once a quarter 6% Twice a year 6% Once every year 48% Other 3% Do not formally report 37% TP 2006 ERM SurveyEnterprise Risk Advisory, LLC 11
  12. 12. (2)Internal Communication of Risk(75%) provide reports on key risk exposures and risk management activities tothe executive committee or Board of Directors Regular reports to executive 75% committee/board of directors On an ad hoc, as-needed basis 45% Regular reports to CRO 32% Risk “dashboards” at the risk category, business or corporate 29% level Regulatory reporting formats 25% Other 4% TP 2006 ERM Survey Enterprise Risk Advisory, LLC 12
  13. 13. (2)External Communication More common with European insurers (68%) North America (26%) Provide separate information to rating agencies 59%Separate section devoted to risk management 45% in annual report Provide supplementary information to 32% regulators Use regulatory reporting formats 31% Provide separate information to financial analysts 18% Do not externally communicate with stakeholders 14% Hold focus groups with key customers/suppliers/community 3% TP 2006 ERM Survey Other 4% Enterprise Risk Advisory, LLC 13
  14. 14. (3)Decision Making by CROS: Risk/Control High Level position => High level involvement Oversight role, not a cop! Must exist at the same level as CFO. Areas of focus:  Risk identification, particular emerging risks  Risk approval process of new initiatives making sure that all risks are taken into account  Risk exception authorization  Risk prioritization and escalation.  Risk mitigation strategies and alternatives  Risk compliance and business continuity.  Risk communicationEnterprise Risk Advisory, LLC 14
  15. 15. (4) Risks under CRO’s Purview Now Financial risks:  Interest rate (97%)  Equity(81%)  Credit (asset default/migration) (80%)  Liquidity (41%) Demographic risks:  Mortality (92%)  Lapse ( 84%)  Longevity (73%)  Policy holder behavior (58%) Operational risks (70%) TP 2006 ERM SurveyEnterprise Risk Advisory, LLC 15
  16. 16. (4)Risks under CRO’s Purview: Emerging Reputational Risk (52) Regulatory Risk (40) Human Capital Risk (40) IT RISK (35) Financial, Market, Credit and Insurance Risk (30) Crime, security, political, natural hazard, FX, Terrorism, Country Risk (20) Source: Economist Intelligence Unit, 2005 Max Scale: 100Enterprise Risk Advisory, LLC 16
  17. 17. (5) TOP RISKS Economic risks:  Credit losses are at historical lows: Risk of downturn is increasing. No spill over yet from SubPrime meltdown.  Political risks are increasing everywhere.  Liquidity risk: private equity, structured deals.  Thus: Scenarios and Stress tests still RELEVANT. Compliance with the new regulatory environment:  NAIC Corporate Governance For Risk Management Act  Solvency II.  Principles-based  Others: AML Monitoring and identifying emerging risks:  Longevity risk. Impact of new lifestyles, drugs on health.  Extreme events: Avian Flu, terrorism and business continuity  Concentration of risks and links between risks.Enterprise Risk Advisory, LLC 17
  18. 18. (6)Reporting relation of the CRO The person responsible for risk management most often reports to the CEO (45%) Responsible for Risk Management To Whom Primarily Reports CEO 45%Chief Risk Officer 43% CFO or Financial 24% Chief Fin. Officer 18% Director 17%Risk Management Board of Directors Committee 16% COO 4% Chief Actuary 8% Risk Committee 4% Head of Internal 1% Other 6% Audit Other 14% TP 2006 ERM Survey Enterprise Risk Advisory, LLC 18
  19. 19. (7)ERM Culture Evolutionary process: Must see a trend in a company from:  Existing risk identification in silos.  Start establishing links between risks: Ex. Natural Hedge between life and annuity operations.  Start being proactive in risk assessment: Forward looking, not just reporting on existing situation.  Embed risk analysis in new initiatives – new product, new IT system, M & A,  Communicate internally and externally about your risk situation.Enterprise Risk Advisory, LLC 19
  20. 20. (7) ERM Culture: Enshrined in organizationswhen: Business lines takes the initiative on risk issues: Behaviors have changed. Prevention: Scanning for risks, consciously choosing the risks we want to retain, then managing them proactively. Detection: Early identification of risks from internal or external sources. CRO focuses only on emerging risk. Recovery after risk occurrence and learn quickly: continuous improvement. Risk analysis becomes as important as revenue generation: activities are evaluated on a risk-adjusted basis. Compensation becomes tied to risk.Enterprise Risk Advisory, LLC 20
  21. 21. (8) Risk Appetite: Definition: Risk appetite is defined as the organization’s willingness to accept risk in pursuit of its strategic objectives. Risk appetite is assessed against the organization’s key drivers of success: financial and non financial. The establishment of the statement on risk appetite is intended to guide employees in their actions and ability to accept and manage risks. Preferable if determined from top down rather than bottom up. Define metric: Debt rating, earnings volatility.Enterprise Risk Advisory, LLC 21
  22. 22. (8) Risk Appetite: Link with overall strategic goal.  Ex. Insurance financial strength rating or desired debt rating - which implies a desired capital to keep that rating over a given time horizon-. Translate into day-to-day management:  Allocate risk appetite to each type of risk by setting up appropriate limits including the zero tolerance risk.. Ex. Fraud..  Allocate risk appetite even for the non quantifiable risk: Ex. Reputation risk. Firm not willing to compromise its reputation.  Define risk tolerances around that risk appetite.  Communicate internally and externally: Build expectations about risk. When risk materializes within limits, markets will not react as they have already built it into their pricing.Enterprise Risk Advisory, LLC 22
  23. 23. (9) Challenges of the CROs Ensuring that the organization is in compliance with the ever changing regulatory environment. Informing the Board about significant risk issues. Assuring business continuity and prepare for crisis: crisis management and fight inertia to do so. Monitor emerging risks: Operational, reputation, environmental. Get an integrated picture of risk: Establish links. Embed risk management in day-to-day operations. Linking risk management in capital management.Enterprise Risk Advisory, LLC 23
  24. 24. (9) Challenges of the CROsImproving the risk measurement and quantification 77% processes Acting to manage the risk profile of your 64% organization Improving internal risk reporting processes 63%Ensuring that risk management considerations are 59% explicitly factored into decision making Improving the risk identification and prioritization 54% processes Establishing a risk framework and/or risk policy 53%Improving education and internal communication of 46% risk management principles and approach Establishing a risk management organization and 42% governance structure Improving external communications 14%Incorporating risk management considerations into 8% incentive compensation Other 1% TP 2006 ERM Survey Enterprise Risk Advisory, LLC 24
  25. 25. Thanks Ellen Bull, Librarian at the SOA for useful references and help for my two presentationsEnterprise Risk Advisory, LLC 25