Companies originally created the role of the chief risk officer because they “recognized that good risk management is really good business,” according to Michael Steel, former CRO at AXIS Capital.
The role of CRO is a relatively new one for the (re)insurance industry. In 1997, Bruno Porro at Swiss Re became the first CRO in the industry, and other companies quickly followed suit, affirmed Steel, who chairs the Geneva Association’s CRO network.
With the financial crisis in 2008 and 2009, the CRO role received greater profile within the industry, he said during a recent meeting in London held by Litmus Analysis, a company that helps (re)insurers understand ratings and rating agencies.
“I think there was a recognition that what was important wasn’t necessarily the individual risks themselves but the interaction between all of those risks and the need to have frameworks set up to really understand them.”
(Re)insurance companies originally created the CRO role to manage risk within the business, working as a strategic adviser to help create balanced portfolios, develop short- and long-term strategy, optimize capital—supporting the company in its quest to achieve the best returns possible in a difficult market “from both the underwriting side and from the investment side,” said Steel, who is the founding partner of London-based Oxbow Partners, a London-based advisory firm providing advice about strategy, digital, M&A and risk for the insurance industry.
However, in recent years in Europe—particularly with the advent of Solvency II—the CRO’s role has veered strongly into compliance, which really wasn’t its original intent, he said.
As a result, there are different views in the industry about the definition of the role, which range from chief compliance officers to strategic advisers who are also business partners, he affirmed.
It was clear in Steel’s speech that the CRO, who acts as a strategic adviser and business partner, will help the business navigate more successfully over the long term in a difficult market operating environment.
“There are those in the industry who take a passive approach, who look at risk management as a compliance exercise, which they were told to do because the regulator insisted on it…These companies are missing the true value of risk management, and I suggest that over time, the winners will be the ones that have taken a more active approach.”
CRO Skill-Sets
What do these realities mean for the skill-set of the CRO? Steel said the CRO first needs “to be senior enough within the organization or seen to be senior enough within the organization to be a true business partner and a true adviser to the business.”
Secondly, he said, the CRO needs to be able to think about the business from both quantitative and qualitative points of view.
Regulation (such as Solvency II in Europe) has overplayed the quantitative side of risk with its emphasis on internal models, but that’s just one aspect of risk. The CRO also needs to understand the business—what makes the company tick and what makes various lines of business attractive or unattractive, he indicated.
Communication skills are the third attribute for a successful CRO. Communication is “incredibly important” to a large group of stakeholders.
External stakeholders, such as rating agencies, regulators and shareholders, are very interested in risk and how the risk is managed, he said. But the most important stakeholders are the internal stakeholders, which include underwriters, the investment team, the operations team, finance, and the chief executive officer and board of directors.
“We are risk communicators. We wear a number of hats—we are a negotiator, a facilitator and, in some cases, a counsellor, in terms of risks within the business…”
He recalled his tenure as CRO at AXIS Capital, where he would spend four or five hours with each of the rating agencies just on risk management. “We also did an investor day, where we’d be talking to the shareholders about the risks within the business and how they affected the strategy and how that fed through to return expectations. It’s a very broad role that involves dealing and communicating with a lot of different stakeholders.”
Creating Value as a CRO
What is expected from a CRO? Steel told his audience that CROs need to become true business partners and challengers to the business. “You don’t want a passive CRO. You’d be missing out on a lot of the value you get out of the risk function by doing that.”
He suggested that the CRO needs to create the risk framework and the right risk culture and “then step back and let the business get on with it.”
Without a strong risk culture, the risk framework and rules will be ineffective, and “you’ll fail in terms of risk management.”
However, Steel emphasized that the CRO shouldn’t micromanage the business in terms of risk but let the risk culture take hold and provide more steering in terms of the evolving risk framework. “The risk framework should be in the hands of the underwriters and the investment team and the other risk owners,” he said, explaining if they have the right risk culture in which to operate, they feel empowered.
The CRO should use their quantitative skills and models to work with decision-makers to create better key performance indicators (KPIs) to help them make better decisions, he said. “This is how I can help you with the decisions you’re making. Here is why it makes sense to limit our exposures to these certain perils or these certain lines of business.”
During his time at AXIS, Steel said he was involved in the business planning process in order to develop corporate strategy for the short term as well as over a three- to five-year horizon.
He said this process was very valuable because it helped the company determine the best use of capital in current market conditions and projected market conditions, using capital views from rating agencies, regulators as well as the company’s own view of economic capital.
Then you can cast the business plans in the different capital contexts to see which plan works better, he explained.
Using various models, “we helped identify the right characteristics of a new line of business, which would bolster the return, diversify the portfolio and ultimately help reduce capital requirements because of the diversification effect,” Steel said.
“By being part of that process, a CRO can help achieve better outcomes for the firm.”