The role of the chief risk officer (CRO) in European insurance companies has evolved quickly in the last 20 years. Now, I believe that the passage of Solvency II is moving the goalposts again.
As the directive becomes business as usual, I sense that risk functions and their leaders will increasingly be subject to standard business pressures, such as productivity targets, cost-saving objectives, and headcount scrutiny.
To characterise what I mean, a little while ago an industry acquaintance relayed to me a comment that a senior executive at a European insurance company board meeting had made. It went something like: “You risk guys have had your show, and your fancy budgets long enough. It’s time you row in the same boat with us again!”
To put this comment in context, let’s start with a brief recap.
First-generation CROs – CRO 1.0 – had a very distinct task: to develop and implement an enterprise risk management (ERM) framework. Regulation (meaning Solvency II in Europe) kept them extremely busy and very much determined their priorities, because organisations needed to be compliant.
To avoid being seen as the person who kept regulators off the backs of senior managers, CROs soon needed to take an evolutionary step towards a CRO 2.0. This meant getting involved in business decisions to make risk management come alive in the organisation and to become a partner of the business – however, still in a second-line-of-defence role.
But, going forward, CROs relying solely on regulation to justify their budgets and headcounts are likely to find themselves on shaky ground. I believe it could go one of two ways, both constituting extinction of the CRO 2.0:
- The first is that boards and senior executives don’t perceive the risk function in a pure oversight role as adding sufficient value to the wider business, and reduce it in size and importance. This would return the CRO to more of a first-generation practitioner, focusing mainly on compliance.
- The more progressive alternative is that boards and senior executives will demand more responsibility and front-line involvement of the CRO in showing added value. This is the world of CRO 3.0.
CRO 3.0 Identikit
I don’t think the CRO 3.0 differs in personality from CRO 2.0. He or she is still pro-active, has strong business acumen, effective leadership skills, and a flair for communication. So what’s different?
The main difference of the CRO 3.0 is the definition of the role, or the operating range. Notably, CRO 3.0 won’t solely provide risk oversight by indicating and escalating where things might go wrong, have gone wrong or will go wrong. Instead, the third-generation CRO will have to assume operational business responsibility where necessary or where it makes most sense. And ideally, he or she should do so from a position on the management board.
This will ensure that the CRO continues to be perceived as a business partner, someone who is committed to the company’s success and – most importantly – shares the same kind of responsibility as the business leaders. CRO 3.0’s performance will be measured as much by missed opportunities as by things going wrong.
What does this mean for the three lines of defence system, widely used by insurance companies? For the CRO 3.0 role to become a reality, that system needs to become more flexible, such as having someone else take over oversight if the CRO becomes too much ‘first-line’.
There is a parallel with modern football (or what Americans call “soccer”) here. A defensive player now regularly takes an offensive role, while others back him up. As in football, this dynamic adaptation should become the norm, and there should not be a rule that forbids defensive players to cross the midfield line.
What’s Darwin got to do with it?
In the mid-19th century, Charles Darwin defined adaptation as “the alteration or adjustment in structure [or habits], often occurring through natural selection, by which a species or individual becomes better able to function in its environment.” While he didn’t have CROs in mind when he said it, the principles are likely to be useful for insurance CROs across Europe as their remit within, and relationship with, the business evolves.
Guest blogger Carsten Hoffmann specialises in enterprise risk management for European clients with Willis Towers Watson in Cologne. He is a former insurance company CRO himself.