What can a CRO do after the decisions have been made and plans set? The short answer is ‘plenty’ according to Willis Towers Watson’s Mike Wilkinson and Dave Ingram.
Business planning for most insurers wrapped up a few weeks ago. For a chief risk officer (CRO) these sessions offer a key opportunity to share insights on the risks companies may face in the coming year, provided they have a seat at the table. But that’s not the case in some companies. Even when it is, they might have limited opportunities to voice their concerns or be brought in too late in the process to exert the level of influence they would like.
So what can a CRO do after the decisions have been made and plans set? The short answer is — plenty.
Since planning and strategy discussions are focused on future business activities, it’s important to review your current risk management plan to assess whether changes need to be made. Decisions made during the planning process may result in increases to some activities and decreases to others. This shift could mean that activities that were immaterial in the past could become significant in the future; prior decisions on which risks to prioritize in the enterprise risk management (ERM) program should be revisited so that risk management is sufficiently forward-looking rather than just looking back at what’s already happened.
Risk tolerances and limits, metrics and reports should be reconsidered. Risk modeling should establish whether different analyses are now needed, including whether some items should be separated to reflect changing risks, others combined, or more complex or simpler techniques used. Essentially, the CRO should ask, “Does the ERM program appropriately reflect the business as it is now and will be going forward?”
Here are eight things to consider — although ideally these should be integral to the planning process itself:
1. Board visibility: For reporting purposes, many insurers look at their risks as falling into prioritized tiers. For example, Tier 1 goes to the board, Tiers 1 and 2 are discussed by the executive group and risk committee, and Tier 3 comprises the remaining risks. After planning, the CRO should reassess the tiers so the board is notified of the most important risks (e.g., whether any Tier 2 risks should now be Tier 1, or vice versa, and any new risks introduced by the planning activity). Of course you need to stay vigilant as risk preferences may also have changed. While it may be tempting to keep adding new risks to Tier 1, the structure and board communication can become less effective if the Tier 1 list is too large. Many firms maintain a list of top risks, often called the “top 10 risks” for convenience, which are monitored continuously by the board, although 10 should be a maximum number rather than a target.
2. Key risk indicators (KRIs), risk measures and risk reports: KRIs should mean exactly that; therefore, the KRIs should follow the risks that are fundamental to delivering the strategic objectives and shorter-term business plan, which, by implication, incorporate critical solvency and regulatory requirements. Typically, these will link to key planning assumptions that can be tested. As an example, stress and scenario testing may find that the performance (both volume growth and improving profitability) of a major distribution channel or business line is critical to achieving the plan, in which case KRIs should be developed to monitor these.
3. Risk mitigation approaches: Changes in the plan could mean that risks will need to be treated differently and different analysis is needed. For example, there may be new products with different exposures or investment decisions changing asset allocations. So, for instance, if the planned allocation of an asset such as mortgage-backed securities is tripled, it may need different asset liability management treatment to better reflect the specifics of the cash flows. Or in current plans, there may be a special class of buildings in a book of property insurance that has become significant enough to warrant special rules. In the past, you applied a general approach to risk mitigation of large claims (e.g., to limit the size of building that you will insure). But on further examination, you may find the market is much more willing to take a large deductible in exchange for an increase in the total limit.
4. Review of risk targets, limits and checkpoints: The plan naturally provides many of the targets. By incorporating them into the ERM process, you have just joined the team instead of constantly trying to play defense against your own offense. Limits can provide the level of acceptable deviation from the plan. This enables everyone to get on board with the idea that the limit just documents what everyone agrees would be an unacceptable situation or too much of one risk. A much trickier task is the development of ideas in advance on how the company can deal with a scenario of having too much success (e.g., because of limits of capital/capacity, capability to manage and concentration concerns). Once you have settled the limits, checkpoints can be put in place in between the target and the limit to flag potential issues.
5. Updating of model assumptions: While this is done annually for the business plan, you’ll want to consider the impact of planning decisions. If planning assumptions differ from historic trends, there should be a clear understanding of why the future will be different, and the potential level of variation and impact examined via stress and scenario testing. Equally, the frequency of potential changes to risks should be considered. These should feed back to the design of the management information, KRIs and thresholds for limits and warning flags.
6. Updating model output reports: Reporting should reflect the current risk profile of the business as it is, and as it is expected to be. But inflexible reporting approaches create a problem for the strategic CRO because consistency, when applied to risk reports, may not let you feature the information that’s likely to be most important to management. This may lead to a conclusion that two versions of the model output reports are needed — one that features the newest, hottest activity and one that is consistent. Watch what the sales reports do. See if they favor consistency or relevance, and be careful about just adding more to the reports. Whatever the approach, it needs to be targeted to the audience and facilitate better board understanding.
7. Capital allocations: Capital planning will normally be done from a finance perspective as part of planning. But the strategic CRO will spend some time considering whether the expected changes to the firm might invalidate some explicit or implicit assumption of the allocation process that’s been used, including diversification. There are dozens of allocation schemes and each one starts with different assumptions about the objectives of the allocation process, the interactions of the risks of the firm and links to the risk limit framework. And in some places, the choice depends upon the regulatory regime. The strategic reaction may be to recommend modification to allocations or to provide additional information about the impact of the existing allocation scheme on reporting of results under the chosen course of action.
8. Projections of future profits and return for risk: With the above changes, you can tentatively develop updates to prior calculations of projected return for risk taking. As with the capital allocation, care should be taken with any other allocations of other company activities. Ideally, this will be undertaken in conjunction with the planning process before it’s complete. However, if it can only be completed afterwards, it should provide a key input to plan monitoring and KRIs. This can also be a helpful way of positioning the CRO to play a more active role in the next planning round.
Changes made during the business planning process will require extra consideration. The strategic CRO will want to match, as closely as possible, the thinking of the planning group in order to assess the emerging experience and risks as the plan unfolds. This also involves aligning the risk management plans and activities as much as possible with business and planning cycles to stay relevant throughout the year.
Mike Wilkinson is a Senior Director in Willis Towers Watson’s Insurance Consulting and Technology practice, based in London.
Dave Ingram is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers.