At times, CROs should be able to move more to the frontline, Willis Towers Watson says
Regulators need to give more flexibility to chief risk officers so that they can take on more responsibility and fulfil a more dynamic role, according to Carsten Hoffmann, director at Willis Towers Watson.
In its most basic form, which Hoffmann calls CRO 1.0, the CRO in an insurance company is primarily focusing on compliance with solvency regulation. However, some insurers, particularly more mature and multinational insurance companies or those in countries with a stronger and more sophisticated regulator, have a more evolved interpretation of the role of the CRO.
“The CRO 2.0 is someone who is involved in business decisions and gives independent advice, like a business partner or a critical friend. This means they are not only being involved once the decision is being sent to the committee or to the board, but asked to help out during the entire process. Ideally, that should be the current status of the insurance industry,” Hoffmann says.
However, a CRO 2.0 has a pure second line of defence role. They are solely doing risk oversight and don’t have any direct business responsibility, which basically means they should not be responsible for any risk taking activity.
Such a situation is unsustainable in the long term, Hoffmann believes. “You have an individual in a CRO role who’s supposed to be a peer, but without the same set or nature of responsibilities. If there’s someone giving independent advice and challenging decisions, but without eventually sharing the same kind of responsibilities, sooner or later business leaders will stop regarding the CRO as a value adding peer and say: ‘you’re rowing in a different boat, why should I listen to your advice? Just tick off our decision!’”
He adds that the CRO should therefore be able – at times – to move more to the front line and be involved in direct risk taking activities, where and when it makes sense. Further, the CRO should also share the kind of responsibility of top management, such as for opportunities not being taken, and ideally from a board position.
In order for this to happen, the governance system has to be more flexible, Hoffmann says. “Regulation, currently interpreted in a very rigid way, would forbid that, and say the CRO should remain in a risk oversight role. I think that’s going to be problematic because, with Solvency II now in place, top management will again focus more on business topics and will be less engaged with risk management. Risk departments are also becoming increasingly subject to regular business pressures, such as head count cuts and efficiency targets. If the CRO is not given the opportunity to add value in this new context, the role of the CRO as a business partner is not possible and is instead reduced to a more compliance and formal-minded role or, in other words, CRO 1.0.”
However, CROs are not destined to move back into CRO 1.0, as Hoffmann believes it is possible for them to evolve into CRO 3.0 within the current regulatory framework.
“My interpretation is that it is possible under Solvency II. However, a lot of regulators currently interpret it as a very rigid form of this three lines of defence system. The risk department is supposed to be second line. But why shouldn’t you adapt the process and say, maybe in certain cases the risk department can take the lead and try to solve a certain problem, while someone else covers the second line and does the risk oversight?”
Hoffmann compares this to football, where a few decades ago the defence players normally did not cross the midfield line, while in modern football there are a lot of changing roles. There are defence players being very offensive while other players are then temporarily fulfilling the defence role. Hoffmann believes this kind of dynamism needs to be possible in insurance as well.
“You can still maintain, in my opinion, sound governance and comply with regulation and supervision, but still give more flexibility and first line potential to the CRO. But for the governance system to become more flexible, we need a certain change in mind-set.”