By STEVE TUCKEY, who has written on insurance issues for a decade for several national media outlets
The near meltdown of the world's No. 1 economy two years ago produced few images more compelling than that of U.S. Treasury Secretary Henry Paulson genuflecting before House Speaker Nancy Pelosi, begging for a $700 billion blank check to stave off Armageddon.
After all, if anyone deserved the title "master of the universe," it would be the former Goldman Sachs chief who had to be cajoled into taking the demotion that was the Treasury Secretary position.
So he might be forgiven at that moment for cursing all the risk management strategies that had to go awry for him to have to prostrate himself before a mere vote-grubbing, ward-heeling politician to put the universe he once mastered back in some semblance of working order.
As the dust cleared and the trains started running again, rethinking those errant strategies became something more than a mere academic enterprise once the consequences of failure became so frighteningly apparent.
As a part of that process, the role of the chief risk officer (CRO) has come under intense scrutiny as just one of the many pieces of the puzzle that may help prevent a recurrence of our national near-death experience.
But just how can you turn this role into one meaningful enough to perform a task that can often be as unpleasant as the one traditionally ascribed to the Federal Reserve chairman: taking the punch bowl away once the party gets rocking?
Independence seems to be the answer.
Earlier this year, Carl Groth was named chief risk officer for rapidly growing insurance company Torus Insurance Holdings Ltd., which is comprised of units in London, Bermuda, India and the United States.
As a direct report to CEO Clive Tobin, Groth enjoys the kind of access and stature needed for him to perform his job effectively, he said. The number of CROs with top-level access is on the rise, which is good news for CROs and risk control throughout the enterprise.
Groth, based in Jersey City, N.J., said that reporting to the chief financial officer, which is common in the insurance industry, is increasingly recognised as not creating the desired level of independence to perform primary functions. "While I understand the company needs to maintain a business plan, the means to which that is done needs to happen without unduly exposing the company," he said.
If risk management consultant James Lam feels somewhat proprietary about the CRO term, it could be because he claims to be the first officer to hold the sobriquet. For him, the lessons of the events of late 2008 can be traced to the fact "that not enough CROs stood up against what was happening in their organizations."
As a result, not only are more CROs directly reporting to the CEOs, but CROs are also establishing reporting relationships with company boards. "For many organizations, the CRO has discussions and debate with the board in the absence of other executives very much like the chief audit officer," he said.
Boards are evolving too, along with the CRO role and duties. "Eight years ago, when I started James Lam Associates, I would say 10 percent of my work was directly related to the board. Today, I would say it is about two-thirds. I think the board has really picked up in terms of its role in enterprise risk management."
Former insurance regulator and current Richmond, Va.-based Deloitte Touche director Steven Foster said the last two years have been a wake-up call for insurance regulators.
"If you look at some of the guidance put out by the National Association of Insurance Commissioners (NAIC), while they don't specifically call for a chief risk officer, it is very clear they now expect companies to have a formal risk management framework in place and expect it to be sufficiently independent," he said.
Foster advised that, while he discussed CROs reporting to the CEO as what some of his clients are doing or considering, the NAIC has not taken a position. That raises the question of just how well the insurance industry performed when in the fall of 2008 the scale of the financial collapse became evident.
Industry executives and state regulators have taken great pains to convince federal lawmakers that no insurance company deserves the designation of posing a systemic risk to the economy for fear of the penalties that would impose. In a sense, they were patting themselves on the back while the question of how justified such self-congratulations are has now arisen.
The insurance industry line has been that it was the unregulated London unit of AIG that brought the company to its knees. It now turns out that many state-regulated insurers were trafficking in those potentially lethal credit default swaps as well.
Foster and others, therefore, realize the insurance industry will not be immune from the post-meltdown soul-searching to come up with just the right kind of C-level executive shuffle needed to prevent future catastrophes.
"I think with most of our insurance clients, if you talk to CFOs and others, they have taken a fresh look at how they manage risk, and many of them, if not most, have created a chief risk officer position," he said.
His Deloitte colleague, Scott Baret, said the post-meltdown period has been one of maturation for the first generation of CROs. "There is a huge maturity process that has taken place in the last two years in regard to the expectation that boards, regulators and what I will call broadly external stakeholders have of the risk management function."
But companies are still wrestling with the question of developing just the right framework in which the chief risk officer has enough independence without having the CEO and board totally abrogating their duties.
Foster recalled that, in his previous life as a regulator some 15 years ago, insurers with compliance organizations of varying degrees of effectiveness, trying to find just the right formula, had the same kind of discussions that are going on today. "Should the chief compliance officer have direct access to the audit committee, to the board and the compliance committee? These were critical issues then and still are now," he said.
Mark Puccia, managing director for Standard and Poor's, agreed that the insurance industry performed relatively well in the wake of the stresses to the market and attributes that in part to the enterprise risk management focus in the past decade. "But just the nature of things that happened were more relative to banks," he said. "Who knows? The next time around they could be more relative to insurance."
As a leader in promulgating enterprise risk management principles through its financial ratings, S&P remains agnostic as to whether companies should have a chief risk officer and, if they do, whom that officer should report to. "What we want to see is risk management empowered and that the senior management team believes in risk management and operates under appropriate ERM principles," he said. "How they get it done is indifferent to us as long as they get it done."
He said that any organization that had an ERM culture embedded in it would probably find it easier to operate without a CRO. "But to the extent that you have an organization that has to come up with a learning curve and embed ERM principles into their thinking, then a CRO will facilitate that process," he said.
While a consensus seems to be forming over a CRO reporting directly to the CEO, Puccia said there still remains the concern that, should a CRO then come up with his own economic capital models and risk-based capital formulas, the CFO's traditional authority in that area could be undermined. Lam contends that there is really no overlap in the function and duties of the two roles.
On the other hand, a CRO who has unfettered access to the board and reports directly to the CEO will provide a needed counterbalance to both operational managers and the CFO. "And indeed, this will give the CRO an enterprise view of risk, and the correlation of risk, and understanding that the capital needs are determined by the interrelationship of risk," he said.
Oddly enough, Puccia said that, while the insurance industry itself may have embraced ERM principles more so than other industries, its domestic regulators have yet to do so with an equal degree of enthusiasm, especially compared with their U.K. and E.U. counterparts. "They have said one thing and done another," he said.
All that will evolve, of course, particularly as the Solvency II insurance regulatory standards come into place in the next couple of years. "It all dovetails into that. The NAIC is looking at to what extent going forward do they to look like Solvency II," said Foster.
Today, Lam estimates there are thousands of CROs throughout the world with countries such as Singapore and Indonesia requiring the position. That's quite a leap from that day in 1993 when Lam asked his boss in the new capital markets unit GE Capital was forming at the time what he should put on his business card. "I asked him what my responsibilities were, and he said it was in the middle and back office in the capital markets business that included credit, market and strategic risk, along with that of operations," he said.
He recalled that at the time chief information officers were coming to the fore to integrate differing technologies such as mainframe client-server architectures and the then-nascent Internet. "And so I said why not call myself the chief risk officer with responsibilities to integrate strategic, financial and operational risk while elevating it to the C level," he said.
As one of the countless legacies of that decision, Groth now faces the challenge of embedding the strong risk management culture into the day-to-day decisions of Torus' business managers--a process he calls a "work in progress."
Groth previously led Deloitte's U.S. insurance enterprise risk management practice and advised companies on Solvency II-related issues. At Torus, he oversees business units supervised by Bermuda, U.K. and soon U.S. regulators offering commercial, excess and surplus, and reinsurance products.
Groth has to make sure the various units are in compliance with their authorities and is confident that he will embed a program that satisfies all regulators, along with Solvency II directives, when they come to full force.
Capitalized at more than $1 billion, the company has a board committee that has a risk oversight role and ratifies key issues related to risk management strategy, risk policies and appetite.
Among his unique challenges, Groth said, rapid growth associated with the company's early stages of building out its platforms presents additional risks without a proper enterprise-wide view of risk. He sits on a capital and risk committee with Tobin and CFO Ian Campbell and other Torus executives. The committee's main function is to keep an eye on that ball.
He has what he terms three lines of defense with business and supporting functions presenting the first line. ERM experts under his guidance performing risk analytics functions make up the second, with internal audits providing the third hedge against nasty surprises down the road.
All the right flow charts in the world will not amount to much when alarm bells go off without a top executive willing to take the right actions instead of demoting or firing the alarmists. The best scenario by far remains no alarm bells at all.
Keeping the bells silent starts from the ground up. "Ultimately, you have to have managers internalizing ERM principles as they operate their business so they think about risk-return, risk-reward features all throughout the day," said Puccia.
May 1, 2010
Copyright 2010© LRP Publications