A survey by consultancy Crowe UK has revealed how CROs are being asked to drive greater efficiency and effectiveness in their processes. Ronan McCaughey explains the implications
Insurers' risk and compliance functions "are increasingly being asked to do more with less" as efficiency considerations rise up the agenda, according to Crowe UK's research.
With this topic in mind, the consultancy surveyed insurers and financial services companies earlier this year to assess how they are looking to improve the effectiveness and efficiency of their risk and compliance teams.
The consultancy received 31 responses to its survey. Insurers comprised the majority of respondents (87%), with the remainder coming from other financial services companies. Most of the responses (68%) involved large businesses with more than 500 employees.
The survey revealed that nearly half of chief risk officers (CROs) have been asked to examine the costs of risk and compliance in the last year, and over two-thirds at some point in the last three years. According to Isaac Alfon, managing director at Crowe UK, if you haven't been asked yet, it's probably only a matter of time before you are.
The survey found that although a sizeable minority do not perform independent reviews, those who do undertake them tend to believe risk and compliance in the first-line is more efficient.
The most frequent challenge for companies in addressing effectiveness and efficiency is the lack of risk and compliance skills and resources in the first line (39%). The lack of skills and resources in the second line followed closely at 29%.
Process inefficiencies
Processes, reporting and systems were viewed as the greatest sources of inefficiency and ineffectiveness for risk and compliance functions, the data reveals.
All respondents thought they were taking the right risks, but a majority (58%) felt they needed to improve processes and systems used in the business to manage risks.
Overall, enhancing risk systems, policies and processes were highlighted as the top areas that need to be fixed for risk and compliance functions.
Structural ambiguities
The survey showed a lack of clear boundaries about the lines of responsibilities are also challenging insurers' risk and compliance teams. It found a real mix in the structure of second-line oversight, with a majority of CROs (58%) combining the reporting lines for risk and compliance. CROs are responsible for compliance at 81% of retail-focused insurers and 36% of wholesale insurers, including Lloyd's of London.
For line 1.5 teams – which refers to a dedicated team in the first line responsible for delivering risk and/or compliance management activities – Crowe UK noted there is not yet an established practice in the industry, with 39% of respondents having a separate first line risk and/or compliance team, but 61% without.
It also emerged that respondents who have a line 1.5 team tend to be less confident they are taking the right level of risks – or have an efficient operating model.
Overall, the industry survey highlighted the risk and compliance operating model "is still a work in progress that has not yet converged".
Alfon comments: "The role of the first-line in risk and compliance management varies, and some companies consider reliance on a dedicated team (i.e. a line 1.5 or 1b) as a stepping stone to embedding in the first line.
"A lack of convergence in operating models and different first-line roles means resource benchmarking is inaccurate as a tool to assess the cost-efficiency of functions."
He says clarifying responsibilities can help to create efficiencies, and the second line can help to free-up time in the first-line through streamlining manual processes and reporting design, and using technology and artificial intelligence.
This would enable the first-line to focus more on managing risks and achieving the right risk management outcomes, rather than seeing risk and compliance as a process exercise, Alfon says.
Make the case
Looking ahead, Alfon stresses the need for many companies "to restate why risk management is important beyond regulatory compliance, articulate what the benefits are, and enter into a dialogue with the wider business as to how best to achieve effective and efficient risk and compliance".
Commenting on the topic, Lukas Ziewer – a former CRO for Athora and MetLife who now runs his own consultancy business, Fuseki Risk Insights – tells InsuranceERM: "Insurance risk teams had a very strong power base in the run-up to Solvency II and all eyes were on the risk function. I think that has led to risk teams and many risk leaders being overly focused on building models and running models, and sometimes I think the opportunity was missed to build a powerbase for using these models and decision making."
With management focus shifting towards efficiency, Ziewer adds: "CROs' power base is eroding and there is a bigger question as to why do we need the size of some risk teams? Why does the risk function need to do X, Y and Z and could we not fulfil those tasks through other departments, such as actuarial and finance?"
Ex-CRO's view
Speaking to other CROs, Ziewer reports they are increasingly being asked to be more independent "and that erodes them from having a real say in decisions".
"People acknowledge the need to have a strong risk function, but in the pressures of business, a focus on the cost base and the lack of efficiency in certain risk processes are more top of mind."
Echoing points from the Crowe UK survey, Ziewer adds with IT and technology risks there has always been a question where it sits and who has responsibility for it.
In Ziewer's view, the focus on efficiency and effectiveness is contributing to the talent pipeline challenges for the risk management community. He says: "A career within insurance risk management for a new joiner is no longer as attractive as my peers and I would have had it.
"Risk management is no longer attractive from a career-building stage and succession to CROs is coming all too rarely from within teams."
Ziewer thinks the focus on efficiency and effectiveness could lead to smaller and leaner risk teams "especially as too often risk processes are too slow to really have an impact".
He says: "People are running around doing risk and control assessments that don't lead to any real insights and change. There is a need for better designed and better run processes, and I think technology is a necessary part of the solution, particularly in operational risk."
While agreeing with this point around automation and process improvement, Crowe's head of consulting Justin Elks believes the layering of risk and compliance processes has led to an appropriate challenge around resource and cost.
"Good CROs aren't generally interested in building their own empires or power bases, but are more interested in how risk is understood and integrated into decision making across the organisation. This makes them embrace the challenge of improving efficiency, as a route to getting to a more embedded, more effective approach."
He continues "I don't agree that a career in risk management is necessarily less attractive today. In my view it is becoming an increasingly collaborative role with an increasing focus on outcomes as opposed to processes and models. While hard power might decrease with a smaller function, soft power increases – as does the value of the seat the CRO has at the table. So it continues to provide an attractive challenge and opportunity for the right candidate, and has the potential to have ever increasing influence and impact."
Being asked to look at the cost of risk and compliance isn't necessarily a threat. Instead, it can provide an opportunity to move the functions from adolescence into adulthood, as Elks explained in this InsuranceERM article published in June.
Channels:Risk management
