APAC Insurance CRO survey 2017–2018 Empowering for transformation


Contents

• Introduction
• Profile of the respondents
• Operationalizing the three lines of defense model
• Enhancing the risk appetite framework
• Developing and implementing the risk culture and conduct frameworks
• Strengthening the management of cyber risk across the organization
• Preparing for and addressing key regulatory challenges
• Positioning adequately for emerging trends
• Engaging in the digital transformation of the risk management function
• Key contacts


Introduction

About the survey

This Asia-Pacific (APAC) Insurance Chief Risk Officer (CRO) survey has been undertaken with the aim of gaining insights into the role that CROs and risk functions play among insurers, and the key priorities of CROs in the short and medium term.

This survey has been designed to qualitatively understand the changing dynamics in the outlook of the risk function and the manner in which the CRO role is evolving. To that extent, we assessed CROs’ ability to contribute indirectly to value creation, identified the key challenges they face and their priorities as a result of changing regulatory requirements and an unstable economic environment, and collected their views on the evolving role of technology in the industry and how they manage the risks associated with it.

Our findings this year call for the continued empowerment of individual accountabilities, in particular across the three lines of defense, to manage risk. This includes enhancing the risk appetite framework and developing and implementing risk culture and conduct frameworks. This is critical for insurers to be successful in transforming their business in response to numerous internal and external pressures. Our results explore this further in the areas of emerging risks, including cyber, the overabundance of regulatory change and the digital agenda already on our doorstep.

Our respondents

We spoke to a spectrum of leading life and non-life insurance companies, reinsurers, and prominent insurance groups headquartered in APAC, which specialize in multiline insurance business generating sizeable premiums and with an extensive global reach. Each of these firms has its own unique proposition to offer and is a market leader or trendsetter in its respective area of specialty.

EY sincerely thanks the CROs and companies that shared their insights with us out of their busy schedules to enrich the content of this year’s survey.


Profile of the respondents

We interviewed 22 group or regional CROs with the following profile:

[Charts: Respondents profile by region (Australia; ASEAN; Greater China), by insurance and by business (Insurer; Reinsurer; Life; General; Composite).]

The vast majority of respondents surveyed have had a risk team for more than five years and about two-thirds have had the CRO as part of the executive team for more than five years.

Fig. 1: How long ago was the risk team created?

[Chart categories: 1-2 years; 3-5 years; Greater than 5 years ago.]

Fig. 2: How long has the CRO been a part of the executive team?

[Chart categories: Less than 1 year; 1-2 years; 3-5 years; Greater than 5 years ago.]


Regulatory requirements and mandate from the board and management were the main motivations behind the building of a risk management capability.

What have been the motivations behind the building of a risk management capability:

1. Regulatory and compliance drivers

2. Board mandated

3. Management driven

4. Need for specialist capability

5. Public perception

6. Shareholder and activist demand

Even though the risk functions of most respondents were established a long time ago, the scope of their responsibilities continues to evolve over time. Thirty-six percent of the surveyed CROs have been given new responsibilities over the past year, such as:

• Reviewing potential data breaches

• Measuring and driving risk culture

• Providing input into asset liability management (ALM) and investment risk oversight

• Establishing a quality assurance “line 2.5” between the second and third lines of defense

• Expanding into other areas of the business

Fig. 3: Have you been given new responsibilities or authority over the past year?

[Chart: Yes 36%; No 64%.]

More than three-quarters of the respondents think that the CRO has a responsibility to ensure that the company grows:

“While growth is not the primary focus of the CRO as a member of the executive team, the CRO has a responsibility to support shareholder returns and this includes sustainable growth in the investment, and input into risk-adjusted returns is a key component of this — as is the need to ensure a robust system of controls is in place to support business growth and ensure appropriate conduct.”

Fig. 4: Does the CRO have a responsibility to ensure that the company grows?

[Chart: Yes 77%; No 23%.]


Consistent with last year’s survey results, CROs find it difficult to evidence that the risk function is adding value — in the eyes of the internal stakeholders.

They get mostly informal feedback from management and sometimes from the first line.

As a good practice, some respondents have implemented risk culture and “voice of the customer” surveys to take the pulse of their stakeholders across the organization.

When asked about the risk team’s biggest accomplishments over the past 12–24 months and which areas they expect to devote significantly more attention to in the next 12 months, the responses varied between Asia-Pacific respondents. This notably reflected the diversity of Asian respondents and the relative maturity of Australian CROs. Yet, risk culture is at the top of the CROs’ agenda across the Asia-Pacific region.

“[I receive] unsolicited invitations to project meetings, leadership meetings, strategy meetings, working groups, product meetings, client visits, etc. suggesting that, beyond a standard risk governance framework, risk’s advice is being sought.”

Biggest accomplishments over the past 12–24 months

Areas getting significantly more attention in the next 12 months

Asian respondents

• Own Risk and Solvency Assessment (ORSA) improvement

• Operational risk management

• Development of an integrated risk management system together with a proper risk appetite framework

• Capital management initiatives

• Risk culture

• Cyber risk and information security

• Enterprise risk management (ERM) framework

• Investment risk

Australian respondents

• Risk reporting and dashboards

• Incident management

• Risk culture

• ERM framework

• Embedment and up-skilling of first line and greater risk accountability

• Conduct and culture

• Governance, Risk and Compliance (GRC) tools


Operationalizing the three lines of defense model

Commentary

Ninety-five percent of respondents, surveyed across Asia-Pacific, have adopted a formal three lines of defense (LoD) model, with the remaining insurer indicating that they are working toward implementing this model.

Fig. 5: Does your company adopt a formal three-LoD model?

[Chart: Yes 95%; No 5%.]

Key findings

CROs acknowledged that the three-LoD model works well in design, but that it presented difficulties when implemented in practice.

A majority of CROs identified that the greatest challenge with the three-LoD model is delineating the roles between the first and second line. In particular, CROs recognize the need to strengthen their first line and ensure their risk ownership and accountability.

Despite these challenges, CROs are already actively thinking about or starting to implement ways to enhance the operating effectiveness of the three-LoD model. These include the following:

• Training is provided through workshops to enhance risk understanding and awareness with a desire to promote a risk management culture across the insurer.

• A line 1.5 function is created where the second line is actively working to develop first line’s capability to own their risks. CROs see that the line 1.5 function would eventually be phased out, allowing the first line to operate independently, and the second line to be a challenge and review function over risks.

• Performance assessment is linked to the responsibilities of day-to-day activities in risk management. Some insurers indicated that they are introducing risk management indicators in the first line as part of their performance appraisal system.


“The three-LoD model is giving a false sense of security to the board — if there is a failure in the first line, there is a failure in the second line. Then it means there is a failure in all the three lines. In that sense, strengthening the first line is the main challenge.”

“The three-LoD model works well, but the only problem that can arise is in scenarios where the first line does not want to own up to the risk, and doesn’t believe their job involves managing the risk.”

What can we learn from the banking sector? Key findings from the Eighth annual global EY/IIF bank risk management survey:

Banks recognize that operationalizing the model, and making it effective and efficient, is, if anything, more challenging than designing the broad-brush framework. Four elements stand out:

• Make risk management smarter, faster and more cost-effective: Reducing costs cannot undermine the need for strong risk management and controls.

• Wean off people-dependent risk management: Traditionally, financial institutions have depended heavily on adding head count in risk and compliance because of tight regulatory and remediation deadlines. There are now signs that people-dependent risk models are not sustainable.

• Develop a new talent strategy: Financial institutions will have to compete much harder to recruit, retain and motivate talent that can operate in contexts of not only risk, but also in technology.

• Drive standardization: Standardizing, automating and centralizing testing capabilities are an important vehicle for weaning off a people-dependent model.


Enhancing the risk appetite framework

Commentary

Risk appetite framework

Ninety-five percent of respondents have a formal risk appetite statement (RAS) in place. A significant proportion of RASs (41%) are qualitative with little quantification of statements.

Respondents seem to converge on the hierarchy of appetite, tolerances and limits. All use a top-down, or a combination of top-down and bottom-up approach in developing the framework to ensure alignment.

A majority of respondents (73%) express the RAS broadly and use tolerances and limits to control the level of acceptable risks. We have observed increased adoption rates of operational risk (86% already in place and in development) and franchise value (50% already in place and in development) in corporate risk appetite as compared with the survey results last year (operational risk 40% already in place; franchise value 0% in place and in development).

Quantitative limits for operational, interest rate and equity risks continue to develop across respondents with further efforts required for full adoption of quantitative limits.

A majority of respondents (73%) take the RAS into consideration when writing business.

Capital and stress tests

Most respondents indicate the importance of regulatory capital due to the lack of internal models. A few respondents in Australia indicate capital benefits with internal model use. One respondent, for example, faces higher restrictions on regulatory capital in meeting local requirements.

While regulatory capital helps to understand drivers and impact, it may not measure all risks well (e.g., operational risk).

Stress tests based on the regulatory capital framework have been widely adopted to fulfill local reporting requirements. Most of the respondents (64%) applied individual shocks to each risk type. Shocks are then combined via correlation tables. The frequency of the stress-testing exercise is usually annual, although more frequent reporting (e.g., monthly) is observed at some insurers.

Better practices:

• Involving management early in the design of stress scenarios

• Considering stress-test scenarios from head office for consistency

• Stochastic models, simulations of balance sheet and profit and loss (P&L), and copulas

• Developing a distribution curve for each operational risk identified

Forty-two percent of respondents have an Internal Capital Adequacy Assessment Process (ICAAP) that has not reached stability. Areas to improve on include:

• Reviewing number of stress tests and increasing level of scenario testing

• Wider coverage of risks (e.g., liquidity risks)

• Enhancing Key Risk Indicators (KRI)

• Evolving with business (demonstrating a stronger link with business)


Fig. 6: Which of the following metrics do you use in your corporate risk appetite?

[Bar chart comparing 2016 and 2017. Legend: In place; In development; No metric; Already in place; Not in use. Metrics: Regulatory capital; Liquidity; Credit rating; Operational risk; Total profit; Operating profit; Economic capital; Franchise value; Economic profit.]

Fig. 7: For which of the following risks have you set quantitative limits?

[Bar chart comparing 2016 and 2017. Legend: Quantitative limits in place; No quantitative limits in place. Values shown, per risk:]

• Liquidity: 75%, 25%, 77%, 23%
• Insurance and underwriting: 8%, 92%, 82%, 18%
• Interest rate: 9%, 91%, 55%, 45%
• Equity: 68%, 32%, 100%
• Credit: 8%, 82%, 18%, 92%
• Operational: 67%, 33%, 50%, 50%


Key findings

Emerging practices

• Insurers continue to enhance their risk appetite to better inform decision-making, including risk oversight.

• There are examples where risk appetite has been used to inform reinsurance purchase, business acquisition and underwriting. This reflects greater alignment of the risk management infrastructure and the business drivers.

• Mature organizations recognize the need to align behaviors and culture with risk appetite — this remains work in progress.

Key trends observed

• Better linkage between business plan, risk appetite framework and capital

• Moving toward economic capital in the long run

• Revision of stress tests to have wider coverage of key risk events

Insurers continue to improve the links among business, capital and risk. Setting quantitative limits to all risks continues to be the challenge.


Developing and implementing the risk culture and conduct frameworks

Commentary

There is ongoing work in developing and implementing frameworks for the management of risk culture and conduct risk.

While significant progress has been made over the last two years in thinking about approaches to risk culture, progress has still remained slow.

Less than one in two (45%) insurers across the APAC region have developed a risk culture or risk conduct framework.

The maturity of risk culture elements is largely in development. The elements of goal setting, remuneration and defining a target state are proving to be the leading places to start the development of risk culture frameworks.

Measurement and quantification of risk culture and conduct risk continue to be a challenge.

Fig 8. The three lens approach

“The three lens approach” combines perceptions, mechanisms and outcome data to gain an objective view of a firm’s culture:

• Perceptions: interviews; focus groups; identify root cause

• Mechanisms: policies; processes; governance; management information

• Outcomes: breaches and near misses; consequence management; customer complaints analysis and trends

[Diagram labels: Outcomes; Behaviors; Risk management framework; Organisational structure; Organization capability; Talent management; Leadership; Risk appetite; Risk transparency; Capabilities; Tone at top; Governance; Roles and responsibilities; Strategy; Relationships; Responsiveness; Motivation.]

The EY assessment approach

• Hypotheses based on industry and client experience are tested

• The assessment answers the “what” and “why” question and outlines root causes of behaviours and outcomes

• The outcome of our assessment is “intervention-based” and outlines high-impact initiatives that will build on current strengths and address current weaknesses

• Apply 80/20 approach to survey design and data collection: standard questions and data requests supplemented by tailored questions for the specific drivers of the assessment (i.e., focus on conduct)

• Build a risk culture dashboard to provide the executive committee or non-executive directors committee with a frequent “pulse check”


“Yes, [we have implemented the risk culture framework] three years ago. We have defined our risk culture through the espoused values with links to the remuneration framework, annual engagement survey, and the reward and recognition program.”

Fig 9. Have you developed a risk culture framework?

[Chart: Yes 45%; No 55%.]

Fig 10. Rate your organization’s maturity against the following risk culture framework elements

[Bar chart. Legend: Mature; Progressing in maturity; No action taken. Values shown, per element:]

• Developing action plans for risk culture: 5%, 64%, 31%
• Risk culture in remuneration: 14%, 59%, 27%
• Risk culture in product development: 9%, 59%, 32%
• Defining a target state of risk culture: 18%, 50%, 32%
• Risk culture in goal setting: 50%, 32%, 18%
• Reporting measurements to management committee: 50%, 36%, 14%
• Developing tolerances for key culture metrics: 36%, 55%, 9%


Key findings

The focus on conduct risk is clearly uneven across APAC with wide variations between markets, where regulators explicitly discuss conduct risk. There are jurisdictions where elements of conduct risk are embedded in other regulations, and jurisdictions where conduct risk has yet to emerge as a regulatory focus. However, a growing number of regulators in the region are seeking to understand the steps firms are taking to manage conduct risk. Many firms are also beginning to better define conduct risk and incorporate its considerations right across the employee life cycle: recruitment, performance assessment, training, incentives and remuneration. In many jurisdictions, there has been an emergence of formal conduct risk frameworks, with dedicated teams supporting a conduct risk program.

We believe widely divergent conduct risk practices within the region will continue — largely correlated to the level of regulatory focus in home markets. Differences at the country level are largely due to different regulatory expectations and approaches to conduct risk. Larger firms and those headquartered in the US or Europe, where regulators have set high conduct risk management benchmarks, tend to have more advanced practices. Nonetheless, in 2018, we will continue to see an increased focus on conduct risk governance and measurement, frameworks, conflicts of interest, and people practices.

Fig 11. Have you developed a risk conduct framework?

[Chart: Yes 45%; No 55%.]

Fig 12. Rate your organization’s maturity against the following risk conduct framework elements

[Bar chart. Legend: Mature; Progressing in maturity; No action taken. Elements: Roles and responsibilities of the board and senior management-related committees designated to conduct risk; Metrics in risk appetite statement for conduct risk and reporting; Target framework for conduct risk.]


Strengthening the management of cyber risk across the organization

Commentary

The maturity of understanding, measuring and governing cyber risks has come a long way over the last 12 months.

Organizations now clearly understand that cyber-attackers do not just target money or credit card details, but also valuable data, including customer data. The damage caused by a major data breach will not only be financial, but will also have a significant reputational impact on the organization.

Despite the material improvement in understanding cyber risks and potential impacts, risk teams are struggling to bring cyber expertise into the second line — this is mainly a function of skills shortage.


Fig. 13: Has cyber risk been incorporated into strategic planning?

[Chart responses: Yes; No. Values shown: 59%, 41%.]

Fig. 14: How much of your team (time and headcount) is devoted to cyber security? Please specify the number of full time equivalent (FTE)

[Chart categories: 5+; 1-5; 0.]

Key findings

Relationships between the CRO and the chief information and security officers appear to be in development and are improving through increased engagement.

Measurement of cyber risks, including tolerances related to risk appetites, seems more detective and reactive in nature. That is, there is reporting of post-event incidents and intrusions, rather than more proactive metrics that show the cyber risk management capability of an organization (things like training and awareness programs, patching programs and frequency, and vulnerability management).

Cyber risk scenarios do not appear to be consistently embedded in organizations’ crisis management response frameworks (relying on more traditional building outage or pandemic preparations) or scenarios (preferring more financial risk event scenarios).


Preparing for and addressing key regulatory challenges

Commentary

Current and anticipated future challenges: The CRO’s role continues to evolve away from the traditional risk and regulatory compliance role into becoming a partner with the business with greater influence over the strategic direction of the firm.

Fig. 15: 2017 — Can you describe the role of the risk management function in the following key processes?

[Bar chart. Legend: Process owned by Risk and CRO; Influence and approve; Risk has limited influence. Processes, with values shown where attached to a process:]

• ERM — installation and maintenance of risk framework
• Risk appetite setting
• Risk measurement and reporting
• Risk tolerance and limit setting
• Stress testing — design
• Stress testing performance and reporting
• Model risk management
• Model validation
• Model governance
• Capital management: 77%, 9%, 14%
• Reinsurance program design
• Reinsurance program execution
• Oversight or reserving and valuation
• Technical provision
• Investments: 14%, 86%
• Strategic decisions (M&A): 9%, 91%
• Risk mitigation: 86%, 14%
• Setting of asset strategy: 23%, 77%
• Product design and pricing: 27%, 73%
• Underwriting: 59%, 41%


Fig. 16: 2016 — Can you describe the role of the risk management function in the following key processes?

[Bar chart. Legend: Process owned by Risk and CRO; Influence and approve; Risk has limited influence. Values shown, per process:]

• Risk appetite setting: 100%
• Risk tolerance and limit setting: 92%, 8%
• Stress and scenario testing: 83%, 17%
• Model validation: 42%, 33%, 17%
• Model governance: 25%, 17%, 50%
• Capital management: 25%, 75%
• Risk mitigation: 25%, 8%, 67%
• Reinsurance: 67%, 25%, 8%
• Business strategy: 75%, 25%
• Product approval: 67%, 25%, 8%
• Investments: 17%, 67%, 17%
• Strategic decisions (e.g., M&A): 33%, 67%
• Reserving: 67%, 25%
• Technical provision: 50%

Fig. 17: What impact does the current regulatory environment have on business strategy?

[Chart categories: Significant positive impact; Insignificant positive impact; No impact; Insignificant negative impact; Significant negative impact.]


Fig. 18: Time allocation of risk function to regulatory vs. business matters

[Bar chart comparing 2017 and 2016. Categories: 70% regulatory and 30% business; 50% regulatory and 50% business; 30% regulatory and 70% business.]

Key findings

The role of the CROs continues to evolve from traditional organizational compliance with the risk management frameworks and regulatory agenda to spending more time on strategic drivers and business matters within the firm. This is reflected in the shift from the previous year with CROs spending more time devoted to business matters than regulatory matters.

When asked how much CROs owned, influenced or had limited influence over business processes, most indicated that they had an increased influence or approval over key processes, showing that the remit of the CRO office continues to expand and evolve over time.

“Three to five years from now, possibly, the CROs’ role is to be a key go-to person for the CEO and heads of businesses to engage in relation to business strategies.”

“The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before.”

Implementation of new regulatory and supervisory requirements remains a key industry focus, with specific regulations on top of the agendas in Asia, including Risk-Based Capital 2, IFRS 17 Insurance Contracts and China Risk Orientated Solvency System. CROs in Australia are more concerned by the local requirements: Life Insurance Framework, Emergency Service Levy, Banking Executive Accountability Regime, Australian Securities Investment Corporation regulatory work and Parliamentary Joint Committee inquiries. The respondents have very mixed views on the impact of the current regulatory environment on the business strategy, yet 50% still think there is a positive impact.

“One of our biggest challenges is the heterogeneity of local regulatory requirements.”

As insurers eye the path forward, they must consider existing and future laws and regulations regarding data protection, consumer privacy and cybersecurity.

“Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore.”


Positioning adequately for emerging trends

Commentary

Emerging risk management continues to play a critical role in how insurers manage risks.

Fig. 19: A typical emerging-risks radar for CROs

[Radar diagram labelled CRO. Sectors: Political; Economic; Environmental; Technological; Social; Legal. Risks shown: Declining margins from legacy products; Catastrophe risk; Climate change; Fintechs; Technological advancements (continuing threat); Regulatory compliance risk; Overpopulation issues; Changing consumer expectation; New competitors and new ways of doing business; Internet of things; Cybersecurity; Risk areas that CROs are unaware of; Expense risk and medical inflation; Risk models being overly complicated; Sustainability and affordability of existing products; Political intervention; Autonomous vehicles; Legacy infrastructure and systems, which prevent being up-to-date with competitors; Risks with artificial intelligence (AI); Consumer regulation.]


Key findings

For all the variation across individual companies, there is consensus that the universe of emerging risks is expanding, with CROs facing a broader range of more-severe risks in 2017 and in the years to come (refer to Fig. 19).

The CRO’s role in emerging risk processes includes:

• Facilitating process with the business

• Reporting to the risk committee or board

• Providing feedback to the business units

• Serving as a link to business and strategic planning, to ensure these processes are responsive to emerging risks

An insurer’s understanding of cyber risks, 5–10 years ago, was mostly nonexistent. Now, it is on the agenda of every board. There are dedicated responses to managing cyber as well as capitalizing on the opportunity it brings through the development of cyber insurance. Risk functions are clearly investing in this capability. With the onset of new business models, such as the digital agenda, robotics, telematics, internet of things and insurtech, it is clear that many insurers need to understand what the next emerging risk is.

How do risk functions need to evolve with the emerging landscape?

• Increase role in business and strategic planning

• Continue to challenge role of management

• Create heightened sensitivity and importance at the executive table

• Increase level of monitoring, challenge and reporting

• Greater involvement throughout strategy setting beyond “rubber stamping”

• Responding to an increasing pace of change

Half of the respondents have only used written communications to communicate internally on the potential exposure to geopolitical events. Some good practices involved the use of these events within stress testing and scenario analysis.

Fig. 20: How does risk management evaluate and communicate potential exposure to the geopolitical events that have occurred or could occur (e.g., Brexit, French presidential election, US presidential election)?

[Chart categories: No evaluation or communication is done; Other*; Training or information sessions; Written communications (email and visual materials).]

* Examples include “Ensuring these geopolitical events are factored into the base and stress scenarios”, “Quarterly risk profile updates to the Board Risk Management Committee”, “Evaluation performed at Group level and provided to local CRO” and “Inclusion in Top risks and emerging risks presented to the executives and the Board.”


Engaging in the digital transformation of the risk management function

Commentary

The challenges of developing the risk function’s capabilities include stagnating budgets, scarce specialist resources and balancing people vs. IT.

Fig. 21: Compared with a year ago, has the size of your risk department:

[Chart categories: Decreased; Stayed the same; Increased.]

Fig. 22: Compared with a year ago, would you say that hiring and retaining good talent is:

[Chart categories: About the same; Easier; Harder.]

Fig. 23: Do you expect dedicated business-as-usual risk function budgets to materially increase, decrease or stay at similar levels going forward?

[Chart categories: Materially increase; Stay similar; Materially decrease.]


Fig. 24: The plans for the budget of the risk team are:

[Bar chart. Response options: To stay the same; To decrease; To increase. Plotted values: 77%, 23%, 0%; the pairing of values with options is not preserved.]

Fig. 25: Is the proportion of your budget allocated towards FTE vs. technology, going to:

[Bar chart. Response options: Stay the same; Decrease; Increase. Plotted values: 59%, 27%, 14%; the pairing of values with options is not preserved.]

Key findings

The actual results regarding the size of the risk department are mostly in line with what was expected based on last year’s survey — no surprises at least on that side.

Perhaps, this is due to the fact that hiring and retaining good talent has not improved in one year, and that dedicated budgets have not changed dramatically year-on-year in one direction or another.

Going forward, the vast majority of respondents do not expect the dedicated business-as-usual risk budgets to change.

In terms of where these budgets would go in priority, people still have the lead over technology.

In terms of specialist skills, surveyed CROs are especially looking for expertise in cyber and IT security, data analytics and big data, machine learning, anti-money laundering and AI. These talents are very scarce for now and risk functions need to think of ways to overcome this challenging shortage.

“Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore. Specific competencies in cybersecurity, financial technology, negotiation, EQ and collaborating with others will help to facilitate risk advisory, analysis and mitigation actions.”

As the risk function grows in maturity and needs more specialist skills, it is required to improve its cost effectiveness and demonstrate its value so as to be able to invest more going forward. But as it enters the digital age, the risk function needs to find the right balance between poaching (scarce) talent and investing in the new technologies, which will help build the momentum.


Commentary

Outlook for the CRO role in 3–5 years.

“(1) More attention to IT and data security is required as more businesses are done digitally and more processes are automated.

(2) More integration is required between risk, compliance and financial crime second-line activities.”

“With strong risk culture, the CRO will have the comfort that all interests are aligned and the CRO will be in a better position to further optimize risk taking.”

“The issue that CROs will battle with could be different and unexpected. In Asia, there is the prospect of more focus on market-consistent solvency frameworks, as regulators mature. Equally maturing regulations could mean that customer outcomes and fairness have become a key consideration for CROs, especially those responsible for compliance functions.”

“The role of the CRO in 3-5 years’ time may tilt more towards (a) Strategic risk advisory vs. risk oversight, (b) Preemptive actions vs. ex-post and knowing all the factors (c) Resiliency vs. incident management, and (d) Coach to first line vs. just being at second line of defense.”

“Continued increase in business and strategic planning. More efficient and real-time risk metrics and reporting.”

“The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before. I see the role of CRO as developing beyond being a reactive role to regulatory pressures, to be a very proactive and nimble proactive and evolving role.”

“As more complex risk management will be performed within the line 1 functions, the level of monitoring, challenge and reporting of the risk function will increase.”


Commentary

Engaging in the digital transformation of the risk function.

Key findings

In last year’s survey, under the headline “In the battle between investment in people and in technology, it is people that win every time,” we noted that “CROs recognize the need to continuously improve their existing IT capability; however, we see CROs being hesitant to increase their investment in new technologies.” Even though some of the previous results tend to show the same facts, it needs to be pointed out that almost a third of respondents have plans to look into offshoring, robotics or other forms of efficiency gains to help manage costs in the Risk teams. More precisely, robotics, AI, machine learning and data analytics are increasingly mentioned as being explored for risk and compliance activities (e.g., AML screenings).

Risk functions encounter several technology constraints that restrict them practically from their desired level of monitoring and reporting of risk, mostly data quality (integrity, availability and completeness) and complexity of multiple systems (legacy, fragmented, siloed, incompatible, disparate and inconsistent).

A broader enablement of the risk function is necessary, so that it can gain in efficiency when providing more insightful management information (MI) for the consideration of the board and senior management. This is why some risk functions have embarked on a journey toward their digital transformation through the development and use of tools, such as GRC, visualization, robotics, big data, analytics, AI and machine learning.

Example of leading practice from a respondent:

Digital transformation continues to be focused on the customer interface. Increasingly, firms are building — or planning to build — technology solutions that fundamentally change the way insurers operate, so they can deliver the digital promise to customers speedily and cost-effectively.

Beyond the interactions with customers, risk functions will increasingly have to consider how to change their approach to manage the shift in the firm’s risk profile resulting from digital transformation, and be agile enough to enable innovation. Over time, risk functions will have to leverage technology to improve risk management, and become technology innovators rather than spectators.

Even if the main focus of insurance CROs is on talent, it is important that someone is tasked with establishing the “risktech” strategy:

• What gaps need addressing?

• What options exist to enable risk?

• What are the pros and cons?

• How are you scanning the rapidly changing market?

“We use big data and analytics tools to support our net promoter score (NPS) surveys to help strengthen our insights into complaints and customer dissatisfaction. We are currently looking at other analytical tools that can be used for quality assurance (QA) and due diligence purposes, which we may implement once evaluated.”

“We are in the early stages of assessing AI and other analytics to various elements of risk management.”


Key contacts

Kent Wong, Australia

Thomas Kagermeier, EMEIA Insurance FRAC Leader

James Brigham, Australia

Rick Marx, US

Pierre Santolini, Singapore

Jonathan Zhao, Asia-Pacific Insurance Leader

Sumit Narayanan, ASEAN Insurance Leader

Grant Peters, Oceania Insurance Leader

Bonny Fu, China (mainland)

Hiroshi Yamano, Japan

David Scott, Singapore

Phil Rodd, Hong Kong

Yong Joo Han, South Korea

Patrick Menard, Singapore

Tze Ping Chng, Hong Kong

Brandon Bruce, Malaysia

Nonglak Pumnoi, Thailand

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.

EYG no. 00469-184Gbl


In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com