Elevating the risk function in insurance: Building a strategic advantage

Today, banks use risk management to help drive strategic development for growth. This is a comprehensive approach to risk that insurers should aspire to emulate, especially as new risks are emerging more quickly and creating new challenges.

According to a 2023–24 benchmarking survey from McKinsey, leading European insurers should look to reorganize their risk functions, build out the necessary capabilities, and elevate the status of chief risk officers (CROs) within the leadership structure. This will allow them to address the rapidly changing risk landscape and position the company to use risk management as a strategic advantage.

Emerging risks and challenges

One sign that risks are emerging at a rapid pace is that most insurance CROs use early-warning KPIs for a broader set of risks than those deemed material under their Own Risk and Solvency Assessment (ORSA). For example, while only 20 percent of insurers consider data and technology risks in their latest ORSA, 50 percent of CROs are using early-warning KPIs to gauge those risks. The notable exception is climate risk: 60 percent of respondents cite climate risk as material, but just 25 percent have an early-warning KPI in place (Exhibit 1).

Exhibit 1: Emerging risks already have early-warning KPIs in place, even if they are not yet included in the Own Risk and Solvency Assessment.

In fact, many emerging risks feature prominently in companies’ risk taxonomies today, including data and technology, cyber, and climate risk. And, according to our survey, several challenges are adding to the complexity of the CRO task. One of the most notable is a scarcity of talent—both attracting and retaining it. Half of the survey respondents said they are having difficulty finding talent to fill roles in data and technology, cyber risk, and nonlife underwriting.

Moreover, talent problems exist to some extent in all areas of risk management (except in financial crime, according to our survey participants). This shortage of skilled personnel in the industry hinders insurers from fully capitalizing on the opportunity of artificial intelligence and generative AI. In our experience, companies must train the teams they have but be clear about the specific skills they need.

Alongside talent, respondents said that increasing data, analytics, and data interconnectivity across products and platforms is critical to improving cyber risk preparedness. Managing cyber risk is becoming a strategic priority for the second line, drawing significant investment and requiring strict prioritization. Insurers have access to large amounts of sensitive data that need protection. Even sophisticated, large carriers with significant investments in cybersecurity are not immune to such threats. In addition, the costs of cyberattacks are on the rise because of increasing fines, business losses, and remediation costs, and they often have significant reputational impact as well.

The key to success for carriers in the second line of defense is to conduct targeted reviews based on cyber risk scenarios and triggers for risk threats. To address resource constraints, the risk team should understand key risks facing the carrier; credibly challenge internal policies, procedures, objectives, and performance; and provide the board and executive team with an independent view of the first line’s program, including its testing.

Another major challenge area for risk remains climate. With mounting natural catastrophes and scientific forecasts for a continued upward trend, investors and regulators are increasingly demanding that insurers better understand their climate risk exposures and be ready for nonlinear, abrupt changes in climate patterns. For carriers with significant commercial or personal property positions, investments in advanced climate analytics are becoming required capabilities, especially in combination with access to third-party data.

Our survey found that climate risk ownership is split among participants, with some assigning it to the CRO and others to the chief sustainability officer. Most participants see gaps in all areas of their climate risk framework. The reporting framework seems to be the most advanced area of preparedness, followed by exposure strategy and investment in data and analytics to baseline portfolio emissions (Exhibit 2).

Exhibit 2: Climate risk, led by the chief risk officer or chief sustainability officer, currently appears to focus on reporting and baselining.

Interestingly, however, most participants seemed unfazed by the climate stress test methodology of the European Insurance and Occupational Pensions Authority (EIOPA). Some stated that it has limited applicability to them, while others said they are already fully in line with its recommendations.

Looking at the broader topic of sustainability, our survey found that the board, shareholders, employees, and regulators were the key influences on company efforts—despite the widespread perception that retail clients’ opinions are driving actions to mitigate reputational risks.

Transforming the risk function

Across all insurers in our survey, it is clear that the role and status of the CRO, as well as the risk function itself, must evolve to address emerging challenges. Among our survey’s respondents, the size of the risk function varies broadly from 0.07 percent to 2.8 percent of the total workforce (0.8 percent on average), while the average risk budget represents only 0.3 percent of operational expenses. These findings imply varied operating models with no market best practice.

As for the actual role of the CRO, along with risk-based decisioning, managing the relationship with the CEO and board of directors, communicating the company’s risk position, and aligning the organization’s overall risk appetite and framework are becoming core activities. Only 34 percent of survey participants said that the second line has veto power on important decisions today, and just 17 percent said business units’ decisions are often changed as a result of a collaboration with or challenge from the risk team (Exhibit 3).

Exhibit 3: Managing the risk position up to the CEO and board has become a core activity for chief risk officers.

Inconsistent adoption of best practices

In our work with organizations, we have identified four best practices for involving risk in decision making, and none of these have been fully adopted by insurance companies in our survey. At best, these practices are often only partially implemented.

  • Explicit processes for risk dialogue. Two-thirds of our respondents have fully implemented processes to ensure that a comprehensive risk dialogue occurs, even in instances when time or confidentiality constraints prevent the use of normal corporate processes (for example, sudden opportunistic investments).
  • Transparent criteria for decisions. Two-thirds of our respondents have fully implemented a transparent set of criteria that the risk function applies to key event-driven decisions (for example, impact on volatility, capital, and the regulatory remediation program).
  • Involvement in strategic decision making. Half of our respondents said the CRO is fully and consistently involved in strategic decision making, with the right to either veto or escalate a strategic decision—overruled only by the CEO. The impact on the overall risk profile, appetite, and risk strategy is consistently considered in making strategic decisions.
  • Active risk mitigation. Just a third of respondents said that they are actively mitigating risks to the fullest extent prior to commitment (for example, pilots and staging). It is somewhat concerning that 17 percent report having no active risk mitigation whatsoever.

Next steps

In terms of next steps for insurers looking to improve the risk function and integrate it more completely into daily decision making, we suggest fully implementing the four best practices described above, while keeping the following goals top of mind as they continue to transform the risk function:

  • elevate the risk function to the forefront of the strategic agenda; give the CRO a seat at the table, with appropriate CEO and executive committee touchpoints
  • rethink the risk function operating model in terms of lines of defense, ensuring the right governance for risk management and efficient and effective interactions with business units and other control functions
  • ensure that risk has appropriate resources in terms of talent and analytics capabilities
  • use the risk function as a source of competitive edge—not only as a control function—by, for example, considering results from postmortem analyses and involving risk in financial planning and strategy building

Today’s rapidly developing risk landscape demands a new, more forceful, and swifter approach to assessing and responding to risk. While corporate leadership does involve the risk function in its decision-making process, the transition from a consultative unit to a real thought partner is far from over. CROs need a seat at the table with genuine authority, resources, and support to reorganize their risk functions, build out the necessary capabilities, and influence business decisions. Elevating the risk function in this manner will allow insurers to transform risk management from its historic role as a control function to a source of strategic advantage to grow the business.