Archive for the ‘Chief Risk Officer’ category

Whose Job is it to do ERM?

January 28, 2014

“We are not big enough to need ERM.” says the smaller company CEO.  “So we all do it together.”

But what is everyone’s job is no one’s responsibility.  No one is held accountable for how or even whether ERM functions actually happen.

If a company wants to have ERM, then they must make assignments – assignments to individuals.

This process, these assignments, are what RISKVIEWS calls Risk Organization.  Everyone does not need the same Risk Organization, but everyone who is serious about ERM needs to clearly assign responsibility for the identification, measurement and management of risks.

This week’s post on the WillisWire series on ERM Practices is about Risk Organization:

This is Part 4 of a 14 part series on the ERM practices that support an ORSA. The other pieces in that series so far are:

Risk Measurement

RISKVIEWS has also posted discussions of Risk Organization.  Here are a few examples:

Sean Ringsted, ACE Group, Named CRO of the Year

December 2, 2013

Insurance Risk Awards 2013: Chief risk officer of the year: Sean Ringsted, Ace

Sean Ringsted has been Chief Risk Officer and Chief Actuary for ACE Limited since 2008.  Ringsted is responsible for the continued development and implementation of ACE’s risk management strategy and processes, and for ensuring a consistent risk management framework across the company. Ringsted also oversees all major actuarial functions, including reserving, pricing, and capital performance measurement. Ringsted’s previous roles at ACE include Chief Actuary for ACE Group from 2004 to 2008, Executive Vice President and Chief Risk Officer for ACE Tempest Re from 2002 to 2004, and Senior Vice President and Chief Actuary for ACE Tempest Re from 1998 to 2002. Mr. Ringsted holds a Bachelor of Science in biochemistry from Bristol University and a doctorate in biochemistry from Oxford University. He also is a Fellow of the Institute of Actuaries (FIA).  Ringsted is also chairman of the North American CRO Council, which has been increasingly active in promoting best practice in risk management and is gaining respect from regulators and standard-setting bodies at a domestic and international level.

The Enterprise Risk Management program at ACE from their annual report.
As an insurer, ACE is in the business of profitably managing risk for its customers. Since risk management must permeate an organization conducting a global insurance business, we have an established Enterprise Risk Management (ERM) framework that is integrated into management of our businesses and is led by ACE’s senior management. As a result, ERM is a part of the day-to-day management of ACE and its operations.

Our global ERM framework is broadly multi-disciplinary and its objectives include:

  • support core risk management responsibilities at division and corporate levels through the identification and management of risks that aggregate and/or correlate across divisions;
  • identify, analyze, and mitigate significant external risks that could impair the financial condition of ACE and/or hinder its business objectives;
  • coordinate accumulation guidelines and actual exposure relative to guidelines, risk codes, and other risk processes;
  • provide analysis and maintain accumulation and economic capital and information systems that enable business leaders to make appropriate and consistent risk/return decisions;
  • identify and assess emerging risk issues; and
  • develop and communicate to our business lines consistent risk management processes

ACE’s Enterprise Risk Management Board (ERMB) reports to and assists the Chief Executive Officer in the oversight and review of the ERM framework which covers the processes and guidelines used to manage insurance risk, financial risk, strategic risk, and operational risk. The ERMB is chaired by ACE’s Chief Risk Officer and Chief Actuary. The ERMB meets at least monthly, and is comprised of ACE’s most senior executives, in addition to the Chair: the Chief Executive Officer, Chief Financial Officer, Chief Investment Officer, Chief Claims Officer, General Counsel, Chief Executive Officer for Insurance – North America, Chief Executive Officer for ACE Overseas General, and our Chief Executive Officer for Global Reinsurance.
The ERMB is provided support from various sources, including the Enterprise Risk Unit (ERU) and Product Boards. The ERU is responsible for the collation and analysis of two types of information. First, external information that provides insight to the ERMB on risks that might significantly impact ACE’s key objectives and second, internal risk aggregations from its business writings and other activities such as investments. The ERU is independent of the operating units and reports to our Chief Risk Officer and Chief Actuary. The Product Boards exist to provide oversight for products that we offer globally. A Product Board currently exists for each of the following products; property/energy, marine, casualty, professional lines, aviation, and political risk. Each Product Board is responsible for ensuring consistency in underwriting and pricing standards, identification of emerging issues, and guidelines for relevant accumulations.
ACE’s Chief Risk Officer and Chief Actuary also reports to the Board’s Risk & Finance Committee, which helps execute the Board’s supervisory responsibilities pertaining to ERM. The role of the Risk & Finance Committee includes evaluation of the integrity and effectiveness of our ERM procedures and systems and information; governance on major policy decisions pertaining to risk aggregation and minimization, and assessment of our major decisions and preparedness levels pertaining to perceived material risks. The Audit Committee, which regularly meets with the Risk & Finance Committee, provides oversight of the financial reporting process and safeguarding of assets.
Others within the ERM structure contribute toward accomplishing ACE’s ERM objectives, including regional management, Internal Audit, Compliance, external consultants, and managers of our internal control processes and procedures.

Reinsurance Protection
As part of our risk management strategy, we purchase reinsurance protection to mitigate our exposure to losses, including catastrophes, to an acceptable level. Although reinsurance agreements contractually obligate our reinsurers to reimburse us for an agreed-upon portion of our gross paid losses, this reinsurance does not discharge our primary liability to our insureds and, thus, we ultimately remain liable for the gross direct losses. In certain countries, reinsurer selection is limited by local laws or regulations. In most countries there is more freedom of choice, and the counterparty is selected based upon its financial strength, claims settlement record, management, line of business expertise, and its price for assuming the risk transferred. In support of this process, we maintain an ACE authorized reinsurer list that stratifies these authorized reinsurers by classes of business and acceptable limits. This list is maintained by our Reinsurance Security Committee (RSC), a committee comprising senior management personnel and a dedicated reinsurer security team. Changes to the list are authorized by the RSC and recommended to the Chair of the Enterprise Risk Management Board. The reinsurers on the authorized list and potential new markets are regularly reviewed and the list may be modified following these reviews. In addition to the authorized list, there is a formal exception process that allows authorized reinsurance buyers to use reinsurers already on the authorized list for higher limits or different lines of business, for example, or other reinsurers not on the authorized list if their use is supported by compelling business reasons for a particular reinsurance program.
A separate policy and process exists for captive reinsurance companies. Generally, these reinsurance companies are established by our clients or our clients have an interest in them. It is generally our policy to obtain collateral equal to the expected losses that may be ceded to the captive. Where appropriate, exceptions to the collateral requirement are granted but only after senior management review. Specific collateral guidelines and an exception process are in place for ACE USA and Insurance – Overseas General, both of which have credit management units evaluating the captive’s credit quality and that of their parent company. The credit management units, working with actuaries, determine reasonable exposure estimates (collateral calculations), ensure receipt of collateral in an acceptable form, and coordinate collateral adjustments as and when needed. Currently, financial reviews and expected loss evaluations are performed annually for active captive accounts and as needed for run-off exposures. In addition to collateral, parental guarantees are often used to enhance the credit quality of the captive.
In general, we seek to place our reinsurance with highly rated companies with which we have a strong trading relationship.

Our objective is to maximize investment income and total return while ensuring an appropriate level of liquidity, investment quality and diversification. As such, ACE’s investment portfolio is invested primarily in investment-grade fixed-income securities as measured by the major rating agencies. We do not allow leverage or complex credit structures in our investment portfolio.
The critical aspects of the investment process are controlled by ACE Asset Management, an indirect wholly-owned subsidiary of ACE. These aspects include asset allocation, portfolio and guideline design, risk management and oversight of external asset managers. In this regard, ACE Asset Management:

  • conducts formal asset allocation modeling for each of the ACE subsidiaries, providing formal recommendations for the portfolio’s structure;
  • establishes recommended investment guidelines that are appropriate to the prescribed asset allocation targets;
  • provides the analysis, evaluation, and selection of our external investment advisors;
  • establishes and develops investment-related analytics to enhance portfolio engineering and risk control;
  • monitors and aggregates the correlated risk of the overall investment portfolio; and
  • provides governance over the investment process for each of our operating companies to ensure consistency of approach and adherence to investment guidelines.

Under our guidance and direction, external asset managers conduct security and sector selection and transaction execution. This use of multiple managers benefits ACE in several ways – it provides us with operational and cost efficiencies, diversity of styles and approaches, innovations in investment research and credit and risk management, all of which enhance the risk adjusted returns of our portfolios.
ACE Asset Management determines the investment portfolio’s allowable, targeted asset allocation and ranges for each of the operating segments. These asset allocation targets are derived from sophisticated asset and liability modeling that measures correlated histories of returns and volatility of returns. Allowable investment classes are further refined through analysis of our operating environment, including expected volatility of cash flows, potential impact on our capital position, as well as regulatory and rating agency considerations.

Under the overall supervision of the Risk & Finance Committee of the Board, ACE’s governance over investment management is rigorous and ongoing. Among its responsibilities, the Risk & Finance Committee of the Board:

  • reviews and approves asset allocation targets and investment policy to ensure that it is consistent with our overall goals, strategies, and objectives;
  • reviews and approves investment guidelines to ensure that appropriate levels of portfolio liquidity, credit quality, diversification, and volatility are maintained; and
  • systematically reviews the portfolio’s exposures including any potential violations of investment guidelines.

We have long-standing global credit limits for our entire portfolio across the organization and for individual obligors. Exposures are aggregated, monitored, and actively managed by our Global Credit Committee, comprised of senior executives, including our Chief Financial Officer, our Chief Risk Officer, our Chief Investment Officer, and our Treasurer. Additionally, the Board has established a Risk & Finance Committee which helps execute the Board’s supervisory responsibilities pertaining to enterprise risk management including investment risk.
Within the guidelines and asset allocation parameters established by the Risk & Finance Committee, individual investment committees of the operating segments determine tactical asset allocation. Additionally, these committees review all investment-related activity that affects their operating company, including the selection of outside investment advisors, proposed asset allocations changes, and the systematic review of investment guidelines.

Tug of War Between Intertwined Roles

December 3, 2012


A question posed to RISKVIEWS:

Do you have a clear distinction between “What’s Risk vs What’s Actuarial?”  It seems that the roles of Risk Management and Actuarial are utterly intertwined and overlapping, thus causing utter confusion, within the company of my employ. While we have internally agreed to a segregation of duties over two years ago, the organization has barely moved forward to align itself accordingly.

Any attempt I have made to seek external guidance has not resulted in any definitive clarity. In response to the question “What’s Risk vs What’s Actuarial?”, most consultants offer “it depends on the company”. Solvency II guidance seems to indiscriminately interchange, say, risk management function (risk management is everyone’s job) with Risk Management Department.

I should clarify – when I refer to Actuarial, I am referring to “all four legs of the actuarial stool” – namely, Pricing, Modeling/Projections, Valuation, and Experience Studies.

In fact, it really does depend upon the company.  That is because actuarial roles are extremely broad in some companies and very narrow in others.

The four legs of the actuarial stool referenced, “Pricing, Modeling/Projections, Valuation, and Experience Studies” are in fact a moderately broad definition.  In the most narrowly drawn situations, the actuarial role is limited solely to situations where an actuarial opinion is required by law or regulation.  In companies that define the actuarial role in that manner, there is almost no overlap with the Risk function.

But Risk can be defined differently in different companies as well.  In some companies, the definition of the Risk function takes in only what is needed to get capital relief from regulators or rating agencies.  Or to satisfy other requirements of the same audiences.

In companies where both the Actuarial and Risk roles are broadly defined, there is great potential for overlap.

  • The Actuarial Function in these firms will include not only “Pricing, Modeling/Projections, Valuation, and Experience Studies” but may also have a role in broad financial oversight and/or broad risk oversight.  In fact, RISKVIEWS worked for two insurers with such a broad definition of the actuarial function.
  • A broadly defined Risk function in these firms will overlap most clearly with those last two roles.  With the installation of a separate Risk function, it seems clear that the broad risk oversight once performed by the Actuarial function needs to be surrendered.  But there are Risk aspects of all five of the other functions listed.
    • Pricing – A strong Risk function will want to make sure that pricing is appropriate for the risks of the activities
    • Modeling/Projections – A strong Risk function will want to perform stress tests that are in fact simple projections.
    • Valuation – Since the definition of the capital of the firm is totally dependent upon the valuation of the liabilities of the firm and the Risk function usually has a major role regarding capital adequacy, a strong Risk function will have a high interest in Valuation of Liabilities.
    • Experience Analysis – The process that has been developed by actuaries to update Liabilities from year to year includes the collection and analysis of quite a large amount of information about the emerging experience of the firm.  This information is also used in Pricing.  And should be a main part of the information needed to evaluate the risks of the firm.  Which makes this area of high importance to Risk.
    • Broad Financial Oversight – Actuaries in many insurers have already lost this role to CFOs years ago.  But in the cases where they have not, the CRO becomes a new challenger with the idea that Risk should oversee the strategic risk and capital budgeting processes.

Some of the conflict is a matter of competition between the leader of a “new” function within the firm and the leader of an “old” function.  The firms where this conflict is the worst would be the firms where there is a broadly defined Actuarial and Risk function.  The development of a new Risk function in these firms can be interpreted as Actuarial losing influence.  This perception would add to the conflict and to the confusion.  Risk will want to control its own destiny, so would naturally want to control much of what had “always” been Actuarial.  Actuarial would not want to lose any responsibility and may therefore seek to maintain parallel activities even where Risk is now performing a former Actuarial function.

At the other extreme, a number of companies see the very high degree of overlap between the Actuarial function and the Risk function and have named their Chief Actuary to be their Chief Risk Officer.  The success of that approach will depend upon the degree to which the Chief Actuary is willing to appropriately prioritize the activities needed to support the new responsibilities.  In these cases, the conflict described above between Risk and Actuarial will take place, but a large part of it will be inside the Chief Actuary / CRO’s head.

Getting Started in a Risk Management Career

November 10, 2012

RISKVIEWS got an email request…

I am a senior ‘Risk Management & Insurance’ and ‘Finance’ double major at Butler University. I was wondering if you would be able to lend some advice for my future career endeavors. One question is “what made you choose the consulting risk management side over more of a singular corporation risk management position?”  My basic concern is that unlike finance, I feel the path for a student to get involved with the risk management industry is much less defined. I keep hearing how most risk managers usually start in a completely different corporate function. I am just trying to do my due diligence and research to get insight into all career paths before I choose which way I want to go.   Daniel Gable

Daniel, some Risk Management career paths are very new.  New enough that there are not yet any people who entered the field out of college and who are now in retirement.  Now, if you are majoring in “Risk Management and Insurance”, then you are aware that there is a long established career centering upon the management of corporate insurance purchasing programs.  But the risk management programs that go beyond insurance purchasing, in banks, insurance companies and in many other industries are all new enough that they mostly had to go outside the field for at least initial leadership.  Those people will value skills and experiences that come from a wider range of experiences than someone might have who has always worked in risk management.  So their senior staff positions will have some people who also did not start out in a risk management career.

RISKVIEWS’ perspective is that risk management will be best served by a balance of highly trained risk management specialists and a significant number of people with broader business perspectives, especially experience working in the areas where the risk is taken on.

The highly trained risk management specialists are needed to keep the technical rigor of the risk management program up to a similar level to the areas that originate the risk taking.


The best sports teams prevail against their rivals only if they have great natural players in both offensive and defensive positions.  There are an extremely small number of players who can excel at either offense or defense.  Most players in most sports are much better at one or the other.  Risk management programs need to find the natural defenders who also excel at the technical skills that are needed to monitor the risk taking effectively.

But only some risk management work can be accomplished by highly technically competent trained risk managers.  Some of risk management requires people with the experience and gut instincts about the business who can tell when something just “smells” wrong.   To get this experience, one needs to have lived in the business, understand the motivations and choices that are available to the people in the business as well as their competition and the markets that they operate in.  This is all experience that is very difficult to get working from within the risk management program.

At the top of the risk management system is a Chief Risk Officer.  Like most senior executives, this person will need a high degree of leadership/managerial/political skills.  Perhaps much more so than most of the people who work in the risk management program.  In the last year or so, there has been a steady stream of bank CROs moving to CEO positions.  So in many places, it is a position with a serious future.

Finally, Daniel asked about consulting vs. working inside a company.  First of all, many consulting firms hire few if any entry level people.  They usually look to find people with at least a few years of experience inside of the firms that they are likely to consult for.  Once you have enough experience to have a choice, the option is for breadth vs. depth.  RISKVIEWS has over ten years of experience in both situations.  Inside of a company, a person may get the chance to develop a deep understanding of one or several aspects of the company operations.  Many people get a feeling of satisfaction from mastering their environment in this way and developing the ability to work with people and situations that they know very well.  Many corporate jobs are also in a fixed location, so that people who have strong reasons to want to be home most nights would prefer that.  While there is some uncertainty about continuation of corporate jobs, many jobs are secure for a decade or more at a time.  Consulting positions, on the other hand, give a person the chance to get a very broad perspective on the many different ways that things are being done in the industry.  Consulting often offers the possibility of doing different work without it having a significant impact on career path.  Consultants often travel, some a little and most quite a bit.  An advantage for some and a big disadvantage for others.  Consulting work is insecure; often it is unknown what work a consultant will be doing in six months.  Some people are very excited by the variety and uncertainty of consulting work.  Consultants need to have excellent communications skills, especially the “client facing” consultants.

In both the question of starting out in risk management or moving to risk management after working in a business and the question of starting early in consulting vs. after some work inside of a business, the considerations end up being similar.  A few people have the talent to pick up enough of the details of the business life to be able to be effective consultants or risk managers from outside of the business, but most people need to live it to be really effective risk managers or consultants.

Daniel is studying Finance as well as Risk Management.  RISKVIEWS cannot give any advice in finance careers, but will observe that with the effect of the financial crisis and the resulting changes to regulation of banks, the future finance career path may well be very different than it has been for the past 20 years.


CEO is still the Real CRO

June 23, 2012

It was just a couple of weeks ago Riskviews posted…

It’s the job of a CEO to be the Chief Risk Officer

A week later, Reuters ran a story about JP Morgan…

Analysis: JPMorgan repeats basic mistakes managing traders

In that article Rachel Wolcott suggests that the CRO needs to be powerful enough to buck the most powerful traders.

What she fails to recognize is that the CRO and the trader are both acting out the orders of the CEO.  If the CEO is telling the CRO to enforce a risk limit and also telling the trader that he is free to break the limit, then it is not the power of the CRO that is the problem.

It is a CEO that wants the appearance of risk management and the profits from excessive risk both at the same time.

CEOs will often allow underlings to “fight it out” rather than making all of the decisions in the company.  In this case, however, everyone must realize that when it appears the CRO is too weak to do their job, that means that the CEO is not standing behind them and is completely responsible for the risk that is being taken by the overaggressive traders.

CRO is not the Moral Compass

May 29, 2012

The American Banker has a new column on risk management.  The first article is here.  Clifford Rossi makes some good points about the JP Morgan story.  But Riskviews takes issue with one point that he makes…

The paradigm of the trader and the risk manager are fundamentally at odds. The trader will believe that if they are given the funds to make one more trade, they will make up all of the past losses and post a large gain. The stories of successful traders and hedge fund managers all read the same, losses, growing losses, no one else believes in the trader. Finally, they are vindicated by a large gain that makes them the hero. When you listen to the stories from Bear Stearns and Lehman, folks who were involved all say that it was just a liquidity issue. If they just had a little more funds, they would have made the trades that would have brought the firm back.

The risk manager on the other hand believes that there must be a limit to the amount that is put at risk by the firm. Do not bet what you cannot afford to lose. The risk manager believes that even the best theory can have a run of bad luck that the firm cannot afford.

Ultimately, the risk manager is not the moral compass of the firm. The risk manager is nothing more or less than the person who is charged to make sure that the CEO and the Board understand and are fully aware and approve of all of the risk taking activities of the firm. To make that process work, the risk manager will ask the board and CEO to pre-approve some activities and to require to be notified about others.

In JP Morgan’s case, the board and CEO should have been aware of what was going on, of the size of the positions. Perhaps they did not give clear directions to the risk manager or perhaps the risk manager for some reason failed to report the risk positions.

However, it should have been a business decision made by the Board and CEO, not a decision of the trader or of the risk manager.  The loss that resulted would be a decision that did not work out as intended, not even necessarily a bad decision.  All decisions do not work out well.  And while $3 Billion is a large amount of money, it is only a fraction of earnings for a good year for JP Morgan.

If the decision to make the trade(s) that added up to the $3 Billion loss were made by the trader and not reported to the CEO and Board, then and only then is this a risk management failure.

Chief Scapegoat in Waiting

February 1, 2012

The position of Chief Risk Officer is perilous.

Just watch Demi Moore get fired in Margin Call.  She said that she had sounded the alarm about the risky trades that were the main topic of the film a year ago.  But her warnings were obviously not heeded and when things turned out poorly as she had warned, she was fired as the scapegoat.


Just read the stories about the two Chief Risk Officers at MF Global.  Both of them sounded alarms about the trades that eventually bankrupted the firm.  Roseman left over the issue.  Stockman is testifying to Congress about exactly when he determined that the trades were too risky.

A House committee is expected to disclose on Thursday that MF Global, under Jon S. Corzine, stripped critical powers from its top executive in charge of controlling risk, according to a person briefed on the matter. NYTimes

Riskviews suggests that they have it all wrong.  Corzine is the one who is responsible for the risk management of MF Global.  No one is suggesting that Corzine was ill served by his CRO.  Instead, the discussion suggests that the board should have listened to the CRO and not the CEO.  Easy to say in hindsight.  But in fact, the CRO is an agent of the CEO.  If the board sets up the CRO as their agent within the firm who can trump the CEO, then the board is overstepping its role.  If the board does not like what the CEO is doing, the board has the responsibility to replace the CEO.

If the board wants to know more about the risk of the firm than the CEO wants to tell, then the board should not be going around the CEO to people who work for the CEO.

Congress should be talking to the board members who repeatedly approved Corzine’s decisions.  The CRO is now being used as a scapegoat by the board and by congress.

The position of CRO at a firm that does fail is even more perilous than usual for that position.  When the firm fails or comes close to failure, the CRO can become the scapegoat for failure to act.  And the fact that the CRO did not have the authority, does not change that process at all.

That is because there is a myth that the CRO is in charge of preventing bad things from happening.  That is not the case.

The CRO job is to make sure that management has the tools and the people and the information to prevent bad things from happening.  Only if the CRO is set up as someone with MORE authority in the organization than the CEO should the CRO be held responsible when bad things that they did warn about do happen.
