On October 10, 2014, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a speech (dated September 26, 2014) given by Gabriel Bernardino, EIOPA Chairman, on a number of topics, including the role of the chief risk officer (“CRO”).
Points of interest in Mr. Bernardino’s speech include the following:
- CROs have helped to shape the new risk-based regime in insurance. In return, regulators have placed risk management as one of the main building blocks. This opportunity should be used to embed a strong culture in firms’ day-to-day operations, ensuring that business units themselves “think and act” from a risk management perspective.
- It is important to emphasize that risk management goes well beyond compliance. It is about making sure that risk considerations, and their capital consequences, are explicitly taken into account in the strategic decisions of the firm. The matching of the firm’s funds to its risk profile should help to promote a strong risk culture, and can be an essential tool in the sound running of the business.
- Sound governance and risk management evolve over time. It is now particularly important to include adequate strategies and processes to deal with conduct and consumer risk in the governance system. From product design to claims management, insurers need to put customers at the centre of their business decisions. CROs are instrumental in delivering these results, but progress takes time, commitment, effort and a clear “tone from the top”.
- In an optimal world, CROs are at the centre of a firm’s organization as the failure to take risk behavior into account when setting business strategies and plans puts the firm itself, and its shareholders, in danger. A strong CRO is a very good signal of strong governance from a supervisory perspective, and it definitely helps in attaining the regulatory objectives of increased financial stability and consumer protection. However, having a strong CRO should be seen as sound business practice, and not a regulatory requirement.
- CROs need to find a balance between being the devil’s advocate, offering challenge and alternative views, and at the same time being involved in business development and strategy. It is a dual role, where each CRO needs to be “independent but involved”.
- EIOPA expects each CRO to set an appropriate risk framework, capable of dealing with risk concentrations and emerging risks. It expects CROs to contribute to driving the business and to setting the strategy on a sound and sustainable path. To perform this job, the CRO should have a place in the firm’s structure that allows the CRO to play an effective role in strategy setting and decision making. CROs need to raise their status within their firm and be part of the board or report directly to the chief executive officer. EIOPA sees a clear movement in this direction, but there are still some firms where the current reporting lines have to be challenged and should be rethought.