Module 12: Governance / assurance functions and the role of the CRO Flashcards

1
Q

A good CRO should improve the effectiveness of an organisation’s risk management function by (3)

A
  • filling in any gaps in the skills, knowledge and/or experience in a management team
  • providing additional resource for a risk management function
  • being prepared to escalate issues directly to the Board without fear or prejudice to their own job security or remuneration.
2
Q

Explain how a CRO might be positioned within an organisation structure

A

Typically the CRO will either sit on the Board or will report to the Board through the CEO or CFO.

It is particularly important that the relationships between the CRO and other officers are unambiguous.

A CRO reporting to the CFO or CEO may mean conflicts of interest inhibit communication to the Board.

3
Q

Discuss the degree to which the Board might delegate some of its responsibilities for risk management and outline how that might best be achieved

A

It is common for Boards to delegate risk management to a risk subcommittee. This subcommittee will take responsibility for setting risk management strategy and policies and monitoring.

It should be independent from the day-to-day business and those appointed to it should be suitably qualified.

The accountabilities, responsibilities and relationships between the Board, risk subcommittee, CRO and line management should be clearly defined and distinct. While the Board may delegate some responsibilities to a subcommittee, the Board retains overall accountability for risk management.

In the financial sector, such delegation should be to a risk subcommittee, rather than the audit subcommittee.

4
Q

Outline the key responsibilities of the CRO

A
  • providing overall leadership and direction for ERM
  • establishing and integrating an ERM framework across the company
  • developing risk policies / minimum standards and monitoring adherence
  • developing risk models and data systems
  • effective reporting (internal and external) on risk exposures (current and future / emerging)
  • allocating capital to business activities based on risk-adjusted returns
  • managing / optimising the risk portfolio
  • safeguarding the company’s financial and reputational assets
  • ensuring compliance with regulatory requirements.
5
Q

6 key skills required of a CRO

A
  1. LEADERSHIP
    to develop the ERM vision and recruit / retain a risk management team
  2. COMMUNICATION SKILLS
    to influence and persuade the business about ERM
  3. STEWARDSHIP
    the ability to act as a guardian of the organisation’s assets
  4. TECHNICAL COMPETENCE
    needed to manage financial and operational risks
  5. CONSULTING SKILLS
    needed to influence and educate the Board and implement policy
  6. PROJECT AND CHANGE MANAGEMENT
6
Q

Outline what a CRO will need to establish upon or soon after their appointment to the role

A

The CRO will need to establish whether:

  • there is a clear understanding of the company’s risk tolerance
  • management’s compensation is aligned with prudent risk management
  • there are any gaps in the skills, capability and experience of the team
  • each part of the insurer’s business increases its overall value
  • risk management is linked into capital management, pricing and reserving processes
  • the quality and extent of the information given to stakeholders enables them to assess the financial condition of the insurer
  • the governance structures are robust
  • the risk management operating model is appropriate

The CRO will need:

  • to establish a close working relationship with the CFO - since they each have a role to play to make earnings more predictable and less likely to reduce in future
  • authority within the organisation
  • to understand the insurer’s key stakeholders and drivers of performance
7
Q

CRF abbreviation

A

Central risk function

8
Q

The role of the CRF should include (7)

A
  • advise the Board on risk
  • guide line managers on identification and management of risks, and suggest risk responses
  • act as a central focus point for staff to report new and enhanced risks
  • assess the overall risks being run by the business
  • make comparisons of the overall risks being run by the business with its risk appetite
  • monitor progress on risk management
  • pull the whole picture together.
9
Q

3 lines of defence

A

1st: line management staff in the business units
2nd: the CRO, risk management team and the compliance team
3rd: the Board and audit function

10
Q

The relationship between the first two lines of defence may be characterised as one of (3) models:

A
  • offence vs defence
  • policy and policing
  • partnership
11
Q

Outline the offence vs defence model

A

The first two lines are set up in opposition to each other.

  • business units focus on maximising income and
  • risk management focuses on minimising losses.
12
Q

Key disadvantage of the offence vs defence model

A

The relationship is potentially destructive and damaging to the organisation as business units and the risk management function have opposing objectives (and incentives).

13
Q

Outline the policy and policing model

A

Business units operate within rules, which are set by the risk management function and policed by the risk management, audit and compliance functions.

14
Q

Key disadvantages of the policy and policing model

A
  • policies may become out of date as the risk management function is not in touch with day-to-day operations.
  • audit and compliance reviews do not occur continuously, so may fail to identify problems.
  • there may be friction between line management and risk management as each fails to understand the other’s viewpoint fully.
  • line management may have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred. This issue is mitigated somewhat by arguments about “the greater good” or if incentives are linked to policy compliance and reporting violations.
15
Q

Outline the partnership model

A

Risk management staff are integrated into the business units and the two functions share some measure of performance.

Under this approach:

  • Business units and risk management staff work together in a client-consultant type relationship to manage risk.
  • Business units must recognise the benefit to long-term performance of a risk management function.
  • Risk management staff must recognise the importance of their role as consultants, ie meeting the needs of the business units (the client).
16
Q

Key disadvantage of the partnership model

A
  • Independence may suffer in this structure - it is hard for risk management staff who are integrated into business units to have a corporate oversight role.
17
Q

Describe how a mix of organisational structures might work in a large insurer

A

In a large insurer (or indeed any large business) the risk management function may be split between a central team and units embedded in each business unit.

In this situation, it is important to ensure that a “silo” mentality does not develop - a matrix reporting framework may help here.

18
Q

4 Key challenges in managing the relationship between business units and risk management staff

A
  • conflict and conflict resolution
  • management of risk management staff within business units
  • aligning incentives
  • measuring non-financial (e.g. operational) risks
19
Q

Outline the nature of the challenges:

conflict and conflict resolution

A

Conflict arises as a result of parties perceiving risk differently - does risk mean an “opportunity for profit” or an “opportunity for loss”?

Business units often want to increase volumes and may argue for pricing based on marginal costs, but the finance department want to grow revenue and control risk and argue for full-cost pricing.

20
Q

Outline the nature of challenges:

management of risk management staff within business units

A
  • Risk management staff embedded within business units may not be trusted by business unit staff and may feel stuck between two opposing sides.
  • it may be best if the risk management staff report to the business unit head and have a “dotted line” link to the CRO.
  • the CRO should have input into the performance review of the risk management staff embedded in business units.
21
Q

Outline the nature of challenges:

aligning incentives

A
  • Aligning incentives for business unit and risk management staff can reduce conflict between them, although in practice the design of suitable performance measurement and incentive systems may be difficult.
22
Q

Outline the nature of challenges:

measuring operational risks

A
  • Operational risks can be difficult to assess and take into account in performance measurement systems.
  • It is particularly important to ensure a common taxonomy around operational risk management to minimise the risk of confusion.
23
Q

List 5 key skills required within a risk management function

A
  1. project management skills
  2. change management skills
  3. relationship management skills
  4. technical expertise
  5. implementation skills
24
Q

Outline 6 (risk-focused) questions management should ask themselves when developing their unit(s) plans and strategies

A

Management should address questions such as:

  1. What risks may prevent us from achieving our objectives?
  2. How do we assess and monitor these risks?
  3. How can we mitigate or transfer these risks?
  4. What level of risk-adjusted performance can we expect?
  5. What risk limits / tolerances should be adopted?
  6. Who will measure and monitor the risks involved?
25
Q

Outline how management might address the risk that assumptions about the business are not borne out in practice

A

The risk of assumptions not being borne out in practice might be addressed by:

  • setting trigger points for each assumption - levels above or below the assumed level which will trigger a specific action or plan.
  • setting up a specific risk committee for new product and business development, particularly when expanding into new / foreign markets.
26
Q

State a key risk for an insurance company arising from not pricing accurately

A

If insurance companies do not price risk accurately they are likely to be subject to selection.

27
Q

Name a business and financial reporting method that should include risk assessment

A

The balanced scorecard approach integrates business and financial reporting.

A scorecard usually assesses 4 main areas:

  • finance
  • key stakeholders
  • growth and learning
  • internal business processes.

Risk management should be incorporated into the scorecard.

28
Q

Outline best practice for remuneration systems in financial organisations

A

The link between executive compensation and risk management should be disclosed, including salaries, incentive-based compensation and stock options.

Compensation arrangements should not encourage excessive or inappropriate risk-taking.

Where appropriate / practical, clawback provisions should be implemented to recoup incentive-based compensation if risk-taking, with hindsight, was deemed excessive.

29
Q

Assurance systems

A

Processes and structures designed to give the Board of Directors confidence that the ERM framework is effective.

30
Q

Outline the role of Chief Risk Officer

A

The Board’s support for the CRO is critical to the success of ERM.

The CRO:

  • often reports to the CEO or CFO
    – associated conflicts can be reduced if the CRO also has a dotted reporting line to the Board (or risk committee), which becomes a solid line under extreme circumstances
  • ideally, the CRO should be a Board member and lead the risk subcommittee.

The CRO heads up the Risk Management Function (RMF) / Central Risk Function (CRF) and coordinates the various risk management divisions of the company.

The CRO is accountable to the Board for developing, implementing and maintaining an ERM strategy.

31
Q

In order to create value and align interest, it is important for risk management to be integrated into business activities such as (5)

A
  • business strategy development
  • new product development
  • pricing
  • business performance measurement
  • risk and incentive compensation / remuneration
32
Q

The way in which a company chooses to structure the relationship between its RMF / CRF and the rest of the business will vary considerably according to (4)

A
  • existing governance structures
  • size and nature of the business
  • risks faced by the business
  • autonomy / accountability of the business units in the current structure
33
Q

In addition to the Board of Directors and the RMF / CRF, the stakeholders that have a monitoring role in relation to risk management include (3)

A

THE COMPLIANCE FUNCTION, e.g.

  • managers should document compliance with relevant legislation and rules
  • risks of non-compliance should be identified, and a plan to achieve full compliance drawn up
  • regulators should be informed promptly of non-compliance

THE INTERNAL AUDIT FUNCTION, e.g.

  • security of systems to prevent fraud
  • compliance with laws, regulations and internal governance codes
  • key spreadsheets / systems

EXTERNAL AUDIT