A unique time for chief risk officers in insurance

As COVID-19 continues to threaten lives, communities, and industries around the world, insurers face profound disruptions. Uncertainty abounds. No one knows when the crisis will truly end, when safe vaccines will be used at scale, or whether they will stop the pandemic for good. Its ultimate impact on public health and the global economy will be measured in the months and years to come.

Underwriters are struggling to calculate their exposure to pandemic-generated vulnerabilities. Economists are trying to anticipate the direct and indirect impact of massive new government debt. Managers are wondering how long people can work productively from home and maintain healthy organizational and risk cultures. And in a long-lasting low-interest-rate environment, strategists and product leaders are contemplating future insurance solutions—including public–private insurance partnerships—that would enable insurers to remain relevant to their customers.

Our research shows that the industry’s returns to shareholders since the beginning of the year were down by 19 percent at the end of October 2020. In mid-June they had been down by 23 percent—the sharpest drop in recent memory and deeper than those recorded in many other industries (Exhibit 1).

Exhibit 1: Market capitalization has declined across sectors in 2020, with significant variation in the extent of the declines.

With regard to current business impact, insurers will experience pressure on retention rates and margins as customers shop for lower prices. The impact on claims will vary by line of business: auto claims may decline because people are driving less at the moment, but homeowners’ claims could rise as policyholders work from home. Investment income will continue to suffer as interest rates stay low, and life and annuity carriers will be hardest hit. We also believe that the pandemic’s full impact on economies around the world will be felt through 2022.

The pandemic-related challenges intersect with cost-reduction and efficiency pressures. These were intense before the pandemic struck, as discussed in McKinsey’s recent state-of-the-industry reports on P&C and on life. Legacy IT systems and, in some cases, lagging digital capabilities are growing impediments, as the COVID-19 environment pushes many more customers toward digital-first relationships. Insurers, reinsurers, and brokers that made bold moves into digital years ago are now harvesting the benefits of their investments. Others need to catch up in a hurry.

Given the profound uncertainties and their varying impact across business lines, insurers must commit strongly to risk-oriented, structured decision-making approaches. We believe it is time for chief risk officers (CROs) to step up to this challenge. With their help, the industry can reinvent itself to stay relevant to customers and attractive to investors.

The CRO and the evolution of the insurance industry

CROs for leading insurers are playing a critical role in the present risky and uncertain environment. They have risk oversight of activities conducted by the first line (business and corporate functions) and assure the chief executives and boards that companies are achieving a proper risk-management balance. In approaching heightened risk levels, CROs aim to limit the downside danger but also enable the business to make the necessary risk–reward trade-offs to capture the upside. It is a delicate balance.

For a long time—and especially as a consequence of the financial crisis of 2008–09—the CRO role in financial services was regarded as a necessary response to regulatory pressure, to provide required controls and guardrails. Today, the importance of the CRO role has outgrown this conception, and that is a good thing. Many CROs are working with CEOs, executive teams, and boards, stepping forward in this crisis and taking the opportunity to shape the future of the organizations they serve. Over the past few months, we have been listening to leaders of insurers of all sizes around the globe—CEOs, board members, CFOs, human-resources heads, as well as CROs. One insight that has emerged is that the CRO role as risk manager has continued to evolve. CROs are engaged in the most difficult decisions, providing top management with perspectives and guidance on strategic business risks—when to take them and for which expected financial, organizational health, and reputational rewards.

Unsurprisingly, therefore, leading insurers are investing more in their risk-function capabilities. At a recent CRO roundtable with 25 leading North American insurers, 95 percent of the participants indicated that demand for the services of the risk function will increase next year. At this critical juncture, CROs should join top management to set and implement a strategy for capturing value in the next three to five years. A new CRO role is evolving:

  • from using static, backward-looking risk-measurement tools to developing state-of-the-art capabilities, such as scenario planning, dynamic stress testing, and advanced analytics
  • from focusing only on financial risk to taking a more holistic view of the risk landscape, including nonfinancial risk: the new focus includes cyberrisk, technology risk, fraud risk, model risk, people risk, and compliance risk, but also wider external risks, including climate risk and geopolitical risk
  • from performing a limited-control function to counseling the CEO and board in developing and executing a sustainable growth strategy supported by a balanced risk appetite

The CRO’s contribution to a sustainable growth strategy

This is an important moment for chief risk officers. Most insurance companies are rethinking their strategies and need the knowledge and skills of CROs to navigate the perils of unprecedented times. To support a sustainable growth strategy under stressed conditions, CROs can start by maximizing the risk organization’s existing capabilities. New capabilities are also needed as CROs help their companies embrace a holistic view of risk, including financial and nonfinancial risks. The following actions are essential and consistent with the new CRO leadership paradigm.

Managing risk through COVID-19 uncertainties

It will be necessary to develop high-frequency stress tests and business-plan forecasts and to review investment strategies.

1. Develop high-frequency stress tests and business-plan forecasts. To reveal vulnerabilities and develop strategic implications, CROs should develop advanced stress-testing for profit and loss (P&L) and the balance sheet (for example, investment portfolios). The program should be scenario-based and refined through iteration. Carriers around the world, from employee-benefit companies to global multiline insurers, have developed analytical tools to rebase revenue expectations using detailed economic data. Some risk leaders are gaining new insights into market dynamics in metropolitan statistical areas by combining customer projections with epidemiological and economic scenarios. This can help improve the accuracy of projections of customer default or renewal rates: projections can become more precise with stronger links between risk identification, economic scenarios, and overall company strategy.

2. Review the investment strategy. Pressure on industry performance is coming from several sources, including equity-market volatility, the low-interest-rate environment, and sometimes the repricing of assets associated with climate risk. The squeeze is felt on insurers’ balance sheets, product profitability in life insurance, and investment-management fees for savings products. Given these pressures, CROs will need to ensure that the investment strategy is reviewed and realigned according to the results based on economic scenarios and resulting risk capacity and risk appetite.

Addressing the nonfinancial-risk profile

Here are measures to strengthen cyberrisk practices, address fraud and other operational risks, and adapt and remediate models.

3. Strengthen cyberrisk practices. The new working environment has increased network exposures to cyberrisk. As employees use personal devices for work, for example, they can become more vulnerable to phishing. Traffic volumes are rising sharply on virtual private networks as employees work from home, straining IT systems and personnel; sensitive data and systems must be protected against access through insecure networks or devices. CROs must take account of these new strains and vulnerabilities, and strengthen cybersecurity and cyber practices across the organization. Many insurance companies have completed comprehensive assessments of their systems and information assets—for example, the likelihood that any component will be compromised. CROs must prioritize and reprioritize assets as needed, protecting critical assets and closing critical control gaps as they appear.

4. Pay more attention to fraud. Fraud and financial crime seem to be on the rise as a result of the new remote working environment and the economic downturn, a situation recalling the spike in insurance fraud during the financial crisis of 2008–09. As CROs strengthen essential controls and the technology infrastructure, they should also push to improve analytics capabilities for fraud. The necessary moves could include building an identification engine capable of ingesting vast amounts of claims data, accurately sizing and analyzing drivers of current losses, and quickly identifying high-risk claim reimbursement.

5. Address other operational risks. Rising levels of digital interaction and remote work have also changed companies’ overall operational risk profiles, which CROs must monitor and assess accurately. They can then build tools to mitigate these and other nonfinancial risks and quickly address emerging concerns. In a recent McKinsey survey of North American carriers, participants discussed their latest approaches to nonfinancial risk. One large global life insurer, for instance, launched an ambitious review of its nonfinancial-risk metrics and upgraded them in key businesses, covering the entire nonfinancial-risk taxonomy in great detail. Before the pandemic, the company had begun to shift its reportage from lagging to leading indicators to help executives gain a more accurate view of risks and make better-informed decisions. That gives them a significant advantage during the pandemic crisis.

6. Adapt and remediate models. The CRO should lead a full review of critical models used across the organization since they could have been compromised in this changed environment. The assessment should include the rapid triage and remediation of models most affected by the pandemic. The associated economic downturn has triggered significant step changes that are often not accounted for in the original assumptions made several years ago, when these models were designed. The persistent low-interest-rate environment—and potentially negative-interest-rate environment—must also be factored in. The CRO should manage remediation on a risk-based timeline and ask the business to develop new models as needed.

Building the insurance organization of the future

CROs should partner with senior management to revisit the risk appetite and strategy, transform risk culture, build reputational resilience, and improve insights about systemic risks.

7. Partner with senior management to revisit the risk appetite and strategy. By becoming thought partners with top management, CROs can help steer the organization, identifying and selectively committing to strategic opportunities. They can also engage in dialogue with regulatory agencies to better anticipate the regulatory landscape. CROs have a key role to play in shaping the risk appetite. The CRO should work closely with the CEO, the CFO, and the heads of businesses to help cascade it through the whole organization and calibrate it as part of the new sustainable growth strategy.

8. Transform the risk conduct and culture framework. In the current environment, companies have to make decisions quickly—too quickly, sometimes, for existing governance and guardrails. An appropriate framework for risk conduct and culture creates a safe environment for speaking up about dangers, fosters adherence to company values, and therefore helps risk leaders make sustainable decisions quickly. As CROs work with top management to develop the future organization, they should partner with HR heads to transform the risk culture. Many insurers have already begun to assess current risk culture and to identify opportunities for improvement by making employees aware of present and emerging risks and giving them the skills to protect both policyholders and the organization. Risk culture can be measured and actions taken to enhance it where improvements are most needed.

9. Build reputational resilience. The pandemic is creating unprecedented challenges to organizational culture. In the work-from-home model, maintaining that culture and transmitting it to new hires can be more difficult. Furthermore, as companies address their customers’ changing needs, they must take into account the heightened public scrutiny and societal impact of the ongoing crisis. The CRO must therefore ensure that robust governance is in place, and work to strengthen risk culture and organizational resilience.

10. Significantly improve the company’s insights about systemic risks. The pandemic is a reminder that low-probability, high-consequence events do indeed happen. Pandemic scenarios were heretofore mostly considered as extreme cases in advanced modeling exercises. That no longer works. With the right mandate from the rest of the organization, the central risk function could become a center of excellence to protect insurers by developing and defining better insights on systemic risk. The center of excellence could also identify issues—climate change and geopolitical risks, for example—that call for innovations to keep insurers relevant in a fast-changing risk landscape.

More sophisticated stress testing to discover business vulnerabilities

For many financial institutions, including insurers, annual investment and product planning was completed before the economic impact of the COVID-19 pandemic was universally apparent. In performing stress tests on the impact of market stress on solvency, most insurers used short-term, next-budget-cycle timelines. Now, deep into the pandemic, insurers understand that the economic recovery path is uncertain and performance may change widely during the next two- or three-year period, and even beyond. The changing probabilities concerning the duration of the work-from-home model and restrictions on travel and retail activity, for example, make it clear that more than short-term planning is required. In this context, companies must go beyond their normal stress-testing regimens.

To understand how rapidly evolving economic conditions will affect their portfolios, leading insurers are using stress-testing tools accompanied by continued close monitoring. They are looking beyond regulatory compliance and building the data and capabilities needed to test scenarios rapidly and to support responsive decision making according to the changing outcomes. New analytics skills and tools are needed, which for most insurers would complement existing capabilities in scenario-based assessments of assets and liabilities. They can be developed using existing resources and capabilities present in the risk organization, in a coordinated effort by the CEO, CFO, CRO, and the heads of businesses.

Insurers need to think through scenarios with varying timelines and sequences of events and how they intersect with different types of stress testing—for liquidity and capital, business strategy, and climate and catastrophic events. This holistic assessment will give CROs a wider view of the uncertainties and therefore support effective risk management. Exhibit 2 shows how more sophisticated stress tests can account for many factors affecting P&Ls over longer time horizons.

Exhibit 2: Stress testing links scenarios to the key profit-and-loss factors of underwriting income.

The new orientation also requires a shift in the stress-test horizon from one year to a three- or four-year period. The objective is rapid design and testing of a wide range of scenarios exploring different company vulnerabilities. The method involves the development of more sophisticated econometric models—statistical analysis of economic data—using detailed, location-specific analytics, since the dynamics of economies will probably differ widely from one city to another. The models should use relevant business-sensitivity metrics (such as policy renewals or new sales) to estimate the impact of different scenarios on business performance and to act on those estimates. Insurers can use these exercises to reallocate capital quickly across the product lines and markets where it can be put to best use.

Many of these capabilities require significant business expertise and may now lie in the realm of business planning and strategy. However, risk teams have the unique analytical and data capabilities to support such modeling. These broader stress tests will also help CROs develop a view of potential emerging business risks and set the company’s strategic direction.

The CRO role in increasing efficiency and effectiveness

Operational efficiency and effectiveness have always been vital in insurance, and the pandemic has made them more important than ever. CROs can lead or contribute to efforts to address the challenges—for example, by shifting governance or strengthening the most critical controls. Partnering with the first line, CROs can work to minimize the burden of controls, without compromising the effectiveness of risk management. On a deeper level, and with CRO involvement, insurers should return to developing process-automation and artificial-intelligence programs. The CRO can help speed up these advances and free colleagues to focus more keenly on the risks requiring experience and judgment.


The insurance industry is undergoing significant change to remain relevant in a changing risk environment that is now evolving even faster as a result of the pandemic. We believe that the gap between companies that embrace and act upon these changes, make bold moves, and capture the resulting value and those that do not will continue to widen. Experience suggests that if companies adapt quickly to the crisis and emerge stronger in the first year, they will continue to lead for the next five. The pandemic has certainly elevated the risk function’s strategic role. CROs now have a unique opportunity to seize the moment.
