The data was gleaned from an online survey they sent out to CRO/equivalents back in Sept-Dec 2012, so is a bit dusty, and there were 86 respondents, so a half-decent sample. It isn't dominated by a particular sector or continent (p7), but there are more conglomerate/bank-heavy respondents than pure insurers.
There is an infographic for those with a short attention span, with a few headline numbers, but having sifted through the larger doc, I found the following elements worthy of note:
Boards, Committees and Risk Management
- 80% of Boards are reviewing and approving Risk Management Policies/ERM Frameworks and Risk Appetite Statements. Bearing in mind the types of organisation in the sample, that is disappointingly low.
- 25% don't review individual risk policies
- 23% don't review strategy against risk profile
- Almost half don't invite CRO to EXCOM meetings
- Almost two-thirds delegate risk oversight to satellite committees (and two-thirds of those delegate to a Risk Committee)
- Only half have their Risk Committee chaired by an INED.
- Use of specific management risk committees for individual risk types tends to cluster around the 40-60% bracket (for example, 60% have an ERM committee, while 44% have an Op Risk Committee). Heavily weighted by organisation size i.e. larger ones tend to have them!
- Emerging risk reporting not supplied to 30% of Boards
- Model validation results not supplied to 70% of Boards!
- 66% (of insurance respondents) have their Boards responsible for reviewing economic capital results
- 97% of large respondents have a CRO, 81% of smaller firms
- 88% using "3 Lines of Defence" (almost all of the larger respondents do)
- 62% have an "ERM Programme"
- 58% increasing risk management budgets (still!)
- In the list of tasks currently performed by CROs, the fact that only 63% are involved in the approval of new business lines/products is pretty telling, and not in a good way.
- Almost half of respondents said that Internal Audit and the ERM Framework do not use common risk categories and language.
- 33% do not have an independent model validation 'function' (remember, the banks are in these stats as well!) - most of those who have made provision park it in the Risk Management function.
Risk management techniques
- 90% using some form of stress testing in the business, with most saying the outputs are used in business planning, strategy setting and identifying risk tolerance. More than half however don't use the outputs in the allocation of capital to lines of business.
- 74% have some type of Stress Testing policy
- Over 20% either do not have a Risk Appetite Statement, or only have a quantitative one
- Almost 70% still use regulatory capital as one of their quantitative measures in their Risk Appetite Statements
- Risk limits tending to be set at enterprise level, as opposed to business or desk/subsidiary level - stats are a little murky due to the emphasis towards banking sector.
- Model risk and Liquidity risk seem to be the risk types least factored into companies' ERM programmes
Management of Key Risks
- Full list on p24, with the percentage shown representing the number of respondents who thought their management of each risk was "extremely" or "very" effective - stand outs were that perceptions of the effectiveness of the management of Operational, Model, Outsourcing and Data risks appear to be much lower than one would hope, with Lapse risk management ranked unusually high.
- Op Risk KRIs and Loss data only collected by 60% of respondents
- Just over half are modelling Op Risk in some way - varying degrees of complexity experienced
- Most are using stress testing and/or reserving to assess Insurance risk - over 40% not currently using EC, and over 50% not using VaR.
Risk and Reward
- Almost 60% of remuneration schemes have no clawback provisions
- Almost 70% of schemes do not align incentive payouts with the term exposure of the underlying risks
- 92% (of relevant responders) will focus resource on ORSA in next 12 months
- 77% will focus resource on Data Quality in next 12 months
- 69% will focus resource on Documentation and Reporting in next 12 months
- Less than 25% rate their processes and systems for Data Governance extremely/very effective.
- Declining trend of insurers who will be modelling economic capital (p19)
- Only 80% actually calculate Economic Capital
- Some very grim stats on p21 covering which risk types are modelled for EC purposes (underwriting risks seemingly very low on the list)
There are a number of areas touched on here which fall short of pending (or indeed actual) national/international regulations and codes, never mind "best practice". Perhaps we can account for the innate conservatism of CROs in their responses, and assume things aren't quite as bad as they have self-assessed here?