“Getting involved in such things gives you an appreciation for [the possibility] that you can do a reinsurance deal [and] not get paid. That's what Unicover was,” he said, referring to the debacle in the late 1990s related to workers' compensation reinsurance pools. The pools, which had life-health companies participating in poorly understood carve-out risks that they assumed for insufficient premiums, ultimately filed suit to invalidate their reinsurance deals.

Using the Unicover example, Mr. Angelina stressed the idea that the role of a CRO encompasses an understanding of operational risk, not just reserving risk or a pricing risk, which are the key skills honed by casualty actuaries.

Teresa Dalenta, senior vice president of claims and customer care for Safeco in Seattle, who formerly served as CRO, said that while CROs need to be good risk modelers with analytical skills, there's more to the role. “They need to be curious people,” she said. “It's a world that's attractive to somebody who likes to ask questions. If you like to listen and learn, as opposed to question and probe, it's not very much fun.”

“Generally, you operate in an environment where you don't own the risks,” she added. “You're just trying to manage them. So you need to be able to operate without authority–to be a collaborative person. That also requires strong communication skills,” she said.

In simplest terms, CROs suggest that the job is part technician, part communicator and part teacher, with heavy doses of salesman and politician thrown in. For actuaries, the easiest part of the job of a CRO is the technical, analytical part. But it doesn't matter if your background is actuarial or anything else–the toughest job for a CRO involves changing cultures, industry CROs agreed.

Donald Mango, managing director of Guy Carpenter & Company in New York, explained that the need for CROs to engage in political bargaining evolves from the fact that the risk function naturally operates as a check and balance on other areas.

“It can be perceived as threatening,” said Mr. Mango, who once served as CRO for American Re. CROs have to work the internal political scenes at their companies to rally influential advocates to back recommendations that may not be popular, he warned.

Giving an example, he said that good financial risk management practice dictates that a reinsurer is not overexposed to any single counterparty. “That's Risk Management 101, but it flies in the face of the relationship aspect of reinsurance.”

That means talking to underwriters and telling them to pare back premium plans with a key client. “You could write a report [or] give a presentation” revealing the magnitude of reserve exposure and the potential for loss payments to accelerate should the counterparty suffer a downgrade,” he noted. “But unless you get everyone in the company to acknowledge the risk is real, and get them to actually modify underwriting actions, nothing will happen.”

“It is a pure political exercise, because you have to convince leadership that your model is believable. You're asking them to be proponents of painful decisions,” he said.

“The single most important requirement” to be an effective CRO is “credibility with senior management,” he emphasized.

CROs also act as teachers to push cultural change down through all levels of their organizations, according to Janet Nelson, CRO for London-based Catlin Group. “Anytime you're talking with people about being control-aware, about assessing risk, about being deliberate about risk management, it [introduces] a new vocabulary–a new way of looking at how their doing their job[s].”

Thus, “there's a continuous education process” that a CRO takes on–working with senior management, middle management and the broader employee base to help bring an awareness of risk and controls into daily management activities, she said.

According to Michael Fusco, chief actuary and CRO at Chicago-based CNA, “The thing that's hardest about the job is establishing a risk culture in the company.”

“That's changing behavior,” he said, noting that one issue he worries about is the question of whether the company has the right incentives in place to drive the right behavior. As a result, he said a CRO role can involve working with the head of human resources, who might be in charge of bonus plans, to make that person aware of the potentially detrimental impact of having the wrong goals.

“Goals are great, but recognize one thing: When you assign goals to people, they're going to achieve them,” he said.

Giving a simple example, he said that if production is the goal on which a company monitors its field offices, they're going to write the business. “They're going to meet their goals on new or existing business. Just make sure that it's not sending you down a path of losing lots of money,” he advised.

Several CROs noted that they are not the “risk owners” (risk takers) at their companies, identifying chief underwriting officers, chief investment officers, chief technology officers and the like as the owners of individual risks falling in various categories.

A key task for CROs, then, is pulling all the risks together to develop an enterprisewide view, said Wayne Fisher, an actuary and consultant for Zurich Financial Services, who formerly served as Zurich's CRO.

Most insurers have very effective–but separate–management functions for distinct risks, he said. They might not always call function leaders risk managers.

“They might call it worldwide chief underwriting officer. That's a risk management function with small letters instead of capital letters,” he noted. “Or you can have a credit risk department; you can have an investment department that works on tactical asset allocation and monitors investment quality.”

“But how does that [all] come together? What correlates? What doesn't? How does that…match up with the risk tolerance that the board wants?”–all are key questions for the CRO to answer, he said. (Giving examples of how risk tolerances are expressed, he said the board might tolerate having no earnings for one-in-10 years, or a 20 percent dip in the capital base for one-in-10 years.)

“It really doesn't matter in my mind whether [the separate risk] functions are in a chain of command to [the] risk management [department], as long as risk management has access and influence,” he said, referring to the need for a free flow of information from underwriting, investment and other operational units that allows CROs to determine aggregate risk profiles of their enterprises, and to the need for CROs to have access to their board and executives.

After comparing the profile to the board's risk tolerance, if the CRO determines there is too much risk, he or she makes recommendations to reduce it–by buying a hedge, buying reinsurance, or simply by agreeing to stop doing something, Mr. Fisher explained.

While CROs do not have clout to mandate that risk takers stop taking risks, those interviewed said they are accountable to leaders who do–directly reporting to the CEO or CFO, and giving regular reports to their boards of directors. They also stressed that education is the ultimate tool they have to ensure that aggregate risks fall within corporate tolerances.

“Everyone wants the same thing–to be able to secure regular profits for the company and to do that in a sensible way,” Ms. Nelson said, noting that even when risk takers are initially resistant to recommendations to reduce risk, they become receptive when risk managers deliver information about risk-reward tradeoffs “in a fact-based way.”

A CRO advising that it's dangerous to write windstorm coverage in the Southeast isn't providing any information that's particularly valuable, especially if there's a profit opportunity the company wants to pursue in the region, she said.

Instead, CROs should outline probabilities of potential loss and rewards, as well as how to mitigate risk–ways to pursue risky strategies while analyzing risk concentrations, and putting controls in place to reduce the threat of cataclysmic exposure.

Even where CROs said they were specifically charged to review risk-taking activities that exceed certain thresholds at their companies, they said the goal is to make sure that risk takers move ahead with their eyes wide open.

For example, Mr. Angelina at Endurance serves on a management committee comprised of the CEO, the CUO, the CRO and general counsel, which reviews onshore business that falls outside referral thresholds set by Mr. Angelina and the CUO. The committee typically meets twice a month, but during renewal season last year, “we met daily because we wanted to get the portfolio into a certain shape,” he said.

A referral “doesn't mean we don't want to write it. It just means it needs a second set of eyes,” he said, describing the referral process as a control that simply “forces people to bring their game up a little.”

“The important thing is that understanding risk becomes a cultural issue at the company,” he said. “Our view is that risk doesn't sit with just one person,” he added, describing a committee approach to risk management that was a common theme among the CROs interviewed by NU.

“I think the CRO idea is a good thing.” But risk management can be accomplished without a CRO,” according to Mr. Angelina.

“It's more important to have a culture in place and a group of people thinking about risk day to day–at the point of sale and throughout the company–than to have a CRO,” he said. “The CRO enables [risk] to be coordinated and talked about. But at the end of the day, if you have a CRO that's not engaged with the business, the management and the board, it's not worth it.”

Still, as rating agencies put more emphasis on analyzing enterprise risk management, it may become more important for a company to have an individual executing the CRO function, said Kenneth Kurtzman, executive vice president and CRO for Platinum Administrative Services in New York, the service unit for Bermuda-based Platinum Underwriters.

He noted, for example, that if a CFO or chief actuary handles the risk function, rating analysts will naturally ask who manages the financial risk. They see it as “a bit of a conflict of interest for the risk manager to be the risk owner,” he said.

In general, CROs agreed that rating agencies will make the jobs of insurance industry risk managers in the United States a little easier in years to come, mirroring a push that regulators abroad have given to ERM in recent years.

“Up until now, you've had to simultaneously convince people that risk management was worth investing in. At least now, firms understand that they need to do something,” said Mr. Mango, noting that ERM was not a priority for most companies before 2006.

“There are some companies that are early adopters of any new thing,” he said, noting that such companies jumped on ERM as much as 10 years ago. But there are others that will only do something if forced, and in the middle are firms that largely move on a peer-assessment basis. “They look around and wait until a critical mass of peers have invested in” any new activity, he said, identifying this as the current state of the industry with respect to ERM.

He predicted that over the next two or three years, “as the rating agencies really raise the stakes,” critical mass will be reached, making ERM almost a mandatory aspect of insurance operations.