Photo caption: As recently as 10 years ago, enterprise risk management (ERM) was still in its formative stage. (iStock)

Any discussion about organizing and governing risk management in a financial services company typically includes the "three lines of defense" model. There are different interpretations of the three lines' roles and which functional departments fit into each line, which are broadly defined as follows:
  1. First line: Those that own and manage risk
  2. Second line: Those that oversee risk
  3. Third line: Independent assurance
What also differs is how successful this model has been over the last 15 years. Regardless, it needs to change given how the insurance industry and its risks have changed over the past decade — and will continue to change.

Forces reshaping industry needs

PwC recently surveyed more than two dozen board members and chief risk officers (CROs) on risk strategy and organization topics. When we asked what they thought would most likely present the next significant risk to their industry, more than 40% chose "a major strategic disruption," while only a third chose "another financial crisis."

What has also changed is the nature of traditional risks. A number of factors, including continued low interest rates, changing buyer preferences, and more robust risk measurement and management, have shifted the traditional risk set more toward insurance risks. In the same survey, nearly 20% saw "a catastrophic insurance event" as the next significant risk.

A second shift our survey revealed was toward greater emphasis on using risk to improve company performance. More than 70% of respondents agreed that, over the last several years, insurers' risk management activity has tended to focus on solvency and regulatory uses. When we asked where risk management should focus in the future, virtually all respondents said on a better understanding of risk to improve the company's risk-adjusted performance. In fact, more than 80% "strongly agreed." This move toward using risk in performance management doesn't imply that insurers should abandon solvency and regulatory uses. Companies and their CROs have enough bandwidth to do both.

This is the third shift that we observe. As recently as 10 years ago, enterprise risk management (ERM) was still in its formative stage. During those years, insurers devoted much effort and many resources to developing and testing basic concepts and building a workable infrastructure to deliver economic capital metrics. That effort has now borne fruit. As a result, rather than spending to create the framework, CROs can apply that expenditure to making better business use of what they have built.

Recommended enhancements

The first enhancement we recommend is to define the roles and responsibilities of the CRO and risk function on their own, rather than generalizing them as one of many second-line functions. Roles should be more precisely defined than "own and manage" for business owners, "oversee" for risk management, and "independent assurance" for internal audit. In our recent survey of board members and CROs, we asked if respondents agreed or disagreed with the statement: "It is important to have a single C-level executive, other than the CEO, who is the focal point of all risk matters in the company." Nearly 90% agreed, and nearly 75% agreed strongly. The CRO's focal point needs to be on more than just overseeing risks, and companies should identify and directly assign the CRO the following responsibilities:

  • The establishment of the insurer's risk framework, including the risk taxonomy to be used throughout the insurer;
  • The measurement of risks, which should include risk quantification when it's feasible and rankings or prioritization when it's not; and
  • Ownership of the risk appetite statement.
Many parts of the organization can and should contribute to its development, but the CRO should be responsible for collecting all this input and developing the final version.

There was significantly less consensus in other areas of the survey. About half agreed and half disagreed with the statement, "It is important that the CRO not make decisions to accept or reject risks, as doing so would undermine the CRO's independence." After follow-up discussions with the respondents, it became clear that the overall appetite should be the CRO's responsibility, but business owners could make tactical decisions consistent with that appetite.

Very little enhancement is needed in defining the internal auditors' role. The Institute of Internal Auditors provides a fulsome description: "To be effective, internal audit needs a free hand to investigate matters in risk management and elsewhere. But the function should be careful to ensure that it does not develop and propose alternatives."

Lastly, the governance framework needs to more directly embrace models and model risk. Models are critical decision-making tools for insurers. Model risk management provides the ability to add value to business decision-making. For example, assessing a model's conceptual soundness is risk management's responsibility. This is particularly the case for any risk-based decision-making embedded in the model. Risk management is appropriately removed from business activity and has the overall enterprise-wide risk perspective necessary to make that assessment. On the other hand, the model owners could do (and periodically re-do) much of the work of replicating calculation accuracy.

Where to next?

It's easy for an insurer to say it follows the three lines of defense model. However, if it wants to leverage risk management to improve business performance, then it should take a closer look at the roles that specific functions should play and assign clear responsibilities at a sufficiently detailed level to establish whose job is on the line in the event of a risk governance failure.

Henry Essert ([email protected]) is PwC Insurance Risk Management Leader, focusing on ERM, compliance, and management's and directors' respective roles and responsibilities in managing risk. The opinions expressed here are the author's own.
