Roads to Resilience

executives will have regular contact with each other” (Chief Actuary General Insurance). Effective communication between specialist areas is stressed at Zurich because “one of the differentiating features of an effective insurance business from one that’s perhaps less good is the sharing of information across functions. This is absolutely key, should there, for example, be a legal change impacting a product that we sell; this may lead to a need for the actuaries to set aside higher reserves for past claims, but which may also impact how we view that product from a future marketing, pricing and underwriting perspective. To not make these connections across functions can leave an insurer fundamentally exposed. Zurich expends significant energy and has institutionalised formal frameworks to address this” (CEO UK General Insurance).

There are ‘three lines of defence’ required to produce comprehensive Enterprise Risk Management. In the case of Zurich, as at other insurers, these are explicitly built into the structures and processes. The first line is operational management practice, which is guided by the Risk Management Framework; performance is monitored through a formal process and specific metrics, which are reported up through the line structure. For example, the Chief Actuary is responsible for ensuring that the provisions and reserves are adequate to meet the costs of all claims from any business that Zurich has previously written around the world. The second line is compliance with policies and procedures, overseen by the legal and compliance functions as well as by Risk Managers, who have dual reporting to local management and through to the Chief Risk Officers (CROs) for each business segment and each region. The CROs form a network across the whole business. There has been significant growth in this aspect of insurance companies over the last 10 years as the focus on risk management has intensified.

CROs are responsible for the ‘Risk Management Framework’ – the policies, controls, tests and processes – both defining them and ensuring there are no policy breaches. Although there is a high degree of internal trust, “it is reinforced by the risk and control framework” (Chief Actuary General Insurance). The CROs, who were introduced around 2000, perform more of an assurance and review function than an assessment function, although they do collect and analyse data and model it for certain risk types to assess the potential financial impact. They write reports to the appropriate executive teams, and the Group Chief Risk Officer does the same for the CEO. The CROs have a direct line to the unit CEO and the Risk Committee. “There are no blocks to the risk officer in our company” (Chief Risk Officer General Insurance). The third line of defence is Internal Audit (plus External Auditors and Regulators), whose role includes review of operational integrity and objective evaluation of the key risk areas in the business and the overall risk of the business model.

Business structure

Strategy, tactics and operations

Many organisations have risk management processes that are detached from strategy. In the insurance industry, ‘risk mitigation’ up-front reduces the likely damage from an incident and ‘resilience’ is what produces an effective recovery. Zurich has business continuity plans for every country, backed up by a Group Crisis Protocol, which proved very effective after the earthquakes in Chile and New Zealand. This applies to the company


Appendix A Case study: Zurich
