Four steps for managing risk at the CEO level – McKinsey
Adapting to a fast-changing risk landscape has become a priority for most organizations, a necessity made more evident by the global pandemic and recent geopolitical events. At the same time, chief executives are under more pressure than ever to reconcile agendas from multiple stakeholders affecting their organization. The convergence of these two trends means that CEOs need to take an increasingly active, innovative role in shaping their organizations’ approach to risk, playing both offense and defense.
Experience shows that organizations that create strategic distance from their competitors have elevated their risk agenda and share some common traits in that regard. They anticipate and manage risks effectively as a core element of their customer value proposition while maintaining their entrepreneurial spirit and making bold moves. These types of organizations have greater alignment on strategic trade-offs and transparency on how much risk capacity they have and where to best deploy it. They have a strong risk culture and, when shocks occur, pivot quickly and reinvent themselves decisively. And because of the significance of the many underlying decisions, chief executives need to take charge. CEOs who elevate their role as the ultimate risk decision makers and partner with the executive team (especially business leaders, chief risk officers, chief compliance officers, and chief financial officers) are better able to leverage modern risk management.
While the elevation of the risk agenda has been ongoing, it has recently picked up speed, as major international events demonstrate. In 2000, for example, just a dozen sessions (of nearly 250) of the annual meeting of the World Economic Forum in Davos focused explicitly on risk. Today, nearly half typically focus on how to manage a wide spectrum of risks and build resilience. Or consider the boardroom dynamic, which affects the CEO agenda. According to the latest McKinsey Board Survey, which includes more than 1,000 directors globally, risk management ranks as one of the five top priorities for boards in 2022. As more directors become acutely aware of their fiduciary responsibility in a changing risk environment, they need to better understand the new risk agenda themselves and demand more from the management team on this front.
For many organizations, the pressure is compounded by the rising expectations of the media, regulators, investors, customers, employees, and society at large. Firms are more frequently expected to take a stance on a range of public issues that may be politically charged—such as social and racial justice, economic inequality, and climate change. There is also increased scrutiny and amplification of incidents that could subsequently create significant reputational risks and represent career turning points for chief executives.
We believe that a CEO’s risk agenda should include four key dimensions (exhibit):
- Ensure that the organization has robust risk management capabilities appropriate to its size, complexity, and aspiration.
- Orchestrate alignment on strategic trade-offs to capture the upside while protecting the downside for the top risks, supported by a clear risk appetite.
- Promote and role model a risk-aware culture that supports entrepreneurship and a growth mindset while protecting the organization.
- Lean in personally in high-stakes risk-related decisions for which the company has not yet developed fully mature capabilities.
In this article, we focus on each of the dimensions that can help CEOs rise to the challenge. To make it specific, we focus on insurance as a concrete case, an industry that is at the heart of both taking risk and helping others protect against risks. Our perspectives are informed by discussions with insurance CEOs, chief risk officers (CROs), and other executives and stakeholders around the world.
Ensure that the organization has robust risk management capabilities
Since the global financial crisis of 2008, many sophisticated insurance companies have built stronger risk capabilities across three lines of defense: business and corporate functions in the first line, risk and compliance in the second line, and internal audit in the third. But there is a wide spectrum of maturity across insurers and financial services more broadly. It is the CEO’s role to continuously elevate that risk maturity to the appropriate level for the size and complexity of the institution.
What does risk management maturity look like? Processes and governance structures ensure that key risk decisions are appropriately evaluated and, when needed, escalated and challenged. Risks are owned by the business, but the right checks and balances provide the necessary guardrails and challenges without preventing agile decision making. The risk functions understand sources of value creation and translate technical risk concepts into novel insights that are useful to the business. There is a clear sense of priorities and direction, given the multiplicity of sometimes conflicting capital constraints (GAAP, STAT, economic capital regulatory requirement, etcetera). Systems and advanced analytics provide support and insights to monitor financial and nonfinancial or operational risk positions across business units, functions, and geographies and at the enterprise level. Risk capacity is measured transparently and allocated strategically. Talent is hired and trained to provide expertise on well-known and emerging risks; internal as well as external sources of insights are leveraged for business decisions.
Once an organization reaches risk management maturity, its CEO can rely on solid day-to-day practices. As one chief executive put it, “My job is to ensure that we collectively reach such a maturity by allocating adequate budget, hiring the required talent internally and externally, structuring the right operating model across lines of defense, and supporting adequate board-level governance. I also set the tone on our overall enterprise-level risk appetite.”
For a CEO, knowing where the organization stands across these dimensions, how it compares with best-in-class institutions, and how to improve along this journey is critical (see sidebar, “Managing high-stake risks: A checklist for CEOs”).
Orchestrate alignment on strategic trade-offs
In today’s rapidly changing environment, organizations need to be able to play offense and defense at the same time. This is the core of a modern strategy that incorporates a thoughtful amount of controlled risk-taking to enable sustainable returns. Typically, the role of the CEO is particularly important in this space. For risks where the upside and downside are sizable and interconnected, no single executive other than the CEO is in a position to balance all aspects and trade-offs. CROs and chief compliance officers (CCOs) would naturally be in the best position to manage the downside, while business leaders would more naturally take actions to capture the upside opportunities.
Consider a few examples. Being bold can mean deciding to enter or expand in foreign markets. Some markets present significant opportunities for life and nonlife insurers given the significant insurance gap there. But there is an inherent trade-off, given geopolitical and business risks that have emerged recently. Where to play (home or abroad) and how intense the resource (re-)deployment should be are fundamental and complex questions. Aligning the organization’s stakeholders on choosing one path over another typically requires the CEO’s capacity and final determination.
Or consider climate change and sustainable and inclusive growth. Insurance companies, either through their asset management strategy or their underwriting portfolio choices, are inherently involved with those that are contributing to anthropogenic climate risk as well as with those who suffer from it. We believe this is a true moment for insurers globally. They can either accelerate or hinder progress toward the green transition. We also foresee more frequent extreme events leading to massive risk redistribution, demand for innovative products, and questions about who should ultimately pay for climate catastrophes in both mature and emerging markets.
Our most recent research suggests that the climate change transition will create massive capital redeployment. Capital spending on physical assets for energy and land-use systems in the net-zero transition between 2021 and 2050 will amount to about $275 trillion, or $9.2 trillion per year on average—an annual increase of $3.5 trillion from today. Insurance companies and their CEOs must judiciously consider the higher-level trade-offs and meaningfully engage internal and external stakeholders to clearly articulate the near- and long-term position. This becomes an even more important dimension as more regulators around the world ask for detailed climate risk disclosure for public companies that is reliable, auditable, and comprehensive (including the 2022 proposed SEC rule in the United States). At the same time, a holistic impact strategy that correctly incorporates climate transition trends is likely to be a key source of material advantage for a long time to come. Such a strategy could focus on new products for property and casualty (P&C) insurance, for example, or investment portfolios for all insurance carriers. It should factor in both physical trends, such as changing hazards, and the likely influence of customers, regulators, and investors on future states.
Climate transition brings meaningful upside opportunities, because investment in greener technology is expected to lead to the emergence of new and growing sectors (including those focused on energy generation, storage, green transportation, and construction) that require insurance protection to succeed. Many of these nascent sectors are unable to secure favorable funding (for example, through debt) due to limited insurance capacity today. How much risk capacity to allocate and who to partner with are CEO-level decisions.
Finally, insurance carriers face societal pressure to keep rates affordable for small businesses and individual consumers, especially in economically challenged communities, even if that means that the insurance premiums would no longer reflect the true risk exposure. This pressure challenges market viability without government intervention, as experience shows in several US coastal states and several European countries. Insurance affordability issues are likely to be elevated further as risk continues to increase. These issues often thrust the CEO into the public arena, so CEO-level alignment is needed here as well.
Promote a risk-aware culture that supports entrepreneurship
A strong risk culture is becoming table stakes in the value proposition of many companies. Customers and employees expect it. An important challenge for risk-mature organizations is how to ensure a strong entrepreneurial drive while promoting robust risk awareness and accountability. Especially among large financial institutions, the noble objective of building strong risk capabilities sometimes drifts into the creation of an oversize and inefficient bureaucracy of redundant controls. “We really need to take a step back and cleansheet,” a senior insurance executive recently told us. “Where do we truly need to allocate our risk management capacity moving forward? How do we link this to where the value is created, versus adding layers after layers of controls?”
By elevating the importance of risk culture in the business and by adopting a risk lens for all key business processes, organizations can create a more efficient and cost-effective operating model in the second and third lines. In these instances, CEOs should set the right tone from the top across several dimensions. Concrete actions include encouraging regular, open, fact-based discussions about risk at the senior-management level. CEOs should also involve the risk function as a thought partner from the very beginning on topics such as strategy, new products, market expansion, distribution channels, technology, and even customer experience and advanced-analytics transformation.
For example, most insurance companies are currently pursuing investments in advanced data and analytics capabilities to improve pricing and claim management. Machine learning models and third-party data can unlock significant value for insurers and their customers as they provide new and deeper insights and enable automation of tasks previously done manually and prone to error.
In some cases, however, the use of such advanced models and external data can lead to financial, regulatory, and reputational risks. Take underwriting models in life insurance. They can enable seamless customer experience (for example, through real-time decisions on applications), but they can contain and mask biases against minorities and underrepresented groups even if racial and demographic data are excluded from the models. Appropriate response and guidance from risk practitioners (from risk, model validation, compliance, and legal functions) can help mitigate these risks upfront without stifling further exploration and innovation. However, the organization’s risk culture often needs to evolve to be able to understand, assess, and appropriately manage these types of risks from inception.
CEOs must also make it clear that risk management is the responsibility of the entire organization, not just those individuals with the word “risk” in their title. Good practices include simulation exercises, stress testing with a wider spectrum of scenarios, and even inclusion of risk management consideration in employee compensation and annual review. As our colleagues Carolyn Dewar, Scott Keller, and Vikram Malhotra demonstrate in their recent book, which analyzes the best-performing CEOs, “regular stress-testing can reveal opportunities to make a business more resilient. It can lead to divesting underperforming businesses, cutting excess costs, doubling down in high-growth geographies, enhancing the M&A plan, and improving the effectiveness of the top team.”
What many of these high-performing executives have in common is that they always analyze the potential downside risks of bold moves and how to prevent them, so they avoid surprises down the road.
CEOs must make it clear that risk management is the responsibility of the entire organization, not just those individuals with the word “risk” in their title.
CEOs should regularly measure their organization’s risk culture too. Many tools are available to conduct risk culture diagnostics. Such an exercise can help CEOs develop an understanding of how each part of the organization integrates risk considerations into the way it works, allowing CEOs to prioritize risk efforts organizationally.
Lean in personally in high-stakes risk-related decisions
Not all risks should reach the CEO’s office. When the core is working well and a culture of risk management supports entrepreneurship across the organization, CEOs can focus on a select number of high-stakes decisions related to risk. A simple but effective way to identify these decisions is to consider two dimensions: low-to-high risk materiality and low-to-high maturity of the organization to manage that risk.
A given risk’s position along these two dimensions will differ across organizations, even among businesses in the same company and over time. In general, financial risks are certainly material for insurance companies, but in most cases, they are handled well by existing processes. In contrast, the immediate management of some nonfinancial risks (including conduct, model errors, third-party risk, and operational resilience) and emerging risks—such as cyberrisk, climate risk, crypto, pandemics, and geopolitics—is likely beyond the existing core risk management capabilities of many insurance carriers. CEOs need to focus their attention on material risks in areas where their organizations lack sufficient maturity. This is especially true of high-velocity, high-ambiguity situations and situations with the potential to significantly affect the reputation of the firm.
High velocity, high ambiguity
A prime example of this is the deadly COVID-19 pandemic, which also caused a rapid pace of change (weeks versus years) to customer and employee behaviors, possibly on a permanent basis. To be clear, the test is not whether organizations were able to move all their employees to remote work in just a few weeks back in 2020; virtually all organizations globally did it. We believe a longer-term test is yet to come. CEOs will need to address important questions about how to adjust to new modes of customer interactions that have resulted from accelerated digitalization at scale and how to confront the risks of not doing it right and in a timely way. They have to consider the implications of changing the mix of products and distribution channels versus favoring the status quo. We also see an innovative redesign of the employee working model to retain talent.
CEOs will need to address important questions about how to adjust to new modes of customer interactions that have resulted from accelerated digitalization at scale and how to confront the risks of not doing it right and in a timely way.
Cyberthreat is another risk that has escalated to the agenda of the CEO, because cyber missteps can have a significant business impact beyond operational losses. Today, trusted digital experience is an integral part of any winning customer value proposition: customers (whether B2B or B2C) expect a flawless experience and heightened security. To achieve this, businesses often impose security standards on all third-party vendors, as the US Department of Defense recently established through the Cybersecurity Maturity Model Certification (CMMC) program. CMMC mandates new cybersecurity requirements for all companies that are part of the vast defense industrial base.
What’s more, cyberrisk is rapidly changing by nature. For example, many hacker groups have expanded their ransomware targets to include personal customer data, IP, payroll information, system codes, and other elements that are important to businesses. As a result, hacked organizations are more willing to pay to restore private access to their own data and normal operations. In fact, media mentions of ransomware attacks on financial services firms have gone up 900 percent in the past six to eight years.
Organizations should also consider the impact of nontechnical attacks on systems. What would happen if hackers used misinformation to create a false story that went viral about a publicly traded organization, which in turn quickly drove down the stock, allowing the hackers to make money on selling short? On all of these topics, it often takes the CEO’s influence to move from a purely technical discussion on cyber to an understanding of the vulnerabilities along the value creation chain and how it can be disrupted.
Navigating an organization’s diverse stakeholders is also ambiguous in nature. Customers and employees require companies to have a clear purpose beyond shareholder value maximization and increasingly demand absolute integrity from their executives. What’s more, CEOs are expected to take public positions on a growing number of issues. Some relate closely to the business, while others are more societal and often beyond the scope of the company or the industry. Not all of these issues are controversial, but every case requires the direct involvement of the CEO, who represents the company and faces public scrutiny. This is where clearly defined purpose and values matter most; those provide a solid guidepost to the chief executive regarding which topics to take a public stand on and when it is better not to.
As the world continues to transform at a rapid pace, the CEO’s new risk agenda will be complex and ambiguous but also exciting. By elevating their role as the ultimate risk decision maker, CEOs will expect more from their management team (including the CRO) in shaping and executing the strategy, and they will make better investments in modern risk management solutions. Ultimately, this shift creates a more resilient foundation for the business to thrive. It increases transparency into the risks the organization is taking to remain ahead—and into those it should take. When it is done well, customers are better served too.
Discover Past Posts