In late 2010 Ray Pickup, with the approval of the board, created the chief risk officer (CRO) position, designating Dan Hair, who had been and would continue to serve as the Chief Underwriting and Safety Officer, as the first CRO. An additional committee of the board, the Risk Oversight Committee, was also created. The job description for the new CRO position contained several key elements (see WCF Chief Risk Officer Job Description). First, the CRO was to report to the president and CEO but with additional reporting responsibilities to the board and the newly formed Board Risk Oversight Committee. This was reinforced by the CEO, who encouraged direct access to the board by the CRO, including the airing of any differences of opinion. Second, the CRO was to have access to all areas of the company and its affiliates. This was fundamentally important if the CRO was to have an enterprise-wide understanding of all the risks facing WCF. Third, implicit in the job description and explicit in the WCF Risk Policy (see WCF Risk Policy) is the idea of excellence in the development of a program that is suitable and appropriate for WCF.
January 25, 2011: Initially the CRO, working with Chief Financial Officer Scott Westra, developed a preliminary risk assessment matrix to be used by the senior officers in a Delphi qualitative assessment of all risks facing the company. Each executive was asked to look at a list of risks provided by the CRO, add to it any risks they felt should be considered, and score the severity and probability of those risks. Several meetings followed with the entire senior team to come to a consensus on the matrix, scores, and risk list. Initial results were then presented to the entire Board, which resulted in further refinement of the matrix and heat maps (Exhibits 11.1 and 11.2). The Board and management were in agreement that risk appetite should primarily be evaluated by impact on WCF surplus. This was later refined to include statutory combined ratio and operating income. Senior management was explicitly tasked with developing mitigation plans for any risks scoring in the red area of the heat map.
WCF Chief Risk Officer Job Description
The purpose of this position is to develop and monitor the Risk Management strategy, policies, and processes under the direction of the CEO, Board of Directors, and Board Risk Oversight Committee. Ensure that appropriate risk assessment and mitigation strategies are developed for all core functions of WCF.
Nature and Scope
The Chief Risk Officer (CRO) is a Senior Executive with 10-15 years of experience who has a broad understanding of all key areas of the business. The CRO possesses management experience in key business areas with proven ability to provide strategic direction and leadership. He/she has superior analytical, presentation, communication, and facilitation skills. The incumbent usually possesses advanced degrees and/or technical certifications in accounting, actuarial, risk management, operations, or finance.
Performance is measured on overall achievement of company financial objectives and the effectiveness of the ERM program in developing and implementing the best approaches for protecting WCF, its employees, and assets.
1. Develops and communicates an appropriate Enterprise Risk Management (ERM) infrastructure within WCF by working cooperatively with the Senior Officers as a group and with each department in a collaborative manner.
2. Under the direction of the CEO, works with other company executives and the Board Risk Oversight Committee to develop an ERM strategy for WCF that identifies, quantifies, and mitigates risks facing the company. Provides appropriate risk reporting.
3. Consults with and provides assistance as requested to WCF affiliates and subsidiaries. Works with them to ensure that appropriate ERM planning is in place.
4. Facilitates enterprise-wide risk assessments and monitors the capabilities around managing priority risks across the organization.
WCF Risk Policy
Failure to manage risk, whether it is financial, operational, or reputational, may subject the Company to negative outcomes. These outcomes could impact our customers, colleagues, partners, and the viability of our business. Managing risk reinforces our corporate values of compassion, accountability, and expertise.
Consequently, every employee, WCF department, and affiliate will continually assess and monitor risks of all types. Under the direction of Senior Management and the Board of Directors we will take appropriate mitigation actions consistent with our mission of excellence.
In subsequent months the CRO met with the leadership of each WCF department and affiliate to explain the importance of the ERM program, why it was being launched, and their role in it. Basic risk management training was given to them along with a modified departmental risk matrix. Their views on risks within the company and their departments were solicited, and they were guided through the development of their own heat maps. At the same time the initial meeting of the Board Risk Oversight Committee was held and the duties of the Internal Risk Committee (IRC), chaired by the CRO, were established (see WCF Internal Risk Committee Duties). This effectively created an ongoing three-level review of risk consisting of the board, senior management, and key company leaders.
Exhibit 11.1 WCF ERM Risk Management Matrix Values
In its initial meetings, the Board Risk Oversight Committee, which meets two or three times per year, approved the IRC Charter and gave direction and feedback regarding initial efforts. One valuable suggestion was to do a risk survey of the entire company. Although approximately one-third of WCF employees had already been involved in ERM activities to date, this was a very helpful idea. Over 50 percent of all employees responded (see 2012 All-Employee ERM Survey). The survey was done electronically with optional anonymity for all participants.
Exhibit 11.2 WCF Risk Assessment Matrix; the increased darkness corresponds to the risk, i.e. low = least dark, medium = middle shade, and high = darkest.
Under 4: Category 1: Risk reduction actions discretionary, risk acceptable
4 to 8: Category 2: Ongoing risk assessment appropriate with informal mitigation but may be within risk tolerances; to be discussed with Internal Risk Committee
9 or greater: Category 3: Unacceptable risk, triggers scenario planning and development of mitigation plan to be presented to Board Committee
Initial IRC discussions were robust and enthusiastic. The mix of company officers, managers, and risk champions worked effectively together. Many of the risks contained in the consolidated risk list they developed were also identified by the senior group and the company-wide survey. Having broad agreement on which risks were most important was very helpful and allowed effective focus. Early on it was decided to split the list of risks thus developed into two sections. The first section contained the risks that the IRC, as department leaders, could impact and manage. The second-tier risks were those that were of a strategic nature or could only be managed by senior management.
The initial duties of the Internal Risk Committee were to review all the department risks, consolidate them where possible, and come up with a consensus scoring using the risk matrix. The committee was split into a gold team and a blue team to accomplish this and report back to the IRC, whereupon a consensus was reached. Mitigation plans were discussed and developed where appropriate. In some cases this involved tailored mitigation steps. In many others it was determined that existing WCF and department management protocols and procedures were adequate. It is the ongoing duty of the IRC to meet quarterly to discuss the adequacy of existing mitigation efforts and to consider new risks. In each meeting of the IRC, members are asked to again consider the question "Have we adequately protected the company against these risks?" Many of the early discussions of the IRC were taken up with data security concerns, particularly relating to the Health Insurance Portability and Accountability Act of 1996. The committee also focused on cyber risk, other operational risks, affiliate risks, and compliance risks.
As a final note to this section, developing and maintaining positive and helpful relationships with other executives is very important. Two roles that are especially important at WCF are the CFO and the company's head of Internal Audit. At WCF they work closely and effectively by fully sharing information, both internal and external. Both the CFO and Internal Audit leader participate in the IRC. The CRO has no direct authority over other executives, so he or she must work in a collaborative manner, building consensus as to needed measures and ERM development. Should problems arise, the CEO has been willing to intervene in support of the ERM program, but that has rarely been needed.