Insurance: Transforming risk and compliance

In the decade between the global financial crisis and the COVID-19 pandemic, many insurance companies focused their risk and compliance activities on protecting themselves from downside risks and meeting ever-evolving regulatory requirements. Today, a significant transformation is gaining steam as insurers must reinvent themselves in the multiyear reality of COVID-19, increased levels of uncertainty, pressures for efficiency, and the need to be resilient and relevant by tapping new sources of growth. The risk and compliance functions are expected not only to go on protecting insurance companies from downside risks but also to shift toward providing them with strategic advice to support growth (for instance, new business) and change (such as company-wide cost and tech transformations).

At the same time, the risk and compliance functions need to perform second-line risk reviews and to help the business, as the ultimate risk owner, connect the dots on key issues. Deep dives on business performance, such as unusual claim patterns or better-than-expected customer-retention levels, can help inform business decisions. And forward-looking metrics for financial and nonfinancial risks, combined with regular stress testing, are important to ensure that the business is operationally resilient and functioning in a safe, sound manner across an extended risk and compliance landscape.

The scope of these demands is posing a creative challenge for chief risk officers and chief compliance officers (CROs and CCOs). In response, some insurance companies are beginning to restructure these functions extensively so they can fulfill their new responsibilities in a more effective way. For some insurers, the change is about beefing up their game and expanding the risk and compliance functions to meet the new expectations. For others—companies that had significantly expanded the functions after the financial crisis to meet specific regulatory requirements—it is about right-sizing and developing a true value proposition, beyond regulatory issues. By supporting a number of insurers that were making this journey, we have identified several key elements that companies should consider when they restructure to create the risk function of the future.

A new role for the risk function

Elevating risk and compliance leaders to take a seat at the strategy table gives them a way to discuss business priorities in the context of a company’s appetite for risk, as well as ways to mitigate it. Since the leaders are not caught up in day-to-day operations, they have a very valuable, high-level view of the balance sheet, operations, and emerging trends, and these advantages put them in a position to see future possibilities that others might ignore. Including these leaders in the strategic-planning process and in company-wide transformation efforts (to grow, cut costs, and modernize tech, for example) helps to keep insurers from becoming either too aggressive and making bad bets or too conservative and missing opportunities their competitors will seize.

The risk and compliance functions also play an important role by conducting various types of stress tests—for instance, rapid stress testing to assess and act quickly on sudden new exposures to real or simulated events. Enhanced stress testing, which tends to be a longer-term exercise, helps the organization to maintain the financial health necessary to execute its strategic plans and to better prepare stakeholders for its efforts to manage through uncertainty.

CROs also have an important role to play when business trends move quickly—for instance, helping to optimize capital tied up in legacy blocks for life insurers (see sidebar “Legacy block solutions”). CROs should also help insurers develop a strategic risk-management framework on topics related to environmental, social, and governance (ESG) issues and climate risk, for both investment and underwriting decisions (see sidebar “Defining the strategic management framework for environmental, social, and governance issues and climate risk”).

How to build the risk function of the future

To execute these new responsibilities, the risk and compliance functions must be agile and proactive, delivering results cost-efficiently. They must tap into the power of advanced analytics and automation so that their people can focus entirely on the activities that most need human judgement: mapping key processes and leveraging technology advances. Ideally, risk and compliance employees should also focus on modernizing the rigid legacy systems and processes that inhibit the sharing and cross-checking of data in a timely manner, which is vital to evaluating exposures.

That’s a tall order for many existing risk and compliance functions in insurance and will require a paradigm shift at most of them. While the pivot to a more agile, proactive, and cross-functional setup will be different in every organization, certain common design elements are a useful guide:

  • Simplify divisional, regional, and functional risk and compliance structures to make them more business oriented and agile.
  • To avoid duplicating activities in the new paradigm, clarify roles and responsibilities across the first and second lines of defense for all risks, including emerging ones.
  • Educate risk and compliance employees about the strategic challenges and aspirations of the business, which remains the ultimate risk owner as the first line of defense.
  • Continue to foster the businesses’ ownership of risk and enhanced risk culture, especially when growth is the strategic imperative.
  • Create centers of excellence to share added-value standardized services in a consistent manner.
  • Using a standardized enterprise-wide approach, acquire timely and accurate data obtained internally, as well as externally from gold-standard sources.
  • Seek out tech- and analytics-savvy talent that understands the business and has expertise in specific hazards (such as technology, cyberrisks, models, and climate).
  • Apply the risk-based approach consistently to ensure that attention is always focused on what’s most important.
  • Avoid check-the-box risk exercises that might provide a false sense of preparedness but that also ignore the larger strategic picture.
  • In all large transformation efforts, which many insurers are currently experiencing, be a central partner from the beginning, so risk and compliance teams better understand how other functions and the business will change. Also, play the second-line role in identifying potential risks and oversee their management during the transformation.

Companies that already have robust risk and compliance operations face challenges that differ from those of companies that lack them. In particular, they can have a deeply (perhaps too deeply) embedded compliance mindset, and headcounts often grow to 1 to 2 percent of an insurer’s full-time equivalents. The risk and compliance functions of the future should strive to be a more business-focused strategic partner and a leaner, less expensive cost center. The necessary changes do not involve compromises in protecting the insurer but rather modernizing the functions and making them more efficient.

For insurers that have not yet developed a strong second line, now is the time to invest in efficient, effective risk and compliance functions by adopting a cross-functional approach and coordinating the activities of the first and second lines of defense, such as the design of controls, automation, and digital processes. These companies have a compelling opportunity to leapfrog their competitors by building, from scratch, an operating model that harnesses analytics and automation and runs on a flexible architecture, which allows insurers to integrate new business and regulatory requirements quickly and to support new business use cases more effectively. The critical elements of success include getting risk and compliance teams to work together in a complementary rather than redundant way and defining their governance model and organizational structure.

In an environment of rapid change and competitive pressures, some insurers have an often underutilized source of brainpower. When the risk and compliance functions take a seat at the strategy table early on, they can support both day-to-day and transformative decision making. This support not only advances growth strategies that create healthier balance sheets and stronger bottom lines but also improves the experience of employees and customers, as well as an insurer’s overall reputation.