GAIP

A National Chief Risk Officer? Really?

By Min Hung Cheng

9 October 2024

In June this year, I had the privilege of attending the Insurance Development Forum (IDF) Summit in London, where I had a front-row seat to a very inspiring opening panel discussion helmed by the esteemed speakers H.E. Mia Amor Mottley, Prime Minister of Barbados, Michel Liès, Chairman of the IDF Steering Committee & Zurich Insurance Group, and Jonathan Dixon, Secretary General of the International Association of Insurance Supervisors (IAIS), moderated by Ekhosuehi Iyahen, Secretary General of the IDF.

During the discussion on country-level resilience in the face of a worsening risk landscape, panellists started to discuss why most companies have a Chief Risk Officer but countries do not. This was truly a light-bulb moment for me and, I believe, many in the audience that day. Yes! Why not?

In the face of ever-evolving global risks, from natural disasters and pandemics to cyber threats and geopolitical instability, and not forgetting the day-to-day risks that individuals, families, and businesses face in terms of mortality, health, business disruptions, etc., perhaps there is a case for a holistic approach to all these risks at a national level. This seemingly unconventional idea, when thoroughly examined, reveals potential benefits that could significantly enhance risk management at the national level. Effective and efficient risk management at the national level will mean better stability for economic and social progress.

Risk management at the national level

In a corporate environment, the Chief Risk Officer has overall responsibility for risk management across all risk categories/types and for ensuring that appropriate risk management practices are in place, which could encompass any or all of the following:

  • risk prevention, mitigation, or adaptation measures such as ensuring the proper governance process is in place to mitigate operational risks,
  • risk transfer measures such as ensuring that the company has the appropriate liability insurance purchased,
  • risk financing measures such as ensuring the appropriate contingency budgets are in place.

At a national (or perhaps provincial or city) level, risk management is typically at a sectoral level, and very often, the mandates do not span across the categories of (1) risk reduction, (2) insurance, and (3) risk financing. A simple example: the building and construction authority of a country (or province or city) may have responsibility for proper building codes to ensure disaster resilience and for enforcement of them but will likely not have the mandate to ensure building owners have the right insurance in place during and after development, nor the mandate to ensure financing is available to support post-disaster recovery and reconstruction. Similarly, an insurance supervisor or regulator will have the mandate to ensure that insurers are providing the right insurance to the population and that they can keep their promise of a payout to their customers in the event of a claim, regardless of any (or most) adverse situations. However, the insurance supervisor or regulator may not have the mandate to ensure the population has the right level of insurance literacy to manage their own risks, be it mortality, health, or other non-life risks, via insurance.

Countries have complex, multi-layered governance structures with various ministries, departments, and agencies responsible for different aspects of risk management, and they face a broader and more complex array of risks, including natural disasters, economic crises, political instability, cybersecurity threats, and public health emergencies. All these make it immensely challenging to have a single individual, department or agency responsible for all risks. But is it impossible?

Having a national-level approach to risk management may not always mean a centralised risk management process – it can also mean de-centralised but with standardised risk management processes throughout the country[1]. This is not dissimilar to discussions in the Enterprise Risk Management (ERM) space, albeit at a much larger scale.

At a corporate level, theoretically, a CRO's risk management team may be responsible for implementing all appropriate risk management practices across all departments and risks. However, what is more common is that a lean risk team may have the responsibility to ensure that all departments have implemented the risk management practices according to the company risk management policy, appetite and guidelines, i.e., the implementation is not the responsibility of the risk team, but of the individual departments in the company. Risk teams are viewed as the second line of defence, whilst everyone in the company is viewed as the first line of defence (and internal and external audits are viewed as the third line of defence). The risk teams are typically responsible for developing and implementing the company-wide risk management policy, which will include an assessment of the company's risk appetite, risk budgets, and the corresponding guidelines where appropriate. With these in place, the risk teams are responsible for ensuring the various departments follow these guidelines and policies through risk registers, risk assessments, reporting, etc.

The question that comes to mind is – could something similar work at a national level?

The Case for a National Chief Risk Officer (NCRO)

Centralised Coordination and Efficiency

Centralising risk management under an NCRO unifies efforts across various sectors, ensuring cohesive strategies and avoiding redundancy. For instance, Japan's response to the 2011 earthquake and tsunami required significant multi-agency coordination. Several jurisdictions have dedicated agencies in place to coordinate across multiple agencies to enable prevention, preparedness, and responses in natural disaster crises, such as the Federal Emergency Management Agency (FEMA) in the United States. These agencies are central in integrating disaster-related risk management into national policy. These agencies focus on natural disasters, but their centralised approach offers valuable lessons for expanding risk management to encompass a broader range of risks.

An emerging area of risk management is the intersection of cyber risks and artificial intelligence (AI). AI touches many sectors, but without a unified approach to managing this, regulatory fragmentation can arise. Different sectors may classify AI risks inconsistently, leading to inefficiencies, potential gaps, and, hence, unnecessary resource allocation. An NCRO could address this by standardising risk management practices across sectors, ensuring a streamlined approach to AI governance and cyber risk mitigation.

By expanding the focus to include all categories of risks, an NCRO can help ensure that risk management is a central part of national economic and social policy. The NCRO's role would be to standardise and unify risk management practices across sectors, creating a holistic framework that embeds resilience into all aspects of governance rather than focusing only on disaster preparedness and response.

Enhanced Risk Identification and Management

A dedicated NCRO systematically identifies, assesses, and prioritises risks, leading to better preparedness, mitigation, and financing strategies. The US Department of Homeland Security integrates risk management across domains like terrorism, cyber threats, and natural disasters. An NCRO could further strengthen this integration, ensuring all potential risks are systematically managed. The NCRO would play a critical role in connecting risk identification to actionable, ex-ante measures, particularly regarding financial resources and stakeholder alignment. This proactive risk management can prevent large-scale disruptions, protecting the economy and ensuring continuous social services, while early risk identification enables more effective planning and response, including ex-ante solutions and not just ex-post responses.

Strategic Decision-Making

Integrating risk management into strategic planning ensures that long-term policies are resilient and adaptable to emerging risks. An NCRO can enhance this integration, supporting long-term economic planning and development. Strategic risk management directs investments to areas with the highest return on risk-adjusted investments, promoting economic growth and stability.

An NCRO can provide a neutral, data-driven voice that focuses on long-term risk management. The NCRO's role would be advisory, offering strategic insights that might help governments make more informed decisions, even in the face of political pressures. The aim is to equip decision-makers with the appropriate risk assessments needed to weigh the long-term risk-return trade-offs.

Enhanced Communication and Collaboration

An NCRO can facilitate better communication and collaboration among different regions and sectors, improving public trust and social cohesion, which are essential for a stable society. Similar to the role of the CRO in private sector companies, the NCRO's role would include fostering a risk management culture within the government. Enhancing risk literacy across ministries/agencies would ensure that risk management practices are integrated into decision-making processes, building a foundation for coordinated and informed risk responses across sectors. Coordinated efforts in risk management can lead to shared resources and cost-saving measures, optimising national efforts and reducing redundant activities.

The Challenges and Drawbacks

As mentioned above, countries have complex, multi-layered governance structures with various ministries, departments, and agencies responsible for different aspects of risk management, and they face a broader and more complex array of risks. There will be significant challenges to this concept of an NCRO. What is presented here is probably just the tip of the iceberg.

Complexity and Bureaucracy

Introducing an NCRO might complicate existing structures and slow decision-making. Increased bureaucracy can lead to inefficiencies and delayed emergency responses, negatively impacting economic stability and social welfare. Additional layers could lead to increased administrative costs, affecting the overall efficiency of budget utilisation.

Overlapping Responsibilities

In most countries, various agencies have the technical expertise and clear mandates for managing specific risks, such as FEMA, DHS, and the CDC in the United States. Adding an NCRO without a careful, thorough assessment of current agencies and responsibilities and a review of existing mandates could create overlaps and jurisdictional conflicts, making coordination challenging. Jurisdictional conflicts can result in delayed responses and ineffective risk management, harming economic activities and public safety. Overlaps can lead to duplication of efforts and resources, resulting in inefficient use of public funds.

Political Influence and Independence

Ensuring independence and autonomy within government is necessary for an NCRO to work. Politicised risk management can lead to poor advice and result in suboptimal decisions. It is recognised that complete independence will be difficult to achieve: the NCRO would still be subject to the broader political environment, and there may be instances where political expediency overrides its recommendations.

Despite this, the NCRO can serve as a key advisor that provides long-term risk management insights, balancing short-term political pressures with data-driven strategies for national resilience.

Resistance to Change

One of the key challenges for the NCRO would be overcoming resistance to change and optimism bias, which can lead governments to underestimate risks or avoid making necessary but difficult reforms.

This resistance to change and optimism bias can lead to a lack of cooperation, which can impede risk management efforts, affecting economic efficiency and public trust. Resistance can result in delays and increased costs, impacting the efficiency of budget utilisation and the implementation of new risk management strategies.

So What Next?

In my personal, and perhaps naïve, view, the concept of a National Chief Risk Officer can be a game-changer for a country's resilience and development. That said, the complexities and challenges would require careful planning, strategic execution, and ongoing evaluation to ensure the benefits outweigh the challenges. Most importantly, high levels of engagement, commitment, and buy-in across all levels of government will be required.

That said, with or without a National Chief Risk Officer, adopting a holistic and integrated approach to risk management can enhance a country's ability to withstand and recover from various risks, support long-term economic and social development, and ensure efficient and effective fiscal budgeting.

GAIP strongly believes in this holistic and integrated approach to effectively managing protection gaps, an integral part of risk management. GAIP is in the process of developing a framework for this integrated approach, and, in collaboration with the Asian Development Bank Institute and Nanyang Technological University, GAIP is also exploring the development of a tool to provide Asian countries with a comprehensive view of their risk exposures across all major risk types, ensuring that they can make informed decisions on risk management. GAIP is committed to supporting both the public and private sectors in addressing Asia's protection gaps. These two initiatives will be foundational as GAIP works with its tripartite partners and others in the risk management and insurance ecosystem to build long-term risk resilience in Asia. The framework and the tool will be foundational in enhancing national resilience efforts and ensuring that countries are better equipped to address and mitigate a broad range of risks.

[1] https://clearlinesaudit.com.au/centralised-decentralised/

*The views expressed in this article are solely those of the author and do not necessarily reflect those of the Global Asia Insurance Partnership or its partners.
