Chief Risk Officers Take on Gen AI

  • Post author:

By Russ Banham

Carrier Management

When Generative AI burst onto the scene at the end of 2022, users gushed about the automatic content creation, greater productivity, and some funny or disturbing anomalies. Within days, it seemed, people who had not given Gen AI a try were outliers. Few technologies had captured the public’s imagination so quickly.

These developments were closely watched by chief risk officers across diverse industries, given their responsibility to identify, assess and mitigate significant risks to operations. This was especially the case in the insurance industry, where many CROs either took it upon themselves or were tasked by other senior executives and board members to balance the perceived benefits of Gen AI with its opaque risks.


Concerns centered on the accuracy and source of the underlying data used by different Gen AI models to detect commonalities, patterns and anomalies. Biased, inaccurate, fake or copyrighted information can result in compliance violations, intellectual property infringement, breach of contract, erroneous fraud alerts, harmful customer communications, third-party exposures and reputational damage. These risks and others are only half the story, of course.

Gen AI’s ability to process large sources of unstructured data on behalf of user prompts and turn it into images, speech, text, video and other content is of enormous benefit to insurance carriers. Gen AI offers the opportunity to enhance operational processes in underwriting, claims, fraud detection, customer interactions, risk assessment and regulatory compliance, as well as in traditional business functions like marketing, customer service, accounting, financial reporting and so on.

Carrier Management reached out to four CROs to discern their role in establishing sound rules and governance practices to constrain potential abuses without eliminating Gen AI’s obvious value. Their efforts suggest the high-priority status of the new technology. As CRO Adrian La Forgia at QBE North America put it, “Of all the opportunities out there, this is the time for the risk function to really shine. You either stand on the sidelines and observe, or you help shape the direction.”

Test and Learn

La Forgia began his insurance career at AIG, eventually becoming chief operating officer in the commercial underwriting office. In 2016, he migrated to QBE NA to lead Enterprise Risk Management, before becoming deputy CRO and then CRO in June 2022. La Forgia is a member of the executive management board for QBE NA and part of the large insurer’s global risk function, leading Risk and Compliance for North America.

“I became involved with Gen AI as it exploded across the world, initially thinking we’d need to quickly build a governance framework around its use with sensible and flexible risk guardrails,” said La Forgia.

In February 2023, employees had begun dabbling with Gen AI tools like ChatGPT. “Boards were concerned about the implications and how we were seeking to protect ourselves,” he said. “Early on, we issued a set of ‘dos and don’ts,’ mindful of our existing acceptable use policy, data management guidelines and the broader cybersecurity infrastructure. We wanted to ensure rigor and the application of our subject matter expertise.”

Once the restrictions were in place, the spotlight turned to the opportunities presented by Gen AI. “We were at an inflection point, where the risk of embracing it and getting it wrong was starting to converge with the risk of being left behind. We either needed to get behind it and address the risks or insulate ourselves from the opportunity,” said La Forgia. “We decided to get behind it through a very measured ‘test and learn’ methodology.”

The CRO was part of a cross-functional and global team overseeing the development of the governance framework to identify and manage Gen AI use cases and potential pilot projects. Once in place, the first use case, focused on the insurance broker submission intake process, was undertaken. “Gen AI was used to test how various forms of unstructured data provided by brokers could be parsed into the different elements needed for underwriting, pricing and risk selection,” he said.

Once a use case demonstrates confidence in the specific use of Gen AI, the next stage is to launch a pilot for further testing and refining. La Forgia commented that the submission intake use case is now in the pilot phase.

In this methodical test-and-learn process, the opportunities of Gen AI are carefully weighed against perceived risks. “What sounds good on paper may not provide the benefits and efficiencies touted,” he explained. “We’re mindful of the ‘hallucination effect,’ the risk of inaccurate conclusions drawn from nonexistent patterns and correlations.”

He provided an example of a public case study in the legal arena. “In one case, Gen AI cited case law that didn’t actually exist,” La Forgia said. “We’re thoughtful in not rushing toward a fully autonomous platform, as the technology is still emerging and volatile.”

Other use cases are in the works, La Forgia said, adding that it is premature to discuss them in detail. “What’s most important in choosing use cases is to pick the big opportunities that align with the strategy,” he said. “With any use case, we review the implications of which data will be used, how it will be used, and the conclusions that may be drawn from this use. This is a long journey.”

As CRO, La Forgia said he “needs to monitor Gen AI-driven regulations on a state-by-state and international basis, as some states are taking a regulatory approach to Gen AI, whereas others are looking at legislation.”

Having demonstrated the early value of Gen AI usage, La Forgia said that board members have “fewer questions about protecting [the company] from the downsides and are more engaged in how we can harness the upside.”

Stay Calm and Carry On

The paradigm sea change represented by Gen AI has compelled QBE NA and other large insurers to be deliberate in their approach to implementing the tools, the case at The Cincinnati Insurance Companies. “We’re looking at both sides of the sword, making sure we’re taking advantage of a new technology that will be transformational for every industry but also making sure we do it in a safe, ethical and governed way,” said Teresa Cracas, CRO at the property and casualty insurer, which serves customers in 46 states and the District of Columbia.

Cracas manages enterprise strategy and risk, which includes oversight of the carrier’s analytical and actuarial teams. She is a member of a three-person steering committee responsible for the governance of Gen AI and AI-based predictive models (the other members are the company’s chief information officer and chief legal officer).

In 2018, the committee put together a governance framework to manage the use of early predictive models for fraud detection and spatial imaging, giving it a leg up on managing Gen AI. “Like Gen AI, the predictive models use open source algorithms, but Gen AI is a big nut to crack,” Cracas said. The steering committee decided to enhance the governance framework specifically for Gen AI and tasked the head of compliance (Kelly Chasteen) with developing it. “It’s in her wheelhouse and she’s passionate about the topic.”

The more robust framework will include an ethical statement crafted by the actuarial group defining appropriate and inappropriate Gen AI use. “We’re fortunate the early work on our predictive models was done inside the actuarial group, which is governed by a very strict code of conduct. A lot of ethical requirements come with being an actuary,” Cracas explained. “We want to be very clear in what Gen AI will and won’t do, how to vet the tools, and how to manage them.”

Several professionals in the insurer’s IT organization are already using Gen AI in their work, and both traditional and newer vendors are embedding the tools in the solutions provided the company. “One of the things we struggle with is how to vet every Gen AI vendor to see what’s under the hood,” she said.

Other concerns include the safety of open source models, properly vetting them to ensure they don’t infect the carrier’s network and systems; emerging regulations; and hiring people skilled in using Gen AI models. “They’re in very high demand, since every company on the planet has made Gen AI a focus,” Cracas said.

Like QBE NA, Cincinnati Insurance has commenced a Gen AI pilot project, which is aimed at pushing information more quickly to underwriters. “We’re in the early days of it, and are still working on security,” said Cracas. “We recently hired a Gen AI expert from Google, who is inspirational when he talks about all the things Gen AI can do. Now our problem is keeping everybody patient.”

The Game-Changer

In April 2023, then-CEO Rich Poirier at Church Mutual Insurance Company asked CRO Stephanie Lynn to marshal a Gen AI strategy and a formal Gen AI governance committee to govern its use across the business. “I assembled a group of eight people from legal, data analytics, IT, InfoSec and other functions, and asked them to find as much information as possible on what other businesses are doing as far as governance,” said Lynn. Church Mutual provides specialized insurance to religious organizations, schools, colleges, nonprofits and other service organizations.

Armed with this information, the committee evaluated other companies’ governance processes, insofar as “what made sense and what didn’t,” Lynn said. “We examined the use cases for Gen AI at these organizations to see which ones actually succeeded in managing the risks against the potential.”

Instead of scrambling, Lynn and the committee took a few months in developing the insurer’s Gen AI strategy before presenting it to the board of directors. “I had previously met one-on-one with one board member, who had extensive technology experience, to show him what we were thinking,” she said. “He helped us expand some areas. Ultimately, the board approved and away we go.”

The committee’s next actions included crafting a charter detailing the scope and objectives of Gen AI implementation, drafting a policy requiring employees to solicit permission for using Gen AI to the governance committee, and creating an intake form template for this purpose. The form is subsequently submitted to the committee for review. “We evaluate the proposals from a data perspective—why and how the tool will be used, who owns the outputs, will we be masking proprietary information—and then have the legal team takes a look” before it is approved or denied, Lynn said.

Like many insurance carriers, Church Mutual a decade ago was wary about the influx of new insurance technology solutions. No longer is this the case. “We’re at the forefront in innovation in using emerging technologies across the business, but we realized very quickly that Gen AI had a much bigger footprint, as it can be used by every single person in the organization,” she said. “At the same time, it’s still the Wild West.”

She pointed to her overflowing email box, which is inundated with emails from Gen AI vendors specializing in insurance operations. “There’s a ‘spaghetti map’ of different tools competing against each other. To control the chaos, we’ve tasked a single group to evaluate [the vendors] to avoid the potential for duplicative tools being brought into the organization.”

Three Gen AI pilot tests are underway at Church Mutual. “One is for marketing to enhance our social media presence; another is for customer service, instantly and correctly summarizing communications between our CSR’s and customers; and the third is more of an operational efficiency tool, like ChatGPT but not quite,” the CRO said. “They’re just getting started.” Altogether, some 40 people across the organization are engaged in the three pilots and several use cases, including HR, claims, compliance, legal and information security.

Looking back, Lynn said, “I was a little intimidated at first to take this on. At the outset, I knew next to nothing about Gen AI. But I just poured myself into it and got the right team around me to help. We did a lot in just three quarters. We all knew Gen AI was a game-changer and didn’t want to be late to the party.”

Executive Sponsor

At United Educators (UE), a risk retention group and licensed liability insurer owned by 1,600 member schools and colleges, CRO Johnny Gilbert was a natural to lead the Gen AI governance effort—he’s also UE’s chief actuary, in charge of data analytics and modeling. “I’d worked on earlier versions of Gen AI like machine learning that were more passive and less generative, but when the news came out that everyone was using this new tool called ChatGPT, I realized we needed to quickly get out in front of it,” he said.

Like other CROs, Gilbert was alarmed by the possibility that employees might use Gen AI to develop content from their emails and other proprietary data. “I was concerned about the lack of control, so we immediately developed a policy requiring everyone before using Gen AI to receive explicit permission from the CFO and corporate counsel,” he said. “We then paused to think about more long-term sustainable governance.”

Gilbert has assembled a committee that includes business leaders and UE’s IT, actuarial and analytics teams to consider how Gen AI may change work across the enterprise from a competitive standpoint. “My role is as the executive sponsor, making sure everyone has the right goals in mind, we’re all moving in the same direction, and we’re thinking about our members in everything we’re trying to do,” he said. “We’re still in this exploration phase.”

One possible benefit of Gen AI to member schools and colleges is in risk management, given the potential to take a huge volume of claims data and quickly recycle it into knowledge helping members improve their risk profile. As Gilbert put it, “Using Gen AI, an enormous amount of claims data and text can be summarized into useful themes. It’s not a magic bullet, but it does give researchers a lot more breadcrumbs to think about.”

Russ Banham is a veteran reporter covering the insurance industry.

Leave a Reply