February 21, 2018
Formula for Creating a Positive Risk Culture
by Donna Galer
The insurance industry is all about understanding and taking risk prudently. In other words, it is about assuming risk from individuals or organizations for the right return. Thus, it makes sense that insurers should be excellent at managing their own strategic, financial and operational risk. But is that always the case?
Regulators and rating agencies have done a great deal to require robust enterprise risk management at insurance companies and to consider how well they are implementing it in evaluating them. However, their focus is decidedly on capital risk management and to a much lesser extent on other risk categories. Yet, other risk categories can certainly affect financial stability.
Are insurers being asked to show regulators and rating agencies how they have measured their risk culture? Are they asked to explain to what extent their strategies have been influenced or revised based on risk-related input? Likewise, is there inquiry into how deep within the insurers’ ranks the risk-identification process goes to gather input? Is there much questioning about how financial targets are set, such as whether non-management or field input is gathered before setting these targets?
If the answer is no, then some vital evaluative data is being missed. That is because risk culture, and the things that strongly influence it, can make a huge difference in the financial success or failure of an insurer.
What Is Risk Culture?
There are various definitions for it, but the best I have found is the one suggested by the Institute of International Finance: “‘Risk culture’ can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and the risks it takes.”
The prevailing risk culture can be one explanation for why some insurers have more negative surprises than others, why some have a poor track record for reserve increases whereas others do not, or why some experience adverse results from significant growth whereas others can grow profitably.
What Influences Risk Culture
The things that influence risk culture and help to create a risk-aware culture are:
- Message from the top – board, CEO, senior team
- Behavior at the top
- Existence of board and management-level risk committees
- Existence of a risk appetite and risk tolerances that are well communicated
- How far down in the organization risk identification methods delve
- How unauthorized/excessive risk-taking is handled by management
- Whether there is a risk reporting hotline
- Whether goals are aligned with risk appetite and risk tolerances
- Whether incentives are aligned with risk appetite and risk tolerances
- Whether risk culture is measured
How Management Behavior Can Create Risk and Block Risk Culture
There are many ways that management can contribute to a poor or non-existent risk culture. Below are just a few examples.
By setting unreasonable goals, management creates obstacles for a healthy risk culture. There is a difference between stretch goals and unreasonable ones. Good managers know this and know how to set a proper goal. Unreasonable goals beget unreasonable behavior, e.g. risky behavior. Such behavior might play out in underpricing business to meet a premium growth goal; it might play out in bad faith claims to meet an average paid loss goal. These things can happen in any environment but are more likely when goals are set too high and the risk associated with that is ignored.
Another management action that can produce risk is developing a strategy without input from the field. A strategy that is based only on the ideas in the corporate suite can lead to the risk of failure or the risk of producing negative or unintended consequences. For example, field staff may have more insight than home office strategy pundits into how agents and brokers may react to a change in compensation practices or local contacts. Getting field input might avoid losing business, losing agents or brokers or some equally undesirable business result. In a study sponsored by the Casualty Actuarial Society, the authors Shaun Wang and Robert Faber state, “In running an enterprise, it is essential to recognize both global and local views: Without inputs from the field, any development of business strategy lacks a solid footing; while the strategic directions are set at the company level, the success and failure of the strategy depends on the local business execution.”
Insurers are introducing many types of innovations into their operations to stay relevant in today’s digital world and sharing economy. If it is perceived that management is not taking into account the risks inherent in any new way of doing things, then a strong signal is being sent to the rest of the organization. The signal is that managing risk is not always important. Taking risk into account should never stop forward movement. Instead, it should ensure that innovations are optimized. Management should be able to point to the risks that were identified and how they were addressed, regardless of whether those risks pertain to cyber security, system integration, scalability, customer or distributor satisfaction or any number of other matters.
How Management Can Create a Positive Risk Culture
Management’s behavior becomes the model for the rest of the organization. Generally, each level of management tends to mimic the approach of the level to which it reports. Even when such cascading is not perfectly distributed, the overall tone and modus operandi of top managers tend to influence most employees of the organization over time.
Thus, management must be continually aware of what message it is sending about risk awareness by its own actions as well as by designed communications. Where a risk-aware culture is nurtured, there will be many ways in which management reinforces it:
- Rewarding staff when risks are handled well and holding staff accountable when risks are not handled well
- Ensuring that risk is discussed during decision-making, not after decisions are made
- Treating those who report a risk as a team player rather than a naysayer or trouble seeker – encouraging the person to become a problem solver by being asked to help address the risk
- Discussing risk and the status of risk mitigation plans in staff meetings or whenever appropriate
In risk-aware cultures, risk is considered as part of every key decision or action. Thus, the bottom line is improved.