More than seven years after the onset of the global crisis, the financial sector continues to attract unwanted headlines, with the spotlight shifting somewhat from banks to insurers. Consequently, regulators are taking a heightened interest in organizations’ risk management and underlying cultures. In 2014, the International Association of Insurance Supervisors (IAIS) called for insurers to demonstrate “the ability to promote a sound risk and compliance culture across the group.”
The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, has also issued guidance on risk culture, stating: “Supervisors should satisfy themselves that risk cultures are based on sound, articulated values and are carefully managed by the leadership of the financial institution.” Furthermore, the FSB stated: “Institutions with a strong culture of risk management and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.”
Why risk culture matters
Risk culture can be described as the way in which decision-makers (at all levels within an insurer) consider and take risks. When risk appetite is fully agreed and understood, all employees are conscious of risk in their everyday decision-making, appreciate the trade-offs between risk and reward and consider the interests of the wider organization above their individual objectives.
However, defining risk culture and establishing a sound risk management framework is a considerable challenge. Traditionally, “risk” within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never acknowledged there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity. One example is the recent U.K. payment protection scandal, where insurance companies and bancassurers have to pay billions in compensation for mis-selling of policies.
In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks among employees and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified, while key individuals such as the chief risk officer (CRO), the chief financial officer (CFO) and the approved actuary often have multiple risk decision-making roles that create an excessive workload.
Perhaps more importantly, individuals are not measured or given an incentive for risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable.
Within a branch network or telephone service center, staff may be under considerable pressure to meet targets, which can lead to sales of products that are not always a) in the customers’ best interests and b) in line with strategic goals. Incentive schemes are partly to blame; they reward salespeople primarily for goals set by their immediate managers, which may prioritize volume over quality. (These can apply both to direct sales and those made through intermediaries.)
Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling or marketing messages that over-promise benefits (such as speed of replacement for stolen or damaged goods or availability of rental cars to replace damaged vehicles). A poorly designed online sales process can easily cause customers to self-select the wrong products.
Compliance reporting for regulations — including Solvency II and International Financial Reporting Standards (IFRS) — can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place and are being adhered to, and they fail to produce accurate reporting that paints a true picture of the business.
Consequently, regulators are raising the bar by demanding more risk-sensitive capital regimes as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement and better assessments of risk management frameworks and risk culture, as well as expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.
From awareness to action
Ultimately, culture is all about action — not policies or documentation. With regulators showing an increasing interest in risk culture and behavior, how can companies take a barometer of their current capabilities to make relevant improvements?
There are three important questions to address:
- Does the organization have appropriate structures and processes in place to define the desired culture?
- Are those structures and processes adequate to create the desired culture?
- Do structures and processes drive effective behaviors in practice?
An in-depth evaluation involves close scrutiny of risk and compliance policies, past interactions with regulators and detailed observations of staff behavior at all levels. By seeking the views of a cross-section of employees and managers, leaders can better understand employees’ attitudes toward risk management and how risk management policies, procedures and systems work in practice, highlighting any gaps.
Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring across different departments and locations. Such incidents should be monitored constantly and their root causes identified to offer a continuous indicator of cultural performance. This is a sizable investment requiring strong endorsement from leaders.
Insurance companies with strong risk cultures are likely to exhibit four key characteristics:
1. Tone at the top
The board and executive management should drive risk culture, with leaders exhibiting total consistency in words and actions, taking a visible lead in risk management activities — and being fully accountable when risk parameters are breached. By making risk a formal standing agenda item at board and management forums, the company’s leaders can demonstrate risk management’s importance to all stakeholders. They must ensure all employees are aware of the organization’s approach to risk management, reward positive behavior and act decisively when inappropriate risks are taken (if necessary through disciplinary action). It is very helpful to keep in touch with front-line activity through regular visits to branches and contact centers.
Although leaders set the tone, they can’t be alone in delivering messages about the importance of risk. Senior managers of divisions and business units are also part of the communication process, which must filter down through the organization — and between departments — to the most junior people. In this way, everyone can understand the risk appetite and capacity at the individual, team, department and company level. In addition to recording sales calls, staff should engage in focus groups, surveys and one-on-one interviews to ensure they are continually aware of the risk culture and are conforming to procedures.
Rather than acting as static recipients of advice, all employees should be encouraged to share information and feel safe to challenge unacceptable behavior and to escalate issues. This calls for clear channels for whistle-blowing, implying it is acceptable to criticize the business’ activities without fear of retribution.
In a risk-aware culture, issues are escalated and dealt with swiftly and decisively before they can become major problems, with a central point of contact for all employees for the management and treatment of risks. And, crucially, any learning from such incidents is assessed and built into future policies and behavior to avoid a recurrence. If something slips through the cracks, management should analyze why staff did not comply with protocols and re-educate people on the importance of such checks and balances — as well as stressing the need to act within the “spirit” of risk management.
Risk must become second nature to all, not something that applies only to actuaries or a central risk team. High-profile cultural transformation programs often fail to achieve lasting change because they don’t focus sufficiently on individuals or explain how people should behave to be more risk-aware. To make cultural change happen, leaders must understand the day-to-day dilemmas faced by staff — such as management pressure on sales numbers — and address these issues directly. Performance management and related compensation systems are key to gaining commitment and should balance local branch/office sales targets with wider organizational goals, as well as rewarding good risk management behavior. That will deter staff from taking unnecessary risks in pursuit of short-term profit. Whether selling in person, by phone, online, directly or through intermediaries, the same principles of fairness and appropriateness must apply.
The approval process for new marketing initiatives has to be robust to ensure the business has the capability to meet any promises. Risk management also requires new skills to identify, assess and mitigate risks, which calls for tailored training and coaching.
Good for compliance, good for the business
As well as increasing the chances of remaining compliant, a strong risk culture gives the board and shareholders greater confidence in an insurer’s integrity and in its ability to meet customer expectations. Comparison websites may have made the sector more price-driven, but customers still appreciate doing business with companies that are seen to be acting in a customer’s interests, often through a company offering relevant products, attentive customer service and a swift, fair claims process.
Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bringing frameworks to life and to ensuring adherence to policies. Once this has been achieved, all employees — not just actuaries — will be able to say they are risk managers.
In a strong risk culture…
- The board and executive management drive risk culture
- Every employee understands and embraces the organization’s risk appetite and risk management framework
- Threats or concerns are identified and escalated swiftly, with employees comfortable (and encouraged) to raise issues
- Individuals are clear about the risks inherent in their strategic and day-to-day decisions
- Every employee continuously learns from the experiences of others
- Personal and organizational interests are aligned via appropriate performance metrics and links to remuneration
- Risk behavior is monitored regularly, with swift corrective actions taken after any breaches
- Staff are encouraged to consult with a superior when it is unclear whether a particular action is outside the organization’s risk tolerance
Questions for insurers
- Is your board able to articulate the kind of risk culture it wants, and can it explain this clearly to all employees?
- Does your board have a road map toward a strong risk culture, and can it demonstrate steps it is taking in this direction?
- Are risks being identified, measured, managed and controlled in a manner consistent with the organization’s risk appetite?
- Does your staff understand and adhere to the organization’s risk appetite — as it relates to their particular roles?
- Do employee incentives promote long-term financial sustainability?
- Do employees at all levels have the skills to manage risk effectively?
Reprinted from Regulatory Challenges Facing the Insurance Industry in 2016. Copyright: 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of a particular situation.