True, a great deal has been written about the importance of inculcating a positive risk culture if an organization is serious about managing its enterprise risk. Yet, when it comes to discussions about organizational culture, many executives’ eyes glaze over because the topic is too nebulous or because they have no idea how to influence or develop a particular type of culture. Underwriters, considering an application from a commercial customer, generally do not look too deeply into the company’s risk culture. Given that risk is growing in magnitude and variety and with increasing speed of onset, it behooves leaders to take concrete actions to establish a sound risk culture or to maintain one if it already exists. And underwriters should also be interested in the risk culture of accounts they write for the same reasons.
Often, I am inspired to write about something because of some news I hear or read about. In this case, something on the law360 website caught my attention: A woman slipped and fell near a collapsed “wet floor” sign at a casino. This person, Ms. Sadowski, suffered serious injuries and was awarded $3 million by an Ohio jury.
“The sign lay flat on the floor that day in September 2016, and a Jack Cincinnati Casino employee even walked around it but did not pick it up,” Sadowski’s attorney, Matt Nakajima, said, according to the Cincinnati Enquirer. He said that, moments later, Sadowski tripped over it and broke one of her knee caps. There were no safety measures in place for floor inspections or fall prevention, he said, and the employee who walked around the collapsed sign was not reprimanded. So, despite the use of “wet floor” signs, other aspects of risk management were purportedly absent.
It seems the jury believed Nakajima’s description. If the description is accurate, the part about an employee walking around a collapsed “wet floor” sign is very troubling, as is the fact that there were no consequences for the employee. These kinds of actions point to a lack of a risk-aware culture at various levels.
So, how do leaders build a risk culture, and how do underwriters probe to see what kind of risk culture exists in their prospective insureds’ organizations?
Three Basic Steps to Build Risk Culture
Articulate the organization’s position on managing risk at key communication junctures and through different media with employees: 1) hiring interview, 2) orientation, 3) staff meetings, 4) webcasts, newsletters, bulletin boards.
Include a risk culture criterion in all performance reviews; e.g., does the employee perform duties safely and address or report hazards/risks when they are identified? Evaluate positively or negatively, as warranted. Celebrate exemplary cases of risk awareness or risk mitigation.
Ensure that policies, procedures and work instructions all describe what is expected in terms of safety, precaution and risk reporting.
Three Basic Data Points for Underwriters to Ascertain
Does the organization have any losses in the loss history that show an egregious lack of risk awareness?
Does the organization practice ERM or, at least, have policies around required safety measures, risk/hazard reporting, training on avoiding cyber and other risks, etc.?
Does the organization discuss or evaluate risk awareness as part of normal performance management?
At a time when every insurer is streamlining the information it requests from potential insureds, adding more requests for data seems antithetical. However, in light of the thousands of ways that employees can create, increase or decrease risk in an organization, the culture they embrace is very important. For example, an HR staffer who delays inputting an employee termination to the appropriate systems can create huge data and physical security risks. Likewise, a factory worker who leaves equipment running while going on break, when it should be turned off, can create safety and property risk. Or, consider a finance employee who thinks a spoofed email is actually from the CEO and sends a payroll check to the hacker’s account because there was no secondary control or it was not adhered to. The questions above will help underwriters to get a glimpse of the risk culture at the company they are evaluating.
A risk-aware culture plays a role regardless of the category of risk: financial, operational, legal, cyber, human resource, strategic, etc. Everyone from the top to the bottom of the organization needs to have an automatic and quickfire gut check regarding their actions – am I creating a risk by taking this action; have I recognized the risks in the situation that is leading me to action; do I need to vet a recognized risk with others? When an organization reaches the point where this type of thinking is natural, and almost universal, then it can be said that a positive risk culture has been embedded.
Her latest book, “Enterprise Risk Management: Straight Talk for Nonprofits,” can be found here.
The insurance industry is all about understanding and taking risk prudently. In other words, it is about assuming risk from individuals or organizations for the right return. Thus, it makes sense that insurers should be excellent at managing their own strategic, financial and operational risk. But is that always the case?
Regulators and rating agencies have done a great deal to require robust enterprise risk management at insurance companies and to consider how well they are implementing it in evaluating them. However, their focus is decidedly on capital risk management and to a much lesser extent on other risk categories. Yet, other risk categories can certainly affect financial stability.
Are insurers being asked to show regulators and rating agencies how they have measured their risk culture? Are they asked to explain to what extent their strategies have been influenced or revised based on risk-related input? Likewise, is there inquiry into how deep within the insurers’ ranks the risk-identification process goes to gather input? Is there much questioning about how financial targets are set, such as whether non-management or field input is gathered before setting these targets?
If the answer is no, then some vital evaluative data is being missed. That is because risk culture, and the things that strongly influence it, can make a huge difference in the financial success or failure of an insurer.
What Is Risk Culture?
There are various definitions for it, but the best I have found is the one suggested by the Institute of International Finance, “‘Risk culture’ can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and the risks it takes.”
The prevailing risk culture can be one explanation for why some insurers have more negative surprises than others, why some have a poor track record for reserve increases whereas others do not, or why some experience adverse results from significant growth whereas others can grow profitably.
What Influences Risk Culture
The things that influence risk culture and help to create a risk-aware culture are:
Message from the top – board, CEO, senior team
Behavior at the top
Existence of board and management-level risk committees
Existence of risk appetite, risk tolerances that are well-communicated
How far down in the organization risk identification methods delve
How unauthorized/excessive risk-taking is handled by management
Whether there is a risk reporting hotline
Whether goals are aligned with risk appetite and risk tolerances
Whether incentives are aligned with risk appetite and risk tolerances
Whether risk culture is measured
How Management Behavior Can Create Risk and Block Risk Culture
There are many ways that management can contribute to a poor or non-existent risk culture. Below are just a few examples.
By setting unreasonable goals, management creates obstacles for a healthy risk culture. There is a difference between stretch goals and unreasonable ones. Good managers know this and know how to set a proper goal. Unreasonable goals beget unreasonable behavior, e.g., risky behavior. Such behavior might play out in underpricing business to meet a premium growth goal; it might play out in bad-faith claims handling to meet an average paid loss goal. These things can happen in any environment but are more likely when goals are set too high and the risk associated with that is ignored.
Another management action that can produce risk is developing a strategy without input from the field. A strategy that is based only on the ideas in the corporate suite can lead to the risk of failure or the risk of producing negative or unintended consequences. For example, field staff may have more insight about how a change in compensation practices or local contacts may be reacted to by agents and brokers than home office strategy pundits. Getting field input might avoid losing business, losing agents or brokers or some equally undesirable business result. In a study sponsored by the Casualty Actuarial Society, the authors Shaun Wang and Robert Faber state, “In running an enterprise, it is essential to recognize both global and local views: Without inputs from the field, any development of business strategy lacks a solid footing; while the strategic directions are set at the company level, the success and failure of the strategy depends on the local business execution.”
Insurers are introducing many types of innovations into their operations to stay relevant in today’s digital world and sharing economy. If it is perceived that management is not taking into account the risks inherent in any new way of doing things, then a strong signal is being sent to the rest of the organization. The signal is that managing risk is not always important. Taking risk into account should never stop forward movement. Instead, it should ensure that innovations are optimized. Management should be able to point to the risks that were identified and how they were addressed, regardless of whether those risks pertain to cyber security, system integration, scalability, customer or distributor satisfaction and any number of other matters.
Management’s behavior becomes the model for the rest of the organization. Generally, each level of management tends to mimic the approach of the level to which it reports. Even when such cascading is not perfectly distributed, the overall tone and modus operandi of top managers tend to influence most employees of the organization over time.
Thus, management must be continually aware of what message it is sending about risk awareness by its own actions as well as by designed communications. Where a risk-aware culture is nurtured, there will be many ways in which management reinforces it:
Rewarding staff when risks are handled well and holding staff accountable when risks are not handled well
Ensuring that risk is discussed during decision-making not after decisions are made
Treating those who report a risk as a team player rather than a naysayer or trouble seeker – encouraging the person to become a problem solver by being asked to help address the risk
Discussing risk and the status of risk mitigation plans in staff meetings or whenever appropriate.
In risk-aware cultures, risk is considered as part of every key decision or action. Thus, the bottom line is improved.
Risk management is ultimately about creating a culture that would facilitate risk discussion when performing business activities or making any strategic, investment or project decision.
Here are some of the key points that are often missed:
Risk management is not just about tools and techniques; it is about changing the corporate culture and the mindset of management and employees. This change cannot happen overnight. Risk managers need to start small by embedding elements of risk analysis into various decision-making processes, expanding the scope of risk management over time.
It is vital to break the status quo where risk management is seen as a separate and independent activity. Instead, risk managers should integrate risk management into all core business activities. This can be achieved by integrating risk analysis into decision-making processes, assisting management in evaluating projects and strategic initiatives with the use of risk analysis tools, integrating risk management into strategic planning, budgeting and performance management, incorporating responsibilities in job descriptions, providing management training, etc.
Risk managers should strive to become advisers to senior management and the board, advisers who are trusted and whose recommendations are listened to. To achieve this, risk managers may need to break away from traditional models like “three lines of defense” and instead choose to actively participate in the decision-making, take ownership of some risks and provide an independent assessment of risks associated with important business decisions, maybe even vetoing some high-risk activities.
To explore these topics, Elena Demidenko and I have written a free book, “Guide to Effective Risk Management 3.0.” It talks about practical steps risk managers can take to integrate risk management into decision-making and core business processes. Based on our research and the interviews, we have summarized 15 practical ideas on how to improve the integration of risk management into the daily life of the organisation. These were grouped into three high-level objectives: drive risk culture, help integrate risk management into business and become a trusted adviser.
This document is designed to be a practical implementation guide. Each section is accompanied by checklists, video references, useful links and templates. This guide isn’t about “classical” risk management with its useless risk maps, risk registers, risk owners or risk mitigation plans. This guide is about implementing the most current risk analysis research into the business processes, decision making and the overall culture of the organization.
Yes, building risk culture is easy! Before I explain, let me first clear up a few weird misconceptions about risk culture that have been floating around in non-financial companies:
Making decisions under uncertainty is not natural for humans.
Back in the 1970s, scientists had a breakthrough in understanding how the human brain works, what influences our decisions, how cognitive biases affect our perception of the world and so on. Daniel Kahneman and Vernon Smith received a Nobel prize in economics back in 2002 “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty.” I am amazed how many risk managers and consultants continue to simply ignore this research. Identifying, analyzing and dealing with risks is against human nature. Stop kidding yourself. The sooner we, as a professional community, accept this, the easier it will be to integrate risk management into decision making.
Managers do not take risks into account by default.
One of the biggest deceptions floated around is that most business processes already take into account risks and that decisions are made by management after careful consideration of risks. Not so. Naturally, managers do consider some of the more obvious risks, and there are exceptional cases where risk analysis is already integrated into the decision making. For the other 95% of the companies, existing processes and management tools ignore or purposefully hide significant risks. I bet that if risk managers, instead of running useless risk workshops, had a deep hard look, they would soon discover that budgets are overly optimistic, project plans are unrealistic and some corporate objectives are borderline naïve. Of course, the rest of the company is fine with how things are and will do everything to stop risk managers from getting involved.
Making risk management everyone’s responsibility is just wishful thinking.
I don’t quite understand why, but there seems to be an idea that strong, robust, risk-aware culture is the ultimate objective. It sounds great, but it is physically impossible. And this is why I think so many risk managers have failed and so many more are struggling to make an impact. They are trying to move the rock that is not meant to be moved. This is probably the most important point of this article:
The only person in the company who thinks strong risk culture is a positive thing is the risk manager. The rest of the organization sees risk management as a direct threat to their personal interests, their income and their position in the corporate world.
Let me repeat: Most managers ignore risks and take uncalculated risks for a reason.
But not all managers and not all the time. And that’s where the risk manager comes in, trying to change the culture of CERTAIN individuals SOME of the time.
Risk management culture is not about hearts and minds.
By now, after reading everything I tried to communicate above, I hope you realize that management doesn’t care about risk culture. I mean they will still say the right words when the risk manager is present, but deep down nobody will care. The only chance for risk culture to stick is if it makes business sense for the individuals. And I don’t mean soft things like transparency, corporate governance and other nonsense, I mean direct impact on the bottom line or the personal security of an individual. The best examples of managers suddenly becoming very risk-aware were when I was able to show that by better managing risks individuals could protect their role, avoid prosecution, have a better business case for investors, save on insurance, save on financing costs or get higher bonuses.
And yet despite everything I said above, building risk culture is a piece of cake. Risk managers just have to realize that they won’t be able to convert everyone and that some people are beyond help. There is also no single solution that will do the job. It’s all about finding what makes each individual tick. It’s time-consuming, yes, but not difficult at all. Hence it can be equally applied by large corporations and small and medium-sized businesses.
Here are some practical ideas (make sure you click on the links in the article; each one leads to a short video explanation) to get you started:
Develop high-level risk management policy – It is generally considered a good idea to document an organization’s attitude and commitment to risk management in a high-level document, such as a risk management policy. The policy should describe the general attitude of the company toward risks, risk management principles, roles and responsibilities and risk management infrastructure, as well as resources and processes dedicated to risk management. Section 4.3.2 of ISO 31000:2009 also provides guidance on risk management policy.
Integrate risk appetites for different risk types into existing board-level documents; don’t create separate risk appetite statements.
More than seven years after the onset of the global crisis, the financial sector continues to attract unwanted headlines, with the spotlight shifting somewhat from banks to insurers. Consequently, regulators are taking a heightened interest in organizations’ risk management and underlying cultures. In 2014, the International Association of Insurance Supervisors (IAIS) called for insurers to demonstrate “the ability to promote a sound risk and compliance culture across the group.”
The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, has also issued guidance on risk culture, stating: “Supervisors should satisfy themselves that risk cultures are based on sound, articulated values and are carefully managed by the leadership of the financial institution.” Furthermore, the FSB stated: “Institutions with a strong culture of risk management and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.”
Why risk culture matters
Risk culture can be described as the way in which decision-makers (at all levels within an insurer) consider and take risks. When risk appetite is fully agreed and understood, all employees are conscious of risk in their everyday decision-making, appreciate the trade-offs between risk and reward and consider the interests of the wider organization above their individual objectives.
However, defining risk culture and establishing a sound risk management framework is a considerable challenge. Traditionally, “risk” within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never acknowledged there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity. One example is the recent U.K. payment protection scandal, where insurance companies and bancassurers have to pay billions in compensation for mis-selling of policies.
In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks among employees and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified, while key individuals such as the chief risk officer (CRO), the chief financial officer (CFO) and the approved actuary often have multiple risk decision-making roles that create an excessive workload.
Perhaps more importantly, individuals are not measured or given an incentive for risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable.
Within a branch network or telephone service center, staff may be under considerable pressure to meet targets, which can lead to sales of products that are not always a) in the customers’ best interests and b) in line with strategic goals. Incentive schemes are partly to blame; they reward salespeople primarily for goals set by their immediate managers, which may prioritize volume over quality. (These can apply both to direct sales and those made through intermediaries.)
Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling or marketing messages that over-promise benefits (such as speed of replacement for stolen or damaged goods or availability of rental cars to replace damaged vehicles). A poorly designed online sales process can easily cause customers to self-select the wrong products.
Compliance reporting for regulations — including Solvency II and International Financial Reporting Standards (IFRS) — can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place and are being adhered to, and they fail to produce accurate reporting that paints a true picture of the business.
Consequently, regulators are raising the bar by demanding more risk-sensitive capital regimes as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement and better assessments of risk management frameworks and risk culture, as well as expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.
From awareness to action
Ultimately, culture is all about action — not policies or documentation. With regulators showing an increasing interest in risk culture and behavior, how can companies take a barometer of their current capabilities to make relevant improvements?
There are three important questions to address:
Does the organization have appropriate structures and processes in place to define the desired culture?
Are those structures and processes adequate to create the desired culture?
Do structures and processes drive effective behaviors in practice?
An in-depth evaluation involves close scrutiny of risk and compliance policies, past interactions with regulators and detailed observations of staff behavior at all levels. By seeking the views of a cross-section of employees and managers, leaders can better understand employees’ attitudes toward risk management and how risk management policies, procedures and systems work in practice, highlighting any gaps.
Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring across different departments and locations. Such incidents should be monitored constantly and their root causes identified to offer a continuous indicator of cultural performance. This is a sizable investment requiring strong endorsement from leaders.
Insurance companies with strong risk cultures are likely to exhibit four key characteristics:
1. Tone at the top
The board and executive management should drive risk culture, with leaders exhibiting total consistency in words and actions, taking a visible lead in risk management activities — and being fully accountable when risk parameters are breached. By making risk a formal standing agenda item at board and management forums, the company’s leaders can demonstrate risk management’s importance to all stakeholders. They must ensure all employees are aware of the organization’s approach to risk management, reward positive behavior and act decisively when inappropriate risks are taken (if necessary through disciplinary action). It is very helpful to keep in touch with front-line activity through regular visits to branches and contact centers.
Although leaders set the tone, they can’t be alone in delivering messages about the importance of risk. Senior managers of divisions and business units are also part of the communication process, which must filter down through the organization — and between departments — to the most junior people. In this way, everyone can understand the risk appetite and capacity at the individual, team, department and company level. In addition to recording sales calls, staff should engage in focus groups, surveys and one-on-one interviews to ensure they are continually aware of the risk culture and are conforming to procedures.
Rather than acting as static recipients of advice, all employees should be encouraged to share information and feel safe to challenge unacceptable behavior and to escalate issues. This calls for clear channels for whistle-blowing, implying it is acceptable to criticize the business’ activities without fear of retribution.
In a risk-aware culture, issues are escalated and dealt with swiftly and decisively before they can become major problems, with a central point of contact for all employees for the management and treatment of risks. And, crucially, any learning from such incidents is assessed and built into future policies and behavior to avoid a recurrence. If something slips through the cracks, management should analyze why staff did not comply with protocols and re-educate people on the importance of such checks and balances — as well as stressing the need to act within the “spirit” of risk management.
Risk must become second nature to all, not something that applies only to actuaries or a central risk team. High-profile cultural transformation programs often fail to achieve lasting change because they don’t focus sufficiently on individuals or explain how people should behave to be more risk-aware. To make cultural change happen, leaders must understand the day-to-day dilemmas faced by staff — such as management pressure on sales numbers — and address these issues directly. Performance management and related compensation systems are key to gaining commitment and should balance local branch/office sales targets with wider organizational goals, as well as rewarding good risk management behavior. That will deter staff from taking unnecessary risks in pursuit of short-term profit. Whether selling in person, by phone, online, directly or through intermediaries, the same principles of fairness and appropriateness must apply.
The approval process for new marketing initiatives has to be robust to ensure the business has the capability to meet any promises. Risk management also requires new skills to identify, assess and mitigate risks, which calls for tailored training and coaching.
Good for compliance, good for the business
As well as increasing the chances of remaining compliant, a strong risk culture gives the board and shareholders greater confidence in an insurer’s integrity and in its ability to meet customer expectations. Comparison websites may have made the sector more price-driven, but customers still appreciate doing business with companies that are seen to be acting in a customer’s interests, often through a company offering relevant products, attentive customer service and a swift, fair claims process.
Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bringing frameworks to life and to ensuring adherence to policies. Once this has been achieved, all employees — not just actuaries — will be able to say they are risk managers.
In a strong risk culture…
The board and executive management drive risk culture
Every employee understands and embraces the organization’s risk appetite and risk management framework
Threats or concerns are identified and escalated swiftly, with employees comfortable (and encouraged) to raise issues
Individuals are clear about the risks inherent in their strategic and day-to-day decisions
Every employee continuously learns from the experiences of others
Personal and organizational interests are aligned via appropriate performance metrics and links to remuneration
Risk behavior is monitored regularly, with swift corrective actions taken after any breaches
Staff are encouraged to consult with a superior when it is unclear whether a particular action is outside the organization’s risk tolerance
Questions for insurers
Is your board able to articulate the kind of risk culture it wants, and can it explain this clearly to all employees?
Does your board have a road map toward a strong risk culture, and can it demonstrate steps it is taking in this direction?
Are risks being identified, measured, managed and controlled in a manner consistent with the organization’s risk appetite?
Does your staff understand and adhere to the organization’s risk appetite — as it relates to their particular roles?
Do employee incentives promote long-term financial sustainability?
Do employees at all levels have the skills to manage risk effectively?
Reprinted from “Regulatory Challenges Facing the Insurance Industry in 2016.” Copyright 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of a particular situation.