
Building a Strong Insurance Risk Culture

More than seven years after the onset of the global crisis, the financial sector continues to attract unwanted headlines, with the spotlight shifting somewhat from banks to insurers. Consequently, regulators are taking a heightened interest in organizations’ risk management and underlying cultures. In 2014, the International Association of Insurance Supervisors (IAIS) called for insurers to demonstrate “the ability to promote a sound risk and compliance culture across the group.”

The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, has also issued guidance on risk culture, stating: “Supervisors should satisfy themselves that risk cultures are based on sound, articulated values and are carefully managed by the leadership of the financial institution.” Furthermore, the FSB stated: “Institutions with a strong culture of risk management and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.”

Why risk culture matters

Risk culture can be described as the way in which decision-makers (at all levels within an insurer) consider and take risks. When risk appetite is fully agreed and understood, all employees are conscious of risk in their everyday decision-making, appreciate the trade-offs between risk and reward and consider the interests of the wider organization above their individual objectives.

However, defining risk culture and establishing a sound risk management framework is a considerable challenge. Traditionally, “risk” within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never acknowledged there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity. One example is the recent U.K. payment protection scandal, where insurance companies and bancassurers have to pay billions in compensation for mis-selling of policies.

In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks among employees and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified, while key individuals such as the chief risk officer (CRO), the chief financial officer (CFO) and the approved actuary often have multiple risk decision-making roles that create an excessive workload.

Perhaps more importantly, individuals are not measured or given an incentive for risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable.

Within a branch network or telephone service center, staff may be under considerable pressure to meet targets, which can lead to sales of products that are not always a) in the customers’ best interests and b) in line with strategic goals. Incentive schemes are partly to blame; they reward salespeople primarily for goals set by their immediate managers, which may prioritize volume over quality. (These can apply both to direct sales and those made through intermediaries.)


Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling or marketing messages that over-promise benefits (such as speed of replacement for stolen or damaged goods or availability of rental cars to replace damaged vehicles). A poorly designed online sales process can easily cause customers to self-select the wrong products.

Compliance reporting for regulations — including Solvency II and International Financial Reporting Standards (IFRS) — can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place and are being adhered to, and they fail to produce accurate reporting that paints a true picture of the business.

Consequently, regulators are raising the bar by demanding more risk-sensitive capital regimes as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement and better assessments of risk management frameworks and risk culture, as well as expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.

From awareness to action

Ultimately, culture is all about action — not policies or documentation. With regulators showing an increasing interest in risk culture and behavior, how can companies gauge their current capabilities in order to make relevant improvements?

There are three important questions to address:

  1. Does the organization have appropriate structures and processes in place to define the desired culture?
  2. Are those structures and processes adequate to create the desired culture?
  3. Do structures and processes drive effective behaviors in practice?

An in-depth evaluation involves close scrutiny of risk and compliance policies, past interactions with regulators and detailed observations of staff behavior at all levels. By seeking the views of a cross-section of employees and managers, leaders can better understand employees’ attitudes toward risk management and how risk management policies, procedures and systems work in practice, highlighting any gaps.

Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring across different departments and locations. Such incidents should be monitored constantly and their root causes identified to offer a continuous indicator of cultural performance. This is a sizable investment requiring strong endorsement from leaders.

Insurance companies with strong risk cultures are likely to exhibit four key characteristics:

1. Tone at the top

The board and executive management should drive risk culture, with leaders exhibiting total consistency in words and actions, taking a visible lead in risk management activities — and being fully accountable when risk parameters are breached. By making risk a formal standing agenda item at board and management forums, the company’s leaders can demonstrate risk management’s importance to all stakeholders. They must ensure all employees are aware of the organization’s approach to risk management, reward positive behavior and act decisively when inappropriate risks are taken (if necessary through disciplinary action). It is very helpful to keep in touch with front-line activity through regular visits to branches and contact centers.


2. Communication

Although leaders set the tone, they can’t be alone in delivering messages about the importance of risk. Senior managers of divisions and business units are also part of the communication process, which must filter down through the organization — and between departments — to the most junior people. In this way, everyone can understand the risk appetite and capacity at the individual, team, department and company level. In addition to recording sales calls, staff should engage in focus groups, surveys and one-on-one interviews to ensure they are continually aware of the risk culture and are conforming to procedures.

Rather than acting as static recipients of advice, all employees should be encouraged to share information and feel safe to challenge unacceptable behavior and to escalate issues. This calls for clear channels for whistle-blowing, implying it is acceptable to criticize the business’s activities without fear of retribution.

3. Responsiveness

In a risk-aware culture, issues are escalated and dealt with swiftly and decisively before they can become major problems, with a central point of contact for all employees for the management and treatment of risks. And, crucially, any learning from such incidents is assessed and built into future policies and behavior to avoid a recurrence. If something slips through the cracks, management should analyze why staff did not comply with protocols and re-educate people on the importance of such checks and balances — as well as stressing the need to act within the “spirit” of risk management.

4. Commitment

Risk must become second nature to all, not something that applies only to actuaries or a central risk team. High-profile cultural transformation programs often fail to achieve lasting change because they don’t focus sufficiently on individuals or explain how people should behave to be more risk-aware. To make cultural change happen, leaders must understand the day-to-day dilemmas faced by staff — such as management pressure on sales numbers — and address these issues directly. Performance management and related compensation systems are key to gaining commitment and should balance local branch/office sales targets with wider organizational goals, as well as rewarding good risk management behavior. That will deter staff from taking unnecessary risks in pursuit of short-term profit. Whether selling in person, by phone, online, directly or through intermediaries, the same principles of fairness and appropriateness must apply.

The approval process for new marketing initiatives has to be robust to ensure the business has the capability to meet any promises. Risk management also requires new skills to identify, assess and mitigate risks, which calls for tailored training and coaching.

Good for compliance, good for the business

As well as increasing the chances of remaining compliant, a strong risk culture gives the board and shareholders greater confidence in an insurer’s integrity and in its ability to meet customer expectations. Comparison websites may have made the sector more price-driven, but customers still appreciate doing business with companies that are seen to be acting in a customer’s interests, often through a company offering relevant products, attentive customer service and a swift, fair claims process.


Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bringing frameworks to life and to ensuring adherence to policies. Once this has been achieved, all employees — not just actuaries — will be able to say they are risk managers.

In a strong risk culture…

  • The board and executive management drive risk culture
  • Every employee understands and embraces the organization’s risk appetite and risk management framework
  • Threats or concerns are identified and escalated swiftly, with employees comfortable (and encouraged) to raise issues
  • Individuals are clear about the risks inherent in their strategic and day-to-day decisions
  • Every employee continuously learns from the experiences of others
  • Personal and organizational interests are aligned via appropriate performance metrics and links to remuneration; risk behavior is monitored regularly, with swift corrective actions taken after any breaches; and staff are encouraged to consult with a superior when it is unclear whether a particular action is outside the organization’s risk tolerance

Questions for insurers

  • Is your board able to articulate the kind of risk culture it wants, and can it explain this clearly to all employees?
  • Does your board have a road map toward a strong risk culture, and can it demonstrate steps it is taking in this direction?
  • Are risks being identified, measured, managed and controlled in a manner consistent with the organization’s risk appetite?
  • Does your staff understand and adhere to the organization’s risk appetite — as it relates to their particular roles?
  • Do employee incentives promote long-term financial sustainability?
  • Do employees at all levels have the skills to manage risk effectively?

Reprinted from “Regulatory Challenges Facing the Insurance Industry in 2016.” Copyright 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.


How to Measure the Value of ERM

When the question of whether ERM is a success or failure comes up, it raises a further question: Why aren’t companies doing a better job of measuring the value it generates?

The reasons that the value of ERM is not quantified by companies include:

  • It is extremely hard to know when a loss did not happen because of ERM.
  • It is just as hard to quantify the cost of loss that did not happen.
  • It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
  • It is often hard to justify the time and expense of measuring something that is not easy to measure.

Having acknowledged some of these obstacles, the only way that companies will know if their ERM efforts are successful is to create some measurement scheme that makes sense for their particular situation. Without measurement, how would a company know not only whether it wants to continue an ERM implementation but also how much to invest in it?

Let us look at a few possible approaches to measuring the value of ERM:

Before-and-After Approach

Once an ERM process has gained some level of maturity in an organization, this approach would take the form of looking at fairly common and reliable metrics on a before-ERM and after-ERM basis. (There are ERM maturity models, developed by experts, that can be used to evaluate how far along the path to full or optimal implementation a company has progressed.) In fact, each of the approaches described would only be reasonable if the ERM process had been in place and well-executed for some period.

Naturally, there will be multiple variables, not just the practice of ERM, that play into these metrics, but that is true for most metrics, and explanations can and should accompany the numbers to explain such variables.

Such metrics would include: 1) number of insurance claims, 2) number of worker injuries, 3) number of lawsuits related to risk/loss events, 4) number of days or hours production is lost because of a risk/loss event, 5) cost of insurance and 6) total cost of risk (TCOR). Thus, when reviewed before and after ERM, the metrics can be charted to show absolute changes in value as well as trend lines. It might even be possible to notice on a relative basis that there are fewer risk-related surprises brought to management’s attention because ERM effectively identified risks while there was still time to deal with them.

Each company will be able to come up with its own unique metrics based on what it is currently capturing, what it could capture and what is important to its business operations.

The value of ERM would be evident or could be computed from the before-and-after metrics.

“What If” Approach

In the “what if” approach, one or more of the most significant risks in the risk register, which did not materialize when expected because of mitigation by the company, would be selected. Perhaps this was a regulatory change that would have harmed a product line, but the company took lobbying efforts or did product redesign because the risk was appropriately identified, prioritized and mitigated.

The amount of the loss that the risk would likely have produced would be computed. Even if it were an insured loss, the estimate would take into account such things as the potential increase in insurance rates, management time and all other attendant expenses not covered.

Since the risk did not produce a loss, the amount of the “what if” loss is the value of ERM.

Alternatively, a significant loss event that affected key competitors but did not affect the company using ERM could be used to assess value. Perhaps it was a natural catastrophe that the company was better protected for or a demographic shift that the company anticipated and reacted to because of ERM.

To get at ERM’s value, the company would have to approximate what the risk, if ignored, would have cost.

Lacking Any Other Explanation Approach

In “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School, published in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model, the case is made that, failing any other explanation, the companies with greater maturity have higher valuations because of it. Specifically, the study found that there was “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.” Organizations exhibiting mature risk management practices, as assessed with the RIMS Risk Maturity Model, realize a valuation premium of 25%.

Discretionary Approach

Yet another approach that does not rely on metrics, per se, is a discretionary approach. In other words, the board, CEO or C-suite could attribute a value to ERM that is based on the recognition that the ERM process has, for example: 1) created a risk aware culture, 2) helped to identify and ameliorate risk, 3) made recovery from risks that have materialized much faster and more efficiently and 4) enhanced the brand among stakeholders.

The discretionary approach does require that management is involved in the ERM process, has an open mind about its contribution and will articulate its conclusions about ERM’s value so that the entire organization is aware of this assessment. Without management’s giving voice to its success, the question of whether it is a success or failure will haunt ERM.


There are undoubtedly other approaches that could be used. The key point is that companies that have invested in introducing ERM should do so in a vigorous way and should measure and communicate its value. This will ensure that the entire organization maintains a commitment to this important process.

How ‘Cascades’ Can Build Work Culture

Most of us have heard the phrase: “Culture eats strategy for breakfast.” It could be restated as, “Your actions speak louder than your words.” This means that management can dream up any strategy they want, but their behaviors and actions are what create the culture of an organization.

Culture drives how efficient an organization’s processes are. Culture drives the success or failure of an organization. Culture is the product of leadership decisions or the lack of decisions.

The best-articulated corporate vision and strategy are of no value if they cannot engage the hearts, minds and work habits of employees at all levels and convey a purpose beyond just profit.

A vision states where an organization wants to go; a strategy defines the path to get there; and the work culture describes how business processes are actually executed along the path toward the vision. The health of a work culture can range from a contagiously high-performance work culture to mediocre or all the way down to a disruptive, confrontational culture that can’t get much done on time or done right the first time. A disruptive culture can trump the best vision and strategies every time. On the other hand, if a work culture is nurtured and groomed to align with a carefully crafted vision and strategy, the positive momentum could be unstoppable.

Figure 1 shows possible scenarios of vision, strategy, culture and performance alignment and misalignment. Business process performance (small white arrows) is more correlated with the work culture (small red arrows) than with the vision or strategy (big blue arrow) of an organization. Work culture — not vision or strategy — drives business performance. The challenge presented by this dilemma is that the work culture is an invisible force that is hard to measure. It shows its good side when you watch it and only displays its bad sides when you look away. The work culture is the product of complex cascade effects inside an organization and is as much affected by leadership actions as it is by the lack of appropriate actions. If left unattended, it will create its own random world of hidden agendas, which will probably not be aligned with the priorities of the organization.

Figure 1 – Three possible scenarios of vision, strategy, culture and performance alignment

Corporate visions and strategies are usually rolled out in formal three- to five-year plans. Work culture management and monitoring is too often not in sync with that plan and is referred to as an “HR thing,” even though it is the gate-keeper of business performance. If you do not understand and actively manage the work culture, it will manage you.

Measuring Cascade Effects Risks

It would be wonderful if we could just plug a measurement device into an organization to check its health and the risks of cascade effects (Figure 2). The work culture defines how employees work with each other through communication, coordination and cooperation. It generates multiple slow-motion and rapid chain reactions, ripple effects and cascade effects that greatly affect the mood and attitude of the organization. It predestines an organization for success or failure.

Figure 2 – The challenge of measuring work culture health and risks

How can we measure the health of invisible cultural chain reactions that can drive the success, mediocrity or failure of an entire corporation? I suggest a series of management and employee surveys and brainstorming assessments to test for the presence of 56 different elements of risk that can be present at any level in an organization. (See Figure 3 for a partial view of the survey.) The culture assessment tool shown in Figure 3 should be used for at least three different levels of management in an organization. These three levels of perception will offer triangulation data points, which will show how common or diverse the perceptions are that describe the organizational culture.


Figure 3 – Partial view of a gamified organizational health survey

The Organizational Force-Fields That Drive Success or Failure

Chain reactions, domino effects, ripple effects and snowball effects are similar in that they are defined by the single acts that created them. Once triggered, they will play out their effects depending on the amount of resistance the system presents against them. Cascade effects are different. They are fueled by a hierarchy of multiple interacting triggers at different levels in the system. Time delays between cause and effect are common, making the direct correlations between cause and effect more difficult to identify. Each element of the cascade effect can create dramatic outputs involving as many as three degrees of separation, rippling through an organization. There are three types of organizational cascade effects:

  • Destructive tsunamis of non-cooperation and negativity
  • Expanding groups of status quo herd followers
  • Constructive waves of cooperation, empowerment, motivation and positivity

If all of the cascade effects are present in an organization at the same time, the result will be conflict, employee frustration and lack of momentum in the right direction. A random mix containing equal parts of motivated, frustrated, positive and cynical employees co-located for 40 hours a week is not a formula for success; it is a recipe for mediocrity or even disaster.

Positive Organizational Cascades

These are acts of positivity that multiply and can also spread from person to person. In 2010, researchers from the University of California, San Diego and Harvard published the results from their experiments in an article titled: “Cooperative behavior cascades in human social networks.” They showed that cooperative behavior can be just as contagious as bad behavior. They showed that positivity can spread from person to person to person by displaying random acts of cooperation, generosity and other positive behaviors. This creates a cascade of cooperation that influences dozens of people who were not involved in the initial trigger event.

Mediocrity and Consensus Cascades

These cascades are the result of contagious personal decisions to blend in with the crowd and not make any waves (also known as “group think”). Many researchers, including those from the computer science department at Carnegie Mellon University, have confirmed this phenomenon. Forces in organizations and society like peer pressure, blending in, the herd mentality and the band-wagon effect can cause an individual to follow the herd, even if that violates personal preferences and value systems of what is right and what is wrong. This is often done to save one’s reputation in a group and gain acceptance. Efforts to achieve team consensus can create the same phenomenon, resulting in conclusions that might not always be the best ones. Teams can assign a “devil’s advocate” role to a participant to deliberately challenge “herd decisions” to counter this cascade effect.

In 2013, Forbes wrote an article titled: “Brainstorming is Dead…,” which summarized recent criticism by many about how creative people can get suppressed by other personalities during brainstorming events when the main priority is to get consensus on all brainstorming conclusions. Forcing consensus is as useful as it is dangerous. To avoid ineffective and dangerous group-think cascade effects, group decisions should build on each other’s ideas, when possible, to create innovative hybrid solutions and not pick one idea and totally discount another idea that might have a flicker of genius.

Negative Organizational Cascades

These are acts of negativity that multiply and spread from person to person in an organization. Risky, combative and uncooperative behaviors all have the unfortunate ability to multiply and spread to three degrees of separation from the original act. This can have a negative impact on dozens and even hundreds of downstream people not involved in the initial negative triggering acts. Negative human interactions can break the bonds of humanity and teamwork. These cascades can destroy the work culture, effectiveness and performance of an entire organization.

The Broad Influence of Cascades

Behavioral researchers have demonstrated with team experiments that positive, mediocrity and negative cascades can all have an effect across three degrees of separation (friends of friends of friends). Other researchers and computer models have determined that only three to four degrees of separation is what separates everyone in the USA, and only six degrees of separation separate everyone in the world. Exceptions to this rule are the secluded tribes in the Amazon jungle and other remote places. Yes, the world is smaller than we think, and actions really do speak much louder than words. Actions and behaviors can reach beyond the horizon and into different time zones.

The Organizational Forces Survey

The Organizational Forces Survey tests the health of the individual organizational forces that drive chain reactions, cascades and other behavior propagation phenomena. This survey asks participants to assess the presence of positive and negative organizational forces shown in Figure 4 by identifying the forces they believe to be present. This survey is given to all levels of employees and management.

Figure 4 – The Organizational Forces Survey used to assess the health of the work culture.

Figure 5 shows an example of survey responses, using the form in Figure 4, that were attained from the survey for three different levels in an organization: top leadership, middle management and non-management. One sign of healthy communications between management and employees is when organizational risk assessments are similar between different levels in the organization. However, that is not the case here.

In this survey response example, top leadership rated the health of the work culture as overwhelmingly positive (green). They perceived their environment to be a Grand Organization in the making. Unfortunately, non-management employee responses to this survey were at the opposite end of the scale (red). They rated the forces in the organization as overwhelmingly negative, filled with high risk and knocking on the door of a Grand Disaster. Middle management rated the work culture as mediocre (yellow), with some responses slightly positive and others slightly negative. This group of employees was apparently influenced by perceptions of top leadership and non-management.

Figure 5 – The range of survey responses from various levels in this organization shows major discrepancies in their perception of the health of the organizational work culture.


Grand investigations are often done after a loss-of-life disaster occurs, such as a NASA space shuttle disaster, a passenger airplane crash or an accidental employee death on the job. However, it is hard to find this level of effort and analysis applied to prevent such disasters. Deep and thorough disaster investigations often find flawed, undisciplined leadership practices and organizational cultures at the root of the problems. It is also common to discover a zealous ambition to grow the business without really ensuring that a healthy work culture foundation is put in place to safely support such expansion.

Huge opportunities for organizational productivity improvements still exist today by cultivating a high-performance work culture. Breakthroughs can be made when organizations appreciate the fact that “culture eats strategy for breakfast,” a phrase coined by Peter Drucker, a famous management consultant, educator and author. True organizational greatness can be achieved when organizations look beyond trying to just manage the bottom line and learn how to manage, analyze and monitor the cultural forces and cascade effects that drive success or failure.

A grand vision and strategy can only revolutionize a company when the work culture is healthy, engaged and aligned with those concepts. Taboos on talk must be broken. Open, frequent and candid communications must exist between all levels in the organization. Employee issues and concerns must be addressed in a timely manner as proof that a functioning communication and countermeasure system are in place. Only then can an organization really have a chance to break its barriers to greatness.

How to Develop ‘Risk Maturity’

This is Paper 4 in a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is in our view very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.

Paper 1, the shortest paper, makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. This article, Paper 4, answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operate based on the links between risk and strategy.

How are risk appetite, risk tolerance and risk limits related to one another? A range of differences in philosophy are influencing the gradual determination of internationally accepted definitions. Notwithstanding, we recommend the definitions and the sequence of diagrams and explanations given in the Institute of Risk Management’s (IRM) guidance, which are


A number of models exist that seek to describe the relationship between risk appetite, tolerance and risk; for instance, the Ernst & Young Risk Pyramid below:


How are organizations using risk limits and risk tolerances around those limits? Our experience in working with clients shows that organizations are continuing to struggle with basic risk concepts, definitions, language, responsibilities, reporting and delivery. Accordingly, while risk limits are set to contain risk-taking practices, lack of common language and loose interpretation of concepts are causing confusion within organizations and leading to limits being seen as negotiable within the context of risk tolerances. As a corporate discipline, risk management is in its infancy, and the quality of risk practitioners is generally poor. Risk limits are perceived negatively by business practitioners, who use their limited knowledge of risk tolerances to argue for greater flexibility in applying limits.

How do organizations facilitate early warning of potential breaches of risk appetite? In practice, we find that there is limited facilitation. Rather, business people see the concept of risk as limiting practices that drive value and, thus, adopt the business school mantra of “seeking forgiveness rather than permission.” This is made easier in organizations where risk is seen as a nuisance and impediment to business and where appreciation of quality risk management is not apparent at senior levels. Business generators tend to view risk as friendly and flexible, designed to support business generation. Thus, risk limits are treated like speed limits on the public highway, more for observation than observance. Accordingly, we find few cases where early warnings are seen as anything other than flashing lights on the dashboard. In many cases, early warnings result in a case’s being presented to the risk committee for raising limits, rather than resulting in severe braking to ensure conformity in risk management.

Much of the foregoing represents the cultural challenge of embedding risk as a serious discipline rather than a faux science treated as an add-on. This reflects the nascent nature of risk management and its failure to be seen at board level as front and central to strategy and its effective and safe execution. Culture and “tone from the top” are critical here. So is strong support for risk executives at senior management level and an appreciation that risk management is akin to the medical profession, where hygiene is embedded in all procedures and provides a safe and secure means of conducting business, rather than being an impediment. The absence of good-quality risk officers and of universally accepted definitions of risk also undermines the discipline in organizations where there are few effective sanctions against limits being broken.

How do organizations assess risk culture? Optimal risk culture is designed and nurtured on building blocks practically described as blocks ABC:


The building blocks are briefly summarized as follows:

  1. Training, values and beliefs, reporting and continuous improvement directed at outcomes driving attitudes displayed by people, which
  2. Influence their behaviors and thus the quality of their discussions and decision making, thereby
  3. Manifesting as demonstrably credible risk culture.

Other than retrospective analysis of poor risk culture following various corporate crises, there is a limited body of reliable knowledge and experience on assessing “existing risk culture” and successfully navigating to a “target risk culture.” The IRM’s “Risk Culture, Under the Microscope: Guidance for Boards” describes multiple interactions:


Diagnostic tools are available to track the components described within the framework above. In our experience, however, such is the poor state of risk maturity in very many organizations that they are not sufficiently advanced to practically determine how they might chart a course from the existing to the target state of risk culture.

In 2011, the Financial Reporting Council produced the report: “Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors.” In the section on risk and control culture, the report said:

  • It was recognized that risk and control culture was one of the issues on which it was most difficult for boards to get assurance, although boards appeared to be making more efforts to do so.
  • The risk management and internal audit functions could play an important role, as could reports from and discussions with senior management, but some directors felt that there was no substitute for going on to the shop floor and seeing for themselves. It was otherwise very difficult to judge whether risk awareness was truly embedded or whether it was seen as a compliance exercise. This, in turn, assumed that non-executive directors had a sufficient understanding of the business, which some participants noted may not always be the case.
  • One common approach was to ensure that responsibility for managing specific risks was clearly allocated to individuals at all levels of the organization, with their performance measured and reflected in how they were rewarded.
  • In some companies, the remuneration committee had been given responsibility for considering how to align the company’s approach to risk and control with its remuneration and incentives. Examples were also given of the head of the risk management or internal audit function submitting reports to that committee, for example on how the company was performing against certain key risks, or being invited to comment on the details of proposed incentive schemes.

More recently, the Financial Stability Board (FSB) in its “Peer Review Report on Risk Governance,” published in February 2013, identified “business conduct” as a new risk category and said, “One of the key lessons from the crisis (GFC) was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.” In consulting and developing guidance for regulators, the FSB emphasizes the importance of risk culture as a principal influencer reducing the risk of mis-selling financial services products that can end up in the wrong hands with detrimental prospects for consumers in particular and society in general. Clearly, conduct risk is systemic, and inherently so when considered in the context of big data; that is to say, conduct risk is very unlikely to exist in isolation within an organization.

Separately, the FSB has articulated what it considers to be the foundation elements of a strong risk culture in its publications on risk governance, risk appetite and compensation. It has broken down the indicators into four parts, which need to be considered collectively and as mutually reinforcing. The four parts are:

  1. Tone from the top: The board of directors and senior managers are the starting point for setting the financial institution’s core values and risk culture, and their behavior must reflect the values being espoused. The leadership of the institution should systematically develop, monitor and assess the culture of the financial institution.
  2. Accountability: Successful risk management requires employees at all levels to understand the core values of the institution’s risk culture and its approach to risk, be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. Staff acceptance of risk-related goals and related values is seen as essential.
  3. Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
  4. Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behavior. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.

Clearly, there is consistency in thinking as to the importance of risk culture and its core attributes. Monitoring risk culture is, however, very challenging indeed. To the particular question of communicating risk culture to stakeholders, we question whether this can be done credibly in the absence of finding proxies for the attitudes and behaviors described in the ABC risk culture building blocks above. Our experience tells us that risk maturity capability requirements are today well-understood, reliable and credible proxies for risk culture. On this basis, we recommend that organizations travel the better known road of “risk maturity,” for which there are a number of capable maturity models in existence.


We believe there to be a demonstrably credible correlation between full maturity (optimizing value through aligning risk and strategy with corporate objectives) and board ownership of the risk appetite framework, building resilience (defending operations, business model and reputation) and risk culture. The RMI Risk Maturity Index correlates:

  1. Level of alignment of risks to strategy, objectives and execution,
  2. Risk role affirmations at each maturity level,
  3. Risk culture affirmations (practices confirmed by internal and external attestors),
  4. Risk defense affirmations (practices confirmed by internal and external attestors),
  5. Board and organizational processes, and
  6. Value realized at three levels: a) the investor, b) the organization and c) stakeholders.

Progression from one level to the next requires a blend of internal and external independent attestations, which are facilitated with the aid of a database containing structured question sets. Risk maturity scores are weighted according to the:

  1. Quality of answers provided to questions,
  2. Availability of demonstrably credible evidence supporting answers,
  3. Rigor and consistency of risk data.

We believe that risk maturity attestation by seasoned practitioners will provide evidence-based assurance as to organizational risk culture.

The Key to Building Effective Risk Culture

Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite — you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company.

The interactions among all of these are not predictable, and variables cannot accurately be isolated.

An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” — a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.

ERM policies, systems and reporting dashboards are all part of the foundation for good risk management. Once you have all of these in place, you can start building an effective risk culture. Remember also that there is too much complexity and subjectivity in culture to assume that individual reactions and responses can be aggregated to reflect or give an accurate picture of the whole organization’s risk culture. You cannot “pop” an effective risk culture in the microwave; it takes a lot of preparation, dedication and time to get it to perfection.

You can have the best staff retention rates in the industry or the most awards for long service — both of these can also indicate a high risk of employee fraud. According to ACFE research: 53% of fraudsters have more than five years of service, and the median loss for fraudsters with six to 10 years of service is $200 000. 52% of fraudsters are between 31 and 45 years old, and older fraudsters tend to cause larger losses.

Scanning the horizon might just be the most important thing to do. You cannot control or stop what is coming; you have to prepare to respond to it. So many organizations spend large amounts of money to focus and report only on what is happening inside the organization, where they actually have control. Your biggest risks are outside of the organization, where you have no control.

Key elements for the future of your risk strategy should include internal networking; you have to talk to the informal groups and their informal leaders just as much as you do talk to the executives and managers, maybe even more. The real business does not always get done in the formal “boxes and lines” structure.

Just as important are the aspects of desk research and external networking. To have a good risk management strategy and action plan, you have to know everything about your industry, markets, competitors, supply chain, alternative supply chain, global risks in a connected world and many more. Failure to adapt your business model to the ever-changing internal and external risk environments will lead straight to the corporate graveyard.

The future of risk management is just: “risk management through people.” You can have the best systems, great models and scenario analysis with elaborate dashboards; at the end of the day a person will take a decision.

Are your employees aiming at more than one target, or do you have a clearly defined risk for reward strategy and risk appetite statement to guide them? Business strategy and risk culture are parts of an interdependent system.

Start working on your success by training every employee with some basic risk management skills.

As my Moody’s colleague Sarah Tennyson wrote last year: “Enterprise-wide risk management requires a shift in the behavior and mindset of employees across an organization. To realize the full benefits of improved systems, tools and analytical skills, people need to learn new ways of perceiving situations, interpreting data, making decisions, influencing and negotiating.”

This was originally published at Zawya.