Risk culture a ‘work in progress’ within most insurers finds IRM survey
But risk managers within European insurance and reinsurance companies still have work to do if they are to truly embed risk management culture within their organisations and secure serious top management buy-in, according to an in-depth survey of insurance company CROs recently carried out by the Institute of Risk Management (IRM) in London.
The survey was carried out with 28 CROs of member companies of the Institute. Fourteen of the respondents worked for companies based in the UK, seven from North America, five from other EU countries and two from the Caribbean. Sixteen were multi-line general insurers, five mono-line insurers, three life insurers, two were consultants and one company described itself as a composite insurer.
The responses suggested that risk culture is still a work in progress within many organisations. The majority said that risk culture is an element of all Solvency II workstreams but that there is no specific risk culture programme. The good news was that 32.1% of those surveyed said that they do have a specific workstream to consider risk culture linked to embedding risk management but 14.3% said that they have no plans to introduce a risk culture programme.
The response was mixed when asked whether organisations have analysed their risk culture and how this was approached. Eleven of the companies said that they had undertaken a formal risk culture survey, which asked management to self-assess against a structured assessment. The majority, 14 companies, said that an informal evaluation had been completed by management.
Risk culture work is generally sponsored by chief risk officers. Twelve of the group said that their CRO was the chief sponsor, four said that the Solvency II programme manager is in charge of this job and one said that it was the remit of the chief executive. But seven companies said that they have no sponsor in place.
The challenges faced when attempting to establish a risk culture across an insurance group were found to be varied. The biggest single problem was said to be insufficient resources, cited by 11 companies. Nine respondents said that lack of clarity over embedding strategies was the main problem, eight said lack of access to management time, another eight said insufficient tools to establish or drive risk culture change, seven a lack of understanding of current culture and six a lack of management and board direction on desired risk culture.
The chief method adopted to evaluate whether elements of risk culture are embedded is an informal evaluation completed by management (20%). Useful indicators of whether an effective risk culture exists are considered to be the effectiveness of risk committee and governance processes (77.8%) and the adoption and use of risk appetites and tolerances (66.7%).
The risk leadership element of the survey was not overly promising. Most (44.4%) said that leadership expectations on risk management are defined but inconsistently communicated and understood and staff are not clear on overall direction. The next largest group (33.3%) said, however, that leadership expectations are clearly expressed and consistently communicated and that direction is set and leaders create a ‘tone at the top’ through reinforcement and challenge.
One positive response was on how companies react to bad news. The vast majority (59.3%) said that leaders encourage the timely communication of material risk information and challenge managers to divulge bad news early to ensure it is acted upon in a timely manner. Some 29.6% said that the communication of bad news is sporadic but thankfully only one respondent said that their organisation does not encourage it and stories exist within the group of the messenger having been ‘shot’.
On risk governance, 14 of the companies said that accountabilities for the management of risk are clearly defined and widely understood but 11 said that they are only partly defined and that the reporting process is not clearly defined or widely understood. On transparency the majority, 13 companies, said that risk information is effectively communicated but also that this communication tends to be one way (bottom up) and supports a tick box approach.
Responses on risk resource were evenly divided. Twelve said that the risk function has a clear role and remit that is endorsed by senior management and the skills and resources needed to support an effective risk management culture. Eleven said that the risk function’s role is defined but does not cover all aspects required for an effective governance process to be implemented and that the function does not have the breadth and depth of skills to support all aspects needed to develop an effective risk management culture.
There was a disappointing response on risk competence and education as 16 of those who took part said that training and awareness programmes on risk management only exist in parts of the organisations and are implemented in a partial or siloed manner.
Equally disappointing will have been the response to the question about risk decisions as 14 respondents said that leaders see risk information on an ad hoc basis to support decisions. Also the majority of the group said that the boundaries of acceptable risk are only defined on specific issues and that it is not clear how risk and reward are balanced, although they are part of decision making. Only seven of the respondents said that leaders actively seek risk information to help them make key business decisions.
Another area with obvious room for improvement is reward. The majority said that it is recognised that risk awareness and risk taking behaviour are valuable to their business and steps have been taken to encourage it but this is not ‘explicitly’ connected to performance management processes and inappropriate behaviours are typically unchallenged.
In a presentation given by Alex Hindson, Chairman of the IRM, he explained that to embed the IRM means to make risk management truly part of the day-to-day activity of the business. Under Solvency II, more accurately, this means the ability to provide evidence that ‘it’ is actually happening.
Risk culture is complex and multi-faceted, he said. But, at its simplest level, to embed risk management culture is to ensure that it is factored into decision making, said Mr Hindson. He added that it is also reflected in how management is rewarded for taking ‘appropriate risks’ and how it encourages communication on risk and responds to bad news.
Mr Hindson said that evidence from the survey showed that the majority of companies have embedded risk culture across all Solvency II work streams and don’t have a specific project. Also the majority of assessments of risk culture are informal and unstructured.
CROs are the main sponsors of risk culture, but a significant number of organisations have no sponsor in place and the principal barrier to progress is lack of resources and unclear embedding criteria, he added.
The fact that the principal proxies for risk culture are around the quality of board and risk committee processes and discussions and the use of risk culture implies that risk culture is for senior management only, and not about risk awareness across the organisation, he concluded.
Thus, risk maturity is fairly consistently a ‘work in progress’ and the key areas to focus upon are to strengthen risk leadership and transparency, develop risk competence and training and strengthen links between decisions and performance management.