Risk culture is an evolving process – be prepared

By Scott Unterrheiner, Chief Risk Officer - Asia Pacific, Sydney, Gen Re

In the current era of global regulatory change, much attention has been directed toward the substantive and structural elements of risk management and regulatory compliance. The questions asked are generally:
•    What is your solvency margin and capital sufficiency?
•    What is your governance structure?
•    What is your process for risk assessment and the capture or identification of emerging risks?
•    What process ensures that you are compliant with regulatory, licensing and legislative requirements?

The often overlooked and underappreciated element is that of the organisational culture – and how it affects the company’s response to risk.

While the structural implementation and operation of your governance, risk and compliance framework is important, having an appropriate risk culture aids the transition from mere compliance to something that creates value for an organisation. This is evident from the instances of employee-created reputational damage to financial service institutions. In most cases, adequate frameworks are in place, but they are not embedded in business operations due to misaligned risk culture.

The other side of the equation is ensuring that your organisation has an appetite for new opportunities that aligns with the board’s strategy and risk appetite. The elements discussed below will have an impact on the individual’s and the collective team’s approach to assessing and taking advantage of opportunities; it may be that your risk management framework and culture are inadvertently inhibiting profitable, growth-generating decisions.

One final matter to note before diving into details: what risk culture means, how it is measured, and how to influence it will be different in each organisation. While the theory and concepts can be discussed ad nauseam, it is up to the board, risk management, and human resources of each company to be actively engaged on the topic and determine the approach. This is part of the reason why regulators generally do not prescribe prudential requirements around risk culture; most rely on the board and senior management to form an opinion on what is appropriate and how this will be determined.

In theory
Although definitions vary and often conflict, risk culture is generally the values, beliefs, knowledge, attitude and understanding of risk shared across an organisation. It is manifested in how an organisation reacts to uncertainty and risk, and it is organisation-wide (operational, strategic, market/investment, and underwriting). An appropriate risk culture will differ between organisations and industries, but it is one that is aligned with business strategy and ensures all members of your entity approach risk in the manner that senior management and the board expect.

While this article will discuss the concepts of risk culture across an organisation broadly, it is essential to note that the risk management framework itself has a significant impact on organisational culture. Reviewing the risk and compliance frameworks as part of a wider risk culture review is a powerful and reinforcing approach to organisational change. Risk management principles focus on ensuring that opportunities are identified and that adequate resources are available to take them; in practice, however, the risk management framework often focuses mainly on risk mitigation.

Elements of risk culture
Elements of risk culture vary widely, depending on the organisation, market, country, and regulatory environment in which you operate. What is important to your organisation may matter little to another. While these elements can be considered from a stand-alone perspective, the wider culture should understand which ones take precedence when they are in conflict, such as a situation where meeting client expectations requires bypassing internal compliance processes to deliver the outcome.

Some elements to consider are listed below. Treat them as levers that you can change and that affect not only risk culture but organisational culture as a whole.

A company’s board and senior management should form a clear and communicable approach to risk that is understood at all levels of the employee hierarchy. Generally, the company’s business strategy and risk appetite are determined; however, these are often not then supported by a statement about the risk culture needed to deliver that direction.

Larger organisations should clarify who is responsible for setting any desired subcultures that may need to exist and that also align with the larger organisation culture. An example of this may be differences in the front office (client facing, underwriting, trading floor) compared to the back office (finance, taxation, legal, reserving). Even if the organisation-wide culture is defined in a way that can be applied across all segments or units, responsibility for ensuring the culture of each unit should be clearly assigned – normally to the unit head.

Tone from the top
Consistency in corporate communication, decision-making and actions is critical to avoid misinterpretation. Employees will adopt “what you do” over “what you say.”

Consider how the communication is filtered down through your organisation. Often in larger organisations a statement or decision that impacts risk culture is made by the board or senior management, and by the time it filters down through the levels of the hierarchy, it is “reinterpreted” into a very different application and implementation. In some instances, these reinterpretations find their way into performance incentives and have significant and negative impact. Company-wide communication should be utilised if there is the possibility of the message being lost in translation.

Lines of accountability need to be clear and enforced, and preferably assigned to individuals rather than committees, where accountability is often lost. In larger organisations, the lines of responsibility are often blurred, and the aftermath of an incident may focus on internal politics and assigning blame. This is especially the case when processes, data, or information flow from one team to the next and all controls along the chain fail to identify the event.

A practical way to assess whether accountability is clearly established includes:
•    A review of your risk management framework. Does it clearly identify owners of risks, controls, and processes?
•    When an event occurs, is there any uncertainty about who is accountable?
•    Rather than waiting for an incident or event to occur, run some scenarios through and consider who would be responsible for control failures or for risks occurring that were not mitigated.

You may have established acceptance that certain risks should not be completely mitigated by controls. Normally this occurs because the cost of implementing controls is significantly higher than the expected loss (the frequency of the risk occurring multiplied by its cost). In these instances, accountability rests with the individual who determined that the unmitigated risk was acceptable.

Frequently overlooked is consistency in, and wider communication of, any disciplinary action. If the right balance between confidentiality and transparency is not struck, the communication void will be filled by uninformed employee discussion. Management will need to assess this on a case-by-case basis, as some matters will not require wider communication.

Incidents and escalation
We are referring here to 1) risks or events that were unknown but that either have occurred or could have occurred, and 2) controls that did not mitigate the risk as expected. The focus should be on identifying what actually went wrong, what can be learned, and whether changes to processes or controls are required. It is important to deal with disciplinary action or assignment of accountability as a separate matter, to encourage open discussion.

An incident should be utilised as an opportunity to challenge your risk management framework. A process should be in place to ensure that incidents occurring across the organisation either by unit or geographic location are consolidated and reviewed for potential impact organisation-wide. To find efficiencies, many organisations have moved towards common systems, controls and processes; inherently, sharing learnings of control weakness across an organisation will have a compounding impact.

As a side note, internal sharing of internal audit findings, observations, or reports is a powerful way to identify potential gaps within your framework. While local management may not wish to share observations, reviewing this information from one location and considering its wider organisational impact, especially if it concerns an operational risk, is valuable.

Incentives and remuneration
Measure and reward performance based on your desired risk culture, both financially and non-financially. Setting goals around key performance indicators will influence the culture you create.

When reviewing the goals across the organisation, critically assess if they align with the cultural statement that has been established as part of your business strategy. All too often, the strategy is focused on growing the business through bettering customer experiences or serving their needs; however, individual goals are focused on short-term profitability and meeting key performance indicators that are not linked to customer needs.

A recent media storm surrounding an American banking institution is an excellent example of the impact bonus-linked incentives can have on your culture. The bank set employee performance targets in which remuneration was linked to the number of accounts and credit cards established. The resultant outcome was the establishment of thousands of fraudulent accounts and credit cards. The impact on shareholders’ and stakeholders’ interests from this incident occurred through various means, including:
•    Reputational impact
•    Financial and regulatory fines
•    The customers’ time (in this instance some customers’ credit ratings were affected)
•    The incentives paid to employees (if not recoverable)
•    The time spent and resource cost of creating the fraudulent accounts

Organisations are starting to link remuneration to the operation of the risk management framework. Under this approach, failure to follow defined procedures and controls, or not taking an appropriate approach to risk on each transaction, affects employee remuneration.

Training, succession planning and talent management
These elements should support and enforce the desired culture and behaviour. Be conscious of your risk culture when making decisions around them.

Many of us have been in the position of hiring or managing the performance of individuals; however, we naturally focus on the ability to perform the role, the individual’s attitude to work, and how the person fits into the immediate team. The wider impact on organisational culture is a crucial element that is generally not considered. If the desired culture differs from the existing one, then talent management carries significant influence on the culture’s ability to change.

Something an organisation also needs to consider is how the attitude of high performers reflects on cultural attitudes or perceptions to risk and compliance. High performers can be naturally influential, and where their attitude is misaligned, it may become contagious and toxic. More disturbing is that their negative outlook may not be easily identified by management.

Core competency
The risk culture should support your business strategy, which is built around your core competency. A close link exists between the success of a strategy’s implementation and the organisation culture. If they are not already aligned, then changing one is critical to achieving the other. An easy way to gauge this is to compare how you wish to be perceived by clients and the marketplace versus how they actually perceive you.

Risk culture measures
When approaching this topic, the end goal is to determine what the appropriate risk culture is for your organisation and how you can influence and shape your current culture into it. There is no “best” risk culture, and a risk-averse one is not automatically a “strong” one. In some instances you may desire centralised risk taking, where the risk culture is heavily driven by compliance and strict policies, procedures, and controls. Other instances require front-line employees empowered to make decisions.

While we have identified some levers above for influencing your risk culture, below are some areas you may wish to use as measures or as indicators of desired behaviours. Many of these will also appear in your measure of wider organisational culture, but the items below focus on the risk culture perspective. Also note that each item should be seen as a spectrum, and the challenge for those defining an appropriate risk culture is to determine where on that spectrum your organisation should reside. Additionally, these may differ from entity to entity or may be broken down in more detail; the ones below are just a guide.

•    The strategy: To what extent does your risk management and compliance process define individual roles? To what extent are they to be followed or is there leeway for employee judgement?
•    The measure: This assessment should be around employees following the risk management process, control or procedure. Will they follow it when the workload is busy, or will they take short cuts? Do they actually understand why it is in place? Do they believe it adds value?

Risk-based decision making
•    The strategy: What approach to risk-based decisions should your culture take? Should it favour the conservative approach, essentially searching for a reason to reject business? Or should employees take a risk when they perceive the opportunity has a greater than 50% chance of profitability? This is a conscious decision about the perceived risk and the return your organisation wishes to receive. It should also consider the cost of capital and the level of capital you are willing to put at risk (i.e. the maximum value at risk should a loss event occur).
•    The measure: Here you should attempt to gauge your company’s approach to decisions around a risk event – from writing a new business opportunity, to approving a new client, to the admittance of a claim. Ask questions that draw out undue conservatism (an entity passing over a profitable opportunity) as well as undue aggression in risk taking; in both cases the test is whether the risk-based decision aligns with your appetite.

•    The strategy: Most organisations will have the central measure of creating shareholder wealth. They will also have the strategy of being customer-centric and focusing on consumer outcomes. Your strategy should help your staff understand the relationship between the two, and what actions to take when shareholder and customer interests are not aligned.
•    The measure: Do your employees understand your organisation’s approach to performance? In different situations, do they know in whose interest they should act?

The process of reviewing and assessing your organisation’s risk culture

Determine the appropriate risk culture
The first step in understanding your risk culture is to determine what is most appropriate to support your business vision or strategy. If the business vision or strategy is not clearly defined, an alternative approach is to consider how your company would want to be viewed through the eyes of your clients. If you are operating in a financial services environment, it is assumed that your risk appetite is already aligned to your business vision or strategy (which is why it is not mentioned here).

As mentioned above, it is also common to have one enterprise-wide statement of a desired risk culture, which is elaborated and made relevant to each business and service unit. Also ensure these statements are precise, simple, and not open to interpretation.

Determine which levers of the risk culture elements will support the vision
There are two levels that must be addressed: 1) enterprise-wide, and 2) by department or service unit.

Organisation-wide refers to the governance, the tone from the top, and the risk management framework itself. Each department or service unit will focus on its individual function and how to service internal and external stakeholders.

Establishing a view of your risk culture and how to assess it

Risk management professionals have a wide dialogue across the organisation, and with culture it is often the informal interaction that reveals the most truth.

Through all these interactions you will be able to assess risk culture. Think of the measures and levers above, and of your interactions in risk committees or when resolving incidents. An individual in an effective risk management function often has a better understanding of the cultures and sub-cultures than senior management does.

Assess it with management and their teams
Objectively engage with your managers to discuss the above topics, form an opinion of your culture, and compare it with that of senior management or the board. Be prepared to discuss with each team any results that require their action; this means facilitating a direct conversation with the team to interpret and understand the results.

This process works best when you break your risk culture statement down into sub components, such as the levers above. Below each sub component, critically assess your culture and challenge each other to assess if that behaviour is the most prevalent. While it may be difficult to admit that a certain team or even organisation-wide behaviour exists, not honestly identifying and attempting to rectify it will have negative outcomes – on culture and financial performance.

A risk culture survey is a quick tool to obtain insight into your risk culture. Comparing results year on year, or benchmarking them against industry, provides guidance on areas for improvement or misalignment. It also assists your board in forming an opinion about your company culture and offers a measure against which to define what is appropriate.

The questions in the survey should not be open to interpretation and are best laid out as a series of statements that respondents rate on a scale from positive to negative.

In addition to the survey questions, it is critical to capture the respondents’ demographics – generally their team, tenure, role and geographic region. This will allow you to drill into the responses that require analysis. Is that response from a particular team or location, or is it organisation-wide?

Another interesting data point is the respondent’s position within the hierarchy (employee, manager, senior manager, executive, board member). Asking your board to complete the survey (their viewpoint reflects their understanding of the culture) will often highlight differences between what senior management reports and what actually occurs.

Interview employees and teams
A more intensive approach is to interview employees where the survey results indicate hot spots, especially if your understanding of the result is unclear, or to discuss potential action points. Obviously, the team culture will affect how this should be facilitated, but generally a healthy discussion about improvements or problem areas can be facilitated in a positive manner.

Where to now?
Every organisation is different, which means the setting for a desired risk culture, how to change it and measure it, will differ from one organisation to the next. While much theory is established about culture and risk culture, implementation of the aspects discussed here is extremely difficult and time consuming. However, with so many cases of poor corporate culture reaching the media over the past 12 months, it should be clear to all what the potential downside of no action may be.

Treat your approach to risk culture as an evolving process. The approach in the first iteration will differ from the one applied in five years’ time, but being prepared will allow the approach to evolve.

© Published with the permission of General Reinsurance AG 2018 at www.genre.com.