What Makes a Successful Risk Culture?

June 17, 2017

A successful risk culture is explicit and supported by top management all the way through senior management. It is founded on ethical and responsible business behavior that is translated into actual practices. Successful risk culture flourishes in an informed environment where all employees are enabled to cultivate the desired practices. Ultimately, risk culture is bolstered by rewarding employees who take the right risks in an informed way.

As captives have matured and continued to flourish, they are being called upon to expand the risks that they underwrite. Captive boards and management should work to understand that, as their risk appetite grows, so should their dedication to building a successful risk culture within the captive. Bad things frequently happen to risk-bearing organizations that ignore this advice. For captives, where capital or surplus may be constrained, an effective risk culture is even more critical.

This article is inspired by a series of blog posts written by Alasdair Wood of Willis Towers Watson. In reading Mr. Wood's posts, this editor wonders how many captives today have really thought about this question in detail. It seems that too often the culture of many entities becomes an afterthought instead of something that both management and the board work to cultivate and enhance. Certainly, the "culture" alleged at Uber is a case in point. The question to all of you captive owners and managers out there: "What is your risk culture, and can your board, staff, and policyholders/members clearly articulate it?"

Mr. Wood's blog on risk culture is composed of five separate articles, four of which are germane to all captives, while the fifth will be of interest primarily to captives underwriting commercial auto and transportation. He begins by defining the concept of a "risk culture" using the definition supplied by the Institute of Risk Management: 

[A risk culture] is the sum of an organization's "shared values, beliefs, knowledge, attitudes and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organization."  

In essence, it is the sum of all views of how an institution should take and manage risk.

Every captive insurer has a risk culture whether it is implicit or explicit. The problem with an implicit risk culture is it leaves too many variables to chance. How many stories have you read in which management, armed with the benefit of 20/20 hindsight, acknowledges that there were definitely warning signs that something was wrong or it was not working as intended and, yet, these warning signs were either missed or dismissed?

Effective risk cultures cannot operate in a vacuum (i.e., they cannot be implicit in nature). For a risk culture to be effective, it needs to be explicit and supported by top management all the way through senior management. It is founded on ethical and responsible business behavior that is translated into actual practices that are lived and cultivated by all employees of the organization.

Also, an effective risk culture should be predicated on the following.

  • Open and transparent reporting
  • An effective control structure
  • Clear accountability for results
  • Alignment with the incentive compensation structure

Mr. Wood points out that "The board has a responsibility to set, communicate and enforce a risk culture that consistently influences and directs the strategy and objectives of the business. This starts with the risk behaviors, attitudes and culture of the board itself and translates into concrete actions down through the organization." At your next captive board meeting, ask each of your directors individually to write down in a paragraph or less what your company's risk culture is. Do all of the answers read the same or are they all over the map? If it's the latter, you probably need to work on making your risk culture more explicit.

If you need to enhance your captive's risk culture, begin by asking a series of questions such as the following.

  • What is the tone of the organization concerning risk, and how clearly is that tone communicated both up and down through the organization? The larger your captive is, the more likely there are incongruities between the various levels of the company.
  • How is the risk culture communicated to employees, policyholders/members, and vendors? Does your captive have a corporate values statement, a code of conduct and ethics policy, a committee charged with oversight of risk activities, a risk assessment process, reporting of key risk indicators back to management and the board, and processes and reviews that reinforce this risk culture?
  • Can each of your employees describe what a "good risk culture" in your captive looks like?

Captive leaders who need further evidence of why a healthy risk culture is so important may want to read the following two articles: "Risk Management Practices Cannot Be 'Bolted On'" by Mark Layton and "Risk Culture and Claim Fraud: A Classic Tale of the Chicken and the Egg" by Christopher Mandel.

The fourth installment of Mr. Wood's blog provides 12 points on which to measure a successful risk culture. As he states, "An effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner." Captive insurers should use these as a reference to measure where they fall along the risk culture continuum, especially if they are considering accepting new risk coverages within their underwriting portfolio.
