Regulators urge insurers to build deeper risk cultures to drive the right risk behaviors.
Traditionally, ‘risk’ within insurance is seen as solely the domain of the actuary. This is no longer the case.
As financial regulators take a heightened interest in insurance company risk management, they note that insurance risk cultures should be based on sound, articulated values and be carefully managed by company leadership. They opine that insurers with a strong risk management culture and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.
Risk culture can be described as the way in which decision-makers at all levels within an insurer consider and take risks. However, defining risk culture, and establishing a sound risk management framework, is a considerable challenge.
Traditionally, ‘risk’ within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never even acknowledged that there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity.
In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks amongst employees, and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified.
Perhaps more importantly, individuals are not measured or incentivized on risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable.
Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling, or marketing messages that over-promise benefits.
Compliance reporting, for regulations including Solvency II and International Financial Reporting Standards (IFRS), can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place, and being adhered to, and fail to produce accurate reporting that paints a true picture of the business.
Consequently, regulators are demanding more risk-sensitive capital regimes, as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement, better assessments of risk management frameworks and risk culture, and expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.
There are three important questions to help insurance companies improve their risk capabilities:
An in-depth evaluation involves close scrutiny of risk and compliance policies and past interactions with regulators, along with detailed observations of staff behavior at all levels. Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring, across different departments and locations.
To build an effective risk transformation program, an insurer should aim to build a culture aligned with strategy, values and risk appetite. It needs to detail actions to address any gaps in current risk management practices; actions that are specific, owned by an accountable executive, subject to time limits and have relevant success indicators.
Insurance companies with strong risk cultures are likely to exhibit four key characteristics:
Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bring frameworks to life and to ensure adherence to policies. Once this has been achieved, all employees – not just actuaries – will be able to say that they are risk managers.