The culture of a business can be easily observed in the statements and policies of top management and in the behaviors of management and employees. But to truly understand the culture of a business you need to know the shared embedded assumptions that are the real drivers of company success or failure. Those embedded assumptions will explain the discrepancies between the mission statement and the actual decisions made by a company, according to Edgar Shein.
The risk management culture for an insurer consists of the ERM policies of the group and the practices of management and employees in measuring and mitigating risks. These topics are covered in other postings in this series.
A healthy risk management culture will usually have training programs to make sure that managers, supervisors and other employees are aware of the risks and the risk management programs of the firm.
The ERM culture is often best supported by one or several members of a risk management team who have experience and training in risk management and who keep that expertise up to date with their own training and continuing education activities.
Finally, a healthy risk culture will be action oriented with a priority for risk management processes that lead to decisions and actions rather than just discussions.
The risk management culture also includes the sometimes unspoken assumptions about risk taking and risk management. These determine the way in which risk management is actually performed and the risk output which it provides the firm.
Most often, the unspoken assumptions of a risk management culture can be traced back to one of four fundamental attitudes about risk.
The four risk attitudes are:
- Pragmatists, who believe that the world is uncertain and unpredictable
- Conservators, whose world belief is of peril and high risk
- Maximizers, who see the world as low-risk and fundamentally self-correcting
- Managers, whose world is moderately risky, but not too risky for firms that are guided properly
Impact on Risk Strategy
Each risk attitude would favor a different basic risk management strategy.
This is the most traditional form of risk management; it seeks to identify and mitigate the firm’s most significant risks. Commonly practiced by nonfinancial firms, loss controlling also applies to financial risk; examples include the careful underwriting of loans or insurance policies, as well as the practice of claims management. Risk management of this sort is not new—but the inclusion of an aggregate, firm-wide view of risk is a relatively new development that could be termed loss controlling ERM. This type of ERM is favored by conservator firms.
A newer form of risk management, this approach arose from bank trading desks and the insurance industry. Risk trading focuses on getting the price of risk correct— which leads to sometimes complicated models of risk, reward and economic capital. While a risk trading strategy can be applied on a transaction by-transaction or other “siloed” basis, establishment of a consistent risk valuation on a firm-wide level is risk trading ERM. This type of ERM is favored by maximizer firms.
Under this strategy, the ideas of risk trading are applied at a macro level to the major strategic decisions of the firm. Here, rather than focusing on the proper price of risk, the question becomes one of how much risk the firm should take—and how to steer the firm in that ideal direction. By its very nature, this is an enterprise-wide approach. Perhaps this is why some seem to think that only risk steering ERM is “real” ERM. Risk steering ERM is highly favored by academics and consultants; manager firms tend to find it appealing, but firms that hold any of the other three strategies generally do not.
Spreading risk exposures among a variety of different classes of risks, and avoiding large risk concentrations, is another traditional form of risk management. Formal diversification programs will have targets for the spread of risk with maximums and minimums for various classes of risks. The newer ERM discipline adds the idea of interdependencies across classes, providing better quantification of the benefits of risk spreading. Pragmatists tend to favor diversification because it maximizes their tactical flexibility, but they avoid reliance on any particular risk mitigation process and often mistrust quantitative measurement of diversification benefits.
In reality, firms will typically use one or more methods. Companies using a risk steering strategy will almost certainly include diversification as part of their toolkit.
Risk based regulatory capital regimes, such as Solvency II in Europe, makes it ever more important that companies adopt a diversified approach to risk taking.
Already we have seen a number of re-structures which bring the majority of group risk onto a single balance sheet.
This allows for maximum diversification benefit under the standard formula and provides for more efficient centralized reinsurance purchasing.
Robust Risk Culture
Risk-based frameworks are resulting in increased scrutiny of risk culture by regulators and rating agencies.
Many consultants also suggest that a robust risk culture is highly important but in most cases go on to describe that culture in highly limited terms of just the policies and required activities of the risk management system.
Willis Re would suggest that a robust risk management culture may require much more from top management than simply developing ERM policy in line with board-defined risk appetite.
Regulators may see little value in a sophisticated looking ERM policy if risk culture appears to be weak.
Ideas that are often associated with a robust risk culture such as accountability, transparency, ethics, openness to bad news and proper alignment of incentives are values that firms need to succeed in the long run and not particularly unique to risk management.
All firms may be well served to make sure that these values are a part of their culture and in the current climate of enhanced scrutiny of risk management programs, to effectively demonstrate this to stakeholders.
Article authored with David Simmons.