While any self-respecting (re)insurer would not be taken seriously without a risk management process that established a Risk Appetite, set Risk Limits, and carefully managed potential aggregations across various factors and product lines, there is one area in which it can be somewhat harder to discern a company’s approach- namely, its Risk Culture, whose purpose should be to ensure that the enterprise not only survives, but prospers and achieves its objectives.
Unlike Mission Statements, articulations of Risk Culture tend not to be published, so one is often left guessing. What is also interesting is that formal definitions of what a Risk Culture is tend to be value neutral- for example (from RIMS) : “values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose…”; which begs the question of what such a statement can be expected to clarify or signal, other than some commonality.
In reality, of course, any such statement is pointless without an overlay of judgement, as well as effective transmission both within and external to an enterprise where appropriate- and its content has to be applied.
So, how does one inculcate and embed a Risk Culture?
Firstly, the tone has to be set at the top, as a Risk Culture is a sub-set of an entity’s overall culture (and, in fact, co-dependent with it): it amounts to a “soft” control. If the consistent behaviour of a Board and senior managers does not set an example, it is naïve to expect that anyone else will pay much attention. The individuals responsible have to have a clear idea of the standards they expect to be adhered to, including by themselves, and a mechanism for ensuring that they are adhered to.
Secondly, expecting that individuals will all act ethically and appropriately at all times in the absence of factors other than their innate sense of what is “right” can be misguided: not because anyone should be considered amoral a priori, but rather because external factors and influences are important. “Good” people can do bad things and still consider themselves “good” because their value judgements have been influenced by factors such as fatigue, the “slippery slope” from minor to more serious transgressions, misplaced organizational loyalty, or inappropriate incentives. Therefore, the rules and goals of what is acceptable or expected have to be obvious, even if they are not set out in detail.
Thirdly, how the “culture” is safeguarded and transmitted is also important. In a (re)insurer, this responsibility will usually be assigned to the CRO, who will need to employ different approaches depending upon circumstances, because no single technique will be sufficient. So, the CRO will need to coach and build relationships; offer expert advice; be a steward of culture and ethics; and be willing to challenge decisions or behaviours that may adversely impact the entity’s success or reputation. Therefore, the role, particularly in a large, complex organization, is a demanding one, requiring a broad range of skills and attributes.
Everyone likes to believe that their organization’s Risk Culture is “fit for purpose”, but this can be difficult to demonstrate, as the concept can seem rather amorphous. As Andrew Bailey, Chief Executive of the FCA commented; “Culture is “everywhere and nowhere”… [it is] an outcome more than an input”
At Awbury, we are fortunate to have, in essence, grown together as a cohesive unit in building our business and franchise. We all interact frequently and comprehensively, and so are direct custodians of each other’s actions, individually and collectively. Given that our reputations and livelihood are inextricably and directly linked to the group’s continuing success, we believe that our culture and Risk Culture have become innate and inseparable. Of course, being Awbury, we would never assume that our approach is “the best”, nor that we should consider it immutable. However, we do believe that it is fit for purpose.
The Awbury Team