Wednesday, 24 June 2015

CRO Forum on Risk Culture - comin' from the body heat?

Risk Culture
- need another hero?
A subject which is gathering more steam than Tina Turner's windows, Risk Culture has been given the kid gloves treatment by the CRO Forum in their paper, Sound Risk Culture in the Insurance Industry.

They say at the start that the topic has become "prominent in regulatory circles", which given EIOPA appear to be wining and dining the subject (here and here in the last couple of weeks alone), is something of an understatement. Their increased interest has no doubt been fuelled by the FSB's work on the subject from a year ago. In addition, the Financial Reporting Council took a shine to the topic in its last update of guidelines in late 2014 (point 27 in particular), while cultural failings have turned the FCA into a modern day Robin Hood (speech from inception time here).

As well as fiddling around the edges of definition, the paper expands on a few examples of where cultural change can be driven from, stealing from a few other industries (aviation in particular) and a couple of insurers (Zurich receiving particular attention).

They fundamental base they work from is pretty fair:
  • No "good" or "bad" culture, hence they talk about practices that encourage a "sound" risk culture throughout. Given that ropey culture does not necessarily prevent the achievement of strategic goals, this smart.
  • No "one-size-fits-all" concept of Risk Culture (i.e. don't look for one in this paper!)
That said, the definition used for the purposes of the paper from the NN Group CRO is actually a pretty good one - "shared philosophy of managing uncertainty" etc - though it does suggest that a failure in risk culture might simply be someone not sharing the philosophy, which I suspect is where a lot of your more pragmatic colleagues sit!

There are a number of sound inclusions throughout;
  • Emphasising the links between risk culture and conduct risk currently being force-fed to the industry by EIOPA (p3)
  • The chart on p6 showing survey results of essential elements of risk culture - senior management and Boards leading by example is evidently seen as more important than risk-based remuneration, despite the legislative attention the latter receives (including this week in the UK).
  • Zurich's internal 10 question survey on culture assessment - contains the gorgeous expression "organisational humility", as well as bringing some of the granular risk culture elements onto the table, such as treatment of whistleblowers.
  • Highlighting the "common phenomenon" of management teams containing people with the same personal attitudes - could benefit the creation of a "shared philosophy" without necessarily any of the benefits.
  • The illustration of NN Group's "Risk Culture Dashboard" (p11) - I don't have preference for it either way, but it does illustrate how much effort one can direct towards risk cultural identification, assessment and monitoring, which begs the question "is there that much value in it?" They seem to like it as a way of covenying the concept in the business in any case.
  • Pages 13-14 provide some good brain candy for those who have ambitions to educate or brief their colleagues on risk cultural matters. Zurich's "we are all risk managers" campaign looks like it probably has legs (more on it here).
There are a couple of mildly objectionable parts within;
  • Concepts of "Risk Vision" and "holistic" dropped in early doors and littered throughout, as well as a few extras such as "risk perspective" - the kind of obtuse terminologies which serve to divorce Risk functions from their colleagues
  • That firms should have a "clear vision" for their risk culture - why would something as opaque as culture be expected to be "clear". They don't even define it as a term in the paper!
  • Concerned that risk culture is "...only practiced by risk specialists" currently - how can this be if risk culture is " element that influences and is influence by various forces"?
  • Tha an organisation's corporate culture and risk culture "must be linked" - how are they not one and the same thing?
  • That Risk Appetite Statements are "effectively part of the business strategy" - as opposed to "actually"?
  • Use of the term Risk Profile as if it is unquantifiable, specifically that a firms who learn from their mistakes rather than chastise those who make them "tend to have a better risk profile". Not clever.

No comments:

Post a Comment