Risk Culture: What It Is and How It Affects an Insurer's Risk Management

• DOI: http://doi.org/10.1111/rmir.12025
• Published date: 01 September 2014
• Date: 01 September 2014
• Author: Angela Zeier Roeschmann

Risk Management and Insurance Review

C

Risk Management and Insurance Review, 2014, Vol.17, No. 2, 277-296

DOI: 10.1111/rmir.12025

RISK CULTURE:WHAT ITISANDHOW ITAFFECTS

AN INSURER’SRISK MANAGEMENT

Angela Zeier Roeschmann

ABSTRACT

This article conceptualizes risk culture and sheds light on the role it plays in in-

surers’ risk management frameworks. The article follows a cognitive, dynamic

approach, arguing that risk culture is the product of organizational learning

about what has or has not worked for it in the past. Within their local context,

the members of a group learn which of the typically centrally prescribed formal

risk management policies and procedures and which espoused risk philoso-

phies actually work in practice in the sense of behavior that is formally or in-

formally encouraged or discouraged, rewarded or punished. While the formal

risk management framework defines which processes to use, which limits to

obey,and which values to aspire to, it is the risk culture that defines which rules

and norms are perceived to be rational and important. The insurance literature

commonly argues, and practice suggests, that it is necessary to achieve consis-

tency in order to effectivelyembed risk management. Nevertheless, inconsistent

basic assumptions at the deepest level of risk culture are a likely feature of local

subgroups. However, what is rational and efficient to one subgroup might be

random and dangerous for the organization as a whole.

INTRODUCTION

Risk management is accomplished by people, by what they perceive, think, say, and

finally by what they do. While much work has gone into measuring and modeling

credit, market, and underwriting risk, operational risk and governance (the two aspects

most associated with culture and behavior) still seem to be least tangible. Power (2009),

for example, argues that “rather than vague demands for improved risk culture and

governance in financial institutions, risk appetite should be recognized as a dynamic

construction involving values and the situational experience of a multitude of orga-

nizational agents” (p. 854). In a case study of European-based insurance companies

Acharyya and Johnson (2006) find that the current Enterprise Risk Management (ERM)

systems of the studied insurers take an overly deterministic, technical view, excluding

most subjective issues. Consequently,these companies exhibit difficulties incorporating

cultural values in designing risk management policies and procedures, as a consequence

This article was subject to double-blind peer review.

Angela Zeier is with the Zurich University of Applied Sciences; e-mail: zeie@zhaw.ch.

277

278 RISK MANAGEMENT AND INSURANCE REVIEW

of which these authors find, for example, “serious misunderstanding of what ‘all risks’

among staff from different disciplines” means (p. 11).

In the aftermath of the 2007–2009 financial crisis, many questioned how the sizes of

losses experienced were possible in the face of sophisticated risk management systems

and models. Whether risk was handled appropriately was argued to be more a matter

of culture than of the specific deficiencies of the formal risk management framework,

and the term “risk culture” emerged. Many institutions pointed to the need for (a bet-

ter) risk culture. The Committee of European Insurance and Occupational Pensions and

Supervisors (CEIOPS) emphasized, for example, that undertakings need to “ensure an

organizational culture that enables and supports the effective operation of the system of

governance . . . with the administrative or management body and senior management

providing appropriate organizational values and priorities” (CEIOPS, 2009, p. 10). Sim-

ilarly, the International Institute of Finance considered risk culture as a main enabling

factor for effective risk management and recommended that a robust risk culture be

developed that is “embedded in the way the firm operates, covering all areas and activi-

ties, with accountability for risk management being a priority for the whole institution”

(Institute of International Finance, 2008, p. 9). Management consultants and industry

institutions often point to culture as a potential operational risk and an important aspect

of corporate governance (e.g., COSO, 2004; Deloitte Development LL, 2009; Institute of

International Finance, 2009; Organisation for Economic Co-operation and Development,

2011).

Although the recognition of culture as an operational risk and the calls for a sound risk

culture are frequent, what risk culture is and what role it plays in the risk management

frameworks of insurers still remains rather vague. This gap prompted the research aims

of this article: to conceptualize risk culture and shed more light on its role in the risk

management frameworks of insurers. This article integrates insights from organizational

culture with risk management research and practice. The argument is that the formal

and informal elements of an organization’s risk management system interact. While the

formal risk management framework of an organization defines the processes to use, the

limits to obey,and the values to aspire to, its risk culture determines, in essence, how risk

management is actually lived. In the words of Schein (2010), “a set of values that becomes

embodied in an ideology or organizational philosophy . . . serves as a guide and as a way

of dealing with the uncertainty of intrinsically uncontrollable or difficult events” (p. 27).

With culturebeing an abstraction that mostly operates outside of awareness, the absence

of a better understanding limits the effectiveness of risk management frameworks.

Power (2009) even argues that “we have fallen prey to a legitimacy-driven style of risk

management which has been extensively institutionalized and globalized . . . and . . .

the people side of risk appetite has become lost in the procedural detail of organizational-

specific internal control, compliance and accounting systems” (p. 854).

The remainder of this article is organized as follows. The second section reviews orga-

nizational culture in the ERM and insurance literature while the third section discusses

how culture is used by the insurance and risk management industry.The fourth section

takes a step toward conceptualizing risk culture through a matrix of findings fromthe re-

search on organizational culture and elements of the 2004 risk management framework

of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The structure and role of risk culturewithin risk management frameworks are discussed.