Risk Culture In Insurance Enterprises

In recent weeks the subject of risk culture has been on everyone’s lips. How do we measure, improve and control it? While broad brush statements about the need for a “good” risk culture abound, few people can actually define what they mean by it, let alone root their ideas back to a sound theoretical underpin. Today, risk culture is typically used in reference to the behavior of an organisation towards risk taking.

Definition of Culture

The best place to start would be the definition of culture. Instead of making one up, let’s seek guidance from the discipline that concerns itself with the study of culture – anthropology.

One early definition was given in 1897 by Sir Edward Taylor, “[c]ulture or civilisation taken in its broad ethnographic sense, is that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society.

While providing a good background, this definition is too general to have a practical application in risk management. In fact when we talk of culture we tend to focus on the status and relationships between individuals in our working environment and how that affects decision-making. The wider society that we inhabit, while having an impact on the risk culture in our workplace, is too wide a target to score off even for the most ardent CEOs.

There are however sub-divisions in social anthropology that address the type of issues that concern those involved in the risk management of insurance companies. Since these disciplines study the diversity of positions and perspectives within social groups, their skill set can be useful to us in understanding our organisations.

Risk Management System

Insurance CROs often think of risk culture as they design the Risk Management System. Here, risk culture is often portrayed as a coloured box to be found in a multi-coloured scheme reflecting a consultant’s flavor of risk management framework. But these graphical representations can be misleading and almost seem to erroneously suggest that risk culture can be done to an insurer. Done in the sense that, as long as a work-stream is kicked off with a project manager, a Gantt chart, milestones and a small army of contractors or consultants, risk culture will happen.

Our experience of working with anthropologists to understand the nature of culture suggests that an effective risk culture will not be created using this type of framework. Before moving onto discussion of what risk managers should do in insurance companies, there are two misconceptions about risk culture that we would like to address.

Culture as the individual or the collective

The first misconception is the belief that the individual is in some way the central unit of study in a culture. This misconception is reinforced by some papers and presentations on risk culture that, in our view, make this mistake.
The definition we shared above from Sir Edward Taylor above mentions the complexity of the interactions between individuals. Contrary to general beliefs, risk culture emerges from this complex net of interconnections, and the flow of information along these interconnections. While most individuals will propagate culture through their actions some will influence it more than others – and culture, in return, will impact the individual at some degree. So what we end up with is a complex symbiotic relationship between the individual and the culture in which he or she is embedded.
What we have in essence is a complex system – technically a complex adaptive network. One thing science knows about these networks is that you cannot understand them just by looking at the behavior of the individual elements – we need to look at the emergent behavior of the system as a whole.

How many cultures are there?

The next misconception we would like to address is that there is only one culture within an organisation. The risk culture box can suggest that there is just one of these and that it can maybe uniquely identified – somehow – using a highly subjective real number disguised as a risk culture index.

In reality, our findings as well as those of social anthropologists and clients, suggest that there are multiple diverse cultures within each organisation. One might come to the same conclusion by reflecting on his or her own experience. Indeed, some parts of organisations feel hierarchical and some are more entrepreneurial. On the more negative side, we all have probably witnessed cliques developing in organisations (not just our own), or groups suffering alienation. Also, we seen how when things go wrong in an organisation, good intentions to cooperate and work in harmony can turn to a blame-game, especially between groups of opposing views.

The pervasiveness of patterns such as hierarchy, entrepreneurship and cliques throughout the social structure of humankind means that this has been very well studied and we find that social anthropologists already have well developed theories for explaining these patterns and their inter-relationships. We conclude, therefore, that there is not one homogeneous culture to the organisation (in a sizable one in particular) and that an organisation will – inevitably – be a collection of sub-cultures. Understanding the organisational culture – let alone doing anything about it – requires an acknowledgement of this diversity and a way of recognizing the recurring patterns that have been previously identified by the social anthropologists.

Is there such a thing as risk culture?

We’ve discussed culture so far but before we move on it is worth pausing a moment to think if there actually is such a thing as risk culture at all. We note that senior managers often refer to organisational culture as risk culture and there are other types of culture which we may struggle to see separately from organisational culture.

There are parts within an organisations where innovation and creativity are the most valuable commodity – obvious examples are product design, strategy and marketing. Professionals and academics concerned with the generation of new ideas and products are prone to refer to this as the innovation culture of an organisation. By this they mean the ability of organisations to innovate new products and come up with new ideas. We could describe this as, ‘the ability of an innovation narrative to operate and influence the decision making process of the organisation.‘ In this framing we can think of risk culture as the risk (or uncertainty) awareness within the organisation. Using an analogous description to the above we could define risk culture as, “the ability of a risk and uncertainty narrative to operate and influence the decision making process of the organisation.” We may therefore argue that risk culture and innovation culture are two emergent properties of the overall organisational culture.

Right Culture in the Right Place

Picking up on the concept of these two quite separate sub-cultures we could consider the idea that the organisation culture is a portfolio of sub-cultures. We don’t mean this in a passive way (a fact of organisational life); instead, we argue that this portfolio of sub-cultures is actually essential to the well-being of the enterprise.

From a naïve point of view one might suspect that risk managers should see their objective as ensuring everyone in the organisation is thinking about risk in everything they do. Surely then they can truly be said to have cultivated risk culture in their organisations. But we might argue that this path of good intentions could also lead to an adverse outcome if the avoidance of risk becomes an objective in its own right. Such an outcome might take the form of slow decline in run-off or acquisition by a consolidator, rather than the loud pop of a high profile corporate insolvency.

Let us take the example of the product design team. Having a team of over-cautious risk managers as your creative epicenter is likely to result in, well, a distinct lack of creativity. An area such as product design will want to promote creativity and will necessarily be less focused on risk and downside. They will focus on upside potential, opportunity and how to move real options into the money. However the risk function most certainly does need to uncover all the risks in the product design and express its view on what could go wrong.

But in other parts of an organisation an innovation culture can be quite destructive. The finance team at ENRON, for example, were infamously creative – operating as a highly innovative profit center and applying their creativity to financial accounting. Hence, an internal control culture is more likely to be desirable for an accounting team. Having said this, an innovation culture directed at more efficient systems and processes is clearly to be encouraged within a finance function – which rather underlines the difficulty we have in neatly packaging up what is good culture and bad culture.

Balancing Cultures

But how do these different cultures interact when it comes to decision making? We argue that the risk culture vs. innovation culture dialogue needs to take place in the debating chamber of the boardroom where the opportunities for innovation can be compared and contrasted to the risks and dangers that such innovation entails. The important point is not what the decision is – as this is subjective and will depend on the risk appetite of the board and of the executive. The important point is that the both facts and uncertainties are also laid out for the board and executive to see and understand.

A successful risk culture could therefore be seen as the ability of the risk and uncertainty narrative to be given equal prominence at the boardroom table to other perspectives such as the innovation and opportunity narrative.

What can you do?

So what can you do as a risk manager to influence the risk culture of the organisation? We will look at two things you can (and in our view should) be doing to get some handle on the culture in your organisation, how it treats the risk and uncertainty narrative and how you might start to think about shifting the risk culture – should that be the appropriate course of action. So we will look at the following:

  1. Measurement of risk culture
  2. Changing the (risk) culture

Case Studies

First though let’s make an aside on case studies. We are told by some CROs that examples of what has worked in other places before – “Case Studies” – are the most helpful. We certainly don’t deny that case studies are instructive but we note that case studies show what worked (or didn’t work) for a particular organisation in a particular situation at a particular time. While there are common themes emerging from case studies which are useful, we don’t believe you should start operating until the physiology of the particular patient in question has been studied and diagnosed.

Complex adaptive systems (as we argue cultures are) have a knack for kicking back with unintended consequences – so we argue that the more information the CRO has about the cultural map of his or her organisation, the better armed the CRO will be to make or propose changes that could influence the culture in the desired way.

Measurement and Diagnosis

The first thing to do is to try to measure or diagnose the culture of the organisation. This sounds incredibly hard and time intensive – and indeed it could be so. But it is in fact possible to get useful insights into the cultural map of an organisation from an online questionnaire using very little of employees’ time – only if, of course, one knows what to ask and how to interpret those answers.

One way to make rapid progress is to sample staff’s perceptions of the way different activities are carried out in their part of the company. This can be achieved by asking people to indicate whether activity tends towards either of two statements, such as “there is a well-established process which is used to regularly identify risks” vs. “the time that is spent identifying risks is governed by the nature of our work and the timescales for completing it”. Framing the questions in this manner enables you to elicit an understanding of the emergent behavior of groups and sub-groups within the company, rather than the inherent individual motives, and to diagnose the cultural behaviors rather than simply judging them. This type of granular approach helps to uncover cultures within sub-groups which are somewhat different to the norm, and can help CROs (and indeed has helped some of our CRO clients) to diagnose particular areas, or sub-groups, where there is a clash between the way people like to work and the things they are being asked to do.

Changing Risk Culture

The next thing that a CRO might want to undertake is to change culture in a way so as to make it better reflect the risk and uncertainty narrative.

We argue that the CRO should use his or her cultural map to identify areas of concern where the risk and uncertainty narrative is struggling to be developed – or struggling to be heard in the decision making process of the organisation. We also argue that the culture – as enacted through the behaviors of the staff in an organisation – has a symbiotic relationship to the processes within the organisation.

In other words the processes that are followed by the staff influence the observed culture – and also the culture feeds back to influence the processes that the staff will follow. The solutions to changing the culture will therefore be multi-faceted and depend on both:

  1. the existing culture of the organisation as manifested through the observed behaviors of the staff;
  2. the processes that the staff are following.

Possible changes could be:

  • Staff training;
  • amended governance procedures;
  • enforcement of existing governance procedures;
  • amended processes;
  • enforcement of existing processes;
  • recruitment of new skills to the organisation.

Which of these are appropriate to try will depend on the culture diagnosis of the organisation and the (current) understanding that the CRO has of the organisational culture and processes. We used the word current deliberately because we are dealing with a complex adaptive system. We would suggest that the CRO should try one change first and then re-profile the culture to determine how it had (or had not) been shifted.

The feedback loops and complexity can lead to the culture changing in some unforeseen ways. This will help the CRO better understand how the organisation operates and evolve the culture in a more gradual way that does not throw up too many unintended consequences.

The difficulty in executing each change will also depend on the task – and the culture of the organisation.At the easier end of the spectrum it may involve time investment from different parts of the organisation not currently bought into the Risk and Uncertainty narrative. In this case the winning of hearts and minds will be important and this will mean helping other parts of the business see value in a risk and uncertainty narrative. At the harder end of the spectrum personnel changes or recruitment in other areas may be the obvious solution. Such difficult decisions require a broader consensus of agreement at senior management level and a CEO who is seeing value in the risk and uncertainty narrative enough to make some hard choices or release budget to recruit new skills into the organisation.

Changing Risk Culture Recap

To summarise we argue that culture is bifurcated into two dimensions:

  1. the behaviours of the staff
  2. the processes they follow.

In order to change the culture we need to consider which of these needs to be (or indeed can be) changed to best effect the desired change in culture. Where behaviors are deeply rooted and would take a great deal of effort to change – or indeed a change in personnel is required to change behaviors – then a change in the process is a way forward. Practically this means setting different tasks and altering the process that the staff member(s) follow. Where processes are more fixed – perhaps due to regulation or the wider organisation – then behaviors are a more natural area of focus and techniques to help staff members reflect and take a new perspective will be useful. There will be some extreme instances where behaviors and processes are both rigid and in these cases more drastic action will be needed, such as changes in personnel (changing behaviors) or winning over stakeholders in the wider business / government (changing processes) – both of which will be disruptive. Then the question will become whether the desire to change the culture outweighs the disruption.

However, often both processes and behaviors will have some degree of variability and in these cases some relatively easy adjustment can influence the culture in the desired direction. It is quite common, for example, to find sub-groups within organisations who culturally tend to shy away from rapid disclosure of “problems”. It is also common to have others who disclose concerns quickly, possibly too quickly. A risk framework relying on front line disclosures will be inconsistently applied where these cultures exist. A CRO who is aware of this can make small modifications to the framework, such as moving to more evidence-based reporting compared to self-certification, in areas where disclosure is difficult. The important result from assessing culture is to reach an understanding of which processes and which behaviors fit together so the CRO can finesse the framework design to have the best chance of achieving the desired outcome. We argue it is dangerous to simply “benchmark” against a mythical gold standard which assumes people all behaving the same way will achieve the best outcome.


In this article we show how understanding and changing the risk culture of an insurer needs a different perspective from that we are used to in traditional actuarial work. We explained our view that organisational culture is a portfolio of sub-cultures of which risk culture is just one. We argued that a successful risk culture was one where the risk and uncertainty narrative had an equal voice at the boardroom table with other important sub-cultures, such as the innovation sub-culture. We shared some ideas with which we have successfully helped some of our CRO clients to understand the risk culture in their organisations using short questionnaires that their staff members have found easy and quick to complete. Finally we shared some ideas on how risk culture can be altered and how the process needs to be carried out step by step with a focus on one, or both, of the processes and the staff behaviors. We argued that care needs to be taken to attempt cultural change in a step by step way, due to the complex interactions that can lead to unforeseen consequences.

The following two tabs change content below.

Elliot Varnell

Consulting Actuary at Milliman
Elliot Varnell is a consultant Actuary working in London for Milliman. He advises firms in the areas of Enterprise Risk Management, Economic Capital and ALM and is a regular speaker and article author on these topics. He is Chair of the ERM Research and Development Committee of the UK Actuarial Profession and also serves on the governing council of the UK Actuarial Profession.

Latest posts by Elliot Varnell (see all)

One Comment

  1. Without risk, there is little reward. As frightening as it can be, it’s important to adopt a risk managemet, rather than risk avoidant culture. When everyone in the company is watching for risk mitigation, you’ll be more likely to take smart, rewarding risks.

Leave a Reply