RMORSA: Risk Culture and Governance

by Steven Minsky on August 27, 2013 · 1 comment

The National Association of Insurance Commissioners adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As U.S. insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for them to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with International Association of Insurance Supervisors’ (IAIS) Core Principle 16 – Enterprise Risk Management – and much of the ORSA requirements can be fulfilled with the adoption of an ERM framework that addresses:

• Risk culture and governance

• Risk identification and prioritization

• Risk appetite and tolerances

• Risk management and controls

• Risk reporting and communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes.

As defined by the NAIC, risk culture and governance defines roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2010 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board’s role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level. Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. Doing neither is considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk responsibility has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a chief risk officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “risk responsibility” and take the same action they would for other lofty strategic initiatives—that is to say, they take no action at all.

To engage process owners in a risk culture, each business area must take ownership for a subset of the enterprise risks. Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by the Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment. And finally, internal audit ensures adherence to the proper policies and regulatory standards.

Risk culture and governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above.

For more information on engaging process owners, implementing a standardized risk assessment process, and reporting this information to the board, download LogicManager’s complimentary eBook, Presenting Risk Management to the Board.

Similar Posts:

Steven Minsky is CEO of LogicManager and co-author of the RIMS Risk Maturity Model for Enterprise Risk Management.

{ 1 comment… read it below or add one }

Risk Culture Builder September 15, 2013 at 1:23 am

Addressing the aspect of people risk is the only way an organisation can improve the way their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

To start the process of Risk Culture Building, an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation. Various attempts have been made to do this and generally most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score which is linked to a perceived level of maturity. In some cases organisations call in consultants who use an interview process combined with some of the attempts already mentioned, the outcomes are then debated and agreed upon by consensus with the client.

Although most inputs in any kind of culture maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes also fail to identify specific weaknesses or action plans. There is also no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, this in itself also contributes to most consolidated assessment results ending up at mid-point.

In an attempt to improve the accuracy of these kinds of assessments, Genius Methods; a leading UK consultancy in governance has recently developed and launched an on-line assessment tool. The tool uses sets of questions focused on six operational areas within the risk management discipline:

Policies
Processes
People and Organisational Design
Reporting
Management and Control
Systems and Data

One or more of the questions in each operational area is linked to a specific level of risk culture maturity in the defined 5 levels of risk culture maturity. The questions are not in any kind of sequence which relates to the different levels of maturity and the user can also not see the underlying mathematical calculations, thus the assessment process cannot be manipulated and the outcome cannot be predicted by the user. Various combinations of reporting of the outcomes are produced, but the most important aspect, other that the accurate measurement of the level of maturity; is that by comparing the maturity levels in each of the six operational areas, the organisation can pinpoint the areas in which improvement is needed and focus their action plans accordingly.

The five levels of Risk Culture maturity have been defined in the assessment tool as follows:

· In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
· In a typical risk culture, people will do the right things when risk policies and controls are in place
· In a good risk culture, people will do the right things even when risk policies and controls are not in place
· In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
· In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation

Leave a Comment