Your Risk Management Magazine
Risk management in practice: risk culture at IAG

Font size : + -

email print

When Risk Management magazine contacted us in April “looking for someone to tackle the issue of risk culture”, our initial response was a mixture of trepidation tinged with opportunity. Having devoted significant management effort toward exploring the behavioural dimensions of risk management we would wish to make it clear at the outset:

• We have a better understanding of our risk management “culture” now

• We can see the linkages between a proactive risk management culture and behaviours and competitive advantage

• Like others engaged in the journey, we have a long way to go, but we consider it to be a worthwhile and rewarding journey

IAG’s risk culture journey over the last few years has developed in an environment of IAG reflecting on its core purpose, company values and strategic direction. Measuring and pricing risk is a fundamental part of IAG’s purpose so it was clear that the culture strategy needed to have a strong measurement component both to be effective and credible in this metrics focused business. It is not enough to simply aspire to improving the culture via leadership communication, policy statements and training programs. Moreover, measurement of the cultural/behavioural aspects of risk management would need to be incorporated into standard reporting processes for it to be subject to the disciplines and proper scrutiny of management. That is, risk culture needed to be central not an-add on to business activities. With these thoughts in mind the following describes our journey to date.

Getting traction

The demutualisation of the company in 2000 and subsequent organisation structure changes laid the foundations/conditions for cultural change across a wide spectrum of areas. The risk management & compliance and the audit committees were formed and the following year in 2001 Mike Hawker was appointed CEO and Tony Coleman chief risk officer. By 2002, IAG had grown to be the largest general insurance group in Australia and New Zealand employing over 8,000 people. Risk management had a place in IAG operations but it was not yet pervasive.

However, impending sweeping regulatory change in the form of a new prudential regime (APRA) and new consumer protection regime (ASIC) created the “business case” for a fundamental reassessment of IAG’s risk management and compliance frameworks. Indeed, the beginnings of the risk management cultural shift can be linked to IAG’s project to implement ASIC’s Financial Services Reform (FSR) legislative framework, spanning a 3-year period from 2002 to 2004.

Like so many organisations, we began by treating FSR as a compliance project. However as we approached “go-live” for the personal lines direct business we realised that FSR was, in fact, a change management project. Having (somewhat belatedly) made this discovery, we proceeded to recruit a “change expert” to work as a consultant to the project. This person (one of the co-authors of this article!) had to move very quickly to work with the project team and the business to develop strategies, tools and training materials to effect cultural change.

There were significant challenges. For the direct business, coming from the history of the NRMA Insurance mutual ‘help’ mindset, staff voiced concerns about how to continue to give ‘help’ and give good customer service without providing advice, as they had done in the past. ‘right help’ was adopted as the internal marketing brand for the FSR project building onto the NRMA Insurance ‘help’ brand. For frontline staff providing the ‘right help’ meant following the FSR processes both in customer interactions and in putting your hand up if you made a mistake, a requirement of the legislation. For leaders and managers ‘right help’ meant role modelling encouraging behaviours and welcoming reports of mistakes or things ‘not right’. A fundamental aspect of this was providing guidance to managers about how to respond to “bad news”. Similar strategies to address FSR were implemented for the intermediated businesses.

In this way implementing FSR had focused our attention on risk management and revealed the next step we needed to take on our journey. Also at this time, two risk committees were created to oversight our risk management activities. These were the asset and liability committee and underwriting and pricing policy committee. These two forums served to demonstrate executive commitment to driving a culture of risk management ‘from the top’. We clarified the range of risks we needed to manage and included this ‘wheel’ to guide thinking in our risk management strategy.

Gaining Monemtum

Following the implementation of FSR for the direct business we felt that the material we had developed had far wider application than FSR compliance. FSR was not simply about a change in regulations but about promoting and supporting a proactive risk management culture. More importantly, the group’s risk management function decided to create a permanent role focused solely on change strategy and organisation/human behaviour. This appointment created an environment for new thinking to emerge.

Once you start seeing things in behavioural terms rather than a process, you can begin to see “risk management” quite differently. Most risk professionals see risk management as a process – this is reinforced by global standards such as AS4360, COSO, Turnbull (and by regulators). To a degree this is true but this view misses the fact that risk management can equally be seen as a set of behaviors. This simple idea triggered the development of a risk management behavioural model.

At the core are:

• Prevention: Scanning for risks, consciously choosing the risks we want to manage then managing them proactively.

• Detection: Early identification of risks from internal or external sources using the risk monitoring practices and processes.

• Recovery: Managing risks that occur quickly and effectively.

• Continuous Improvement: Using learnings from managing risk situations to plan, monitor and manage risks better in the future.

These core activities influence and in turn influenced by people knowing what was expected of them in their role, having the training they needed to do their jobs and both taking, being held accountable for performance and working in an encouraging environment where they felt comfortable to speak up and report risks or things ‘not right’ including mistakes they or others may have made and managers would welcome this ‘bad news’.

At the same time we were struggling with two separate but related issues:

• A range of different methodologies for measuring risks associated with audit recommendations

• An ongoing challenge associated with having to follow up managers on status of agreed audit recommendations

We were able to solve these issues simultaneously by introducing a common language for measurement (with both quantitative criteria and qualitative criteria) and an IAG-wide performance incentive (bonus component) directed at encouraging managers to implement agreed “red” and “orange” risks with agreed time frames. This applies to all audit and regulator recommendations. This initiative, implemented in 2003, has become part of day-to-day management and life a lot easier for our internal audit function.

IAG conducts a comprehensive survey of its 11,000 staff on an annual basis. This presented an opportunity to the risk management function. Why not convert the risk management behavioural model to a set of questions that could be incorporated into the annual survey? The first set of “risk culture” results was produced in May 2004. For the first time, the organisation was able to objectively measure the health of the risk management culture – in overall terms and at detailed departmental levels.

The logical next step was to use this baseline data to drive risk management performance improvement. This was achieved when the executive team decided to include within management incentives a specific measure to improve the risk management culture. This “score” is a composite of the risk questions.

There was now an opportunity to build onto this initial momentum. We could grow the ‘right help’ brand out of its regulatory focus to support a more proactive approach to risk management. We wanted to create a proactive risk management environment. This latest project uses the tag line ‘its all about being proactive’. A simple scale is used to describe the change in behaviour we want people to make. The colours are aligned with the risk ‘traffic light’ rating system.

It’s all about being proactive

This scale describes the range of responses a person can use in a situation and can be applied to identifying and avoiding potential risks as well as what to do if people see something ‘not right’. We want all people to move towards and operate from the deep green proactive square.

This scale has been incorporated into a tiered learning curriculum covering risk principles and proactive behaviours. These behaviours are also being incorporated into the core risk and compliance curriculum modules such as privacy and trade practices so that people are clear about how to be proactive in their day-to-day roles. Managers are being encouraged to use this scale when discussing behaviours with staff and when coaching performance.

The risk management culture model and processes are integrated with and a prominent feature of the “risk management strategy” which is board approved and an APRA requirement. We now use the culture measure as key lead indicator of risk and control issues. We have examples of the correlation between low risk culture “score” and operational risk losses/incidents. We are finding more issues than we did previously. We consider this a positive measure of the program. As with many change initiatives there is a period of ‘clearing out’ which is both necessary and healthy. We also recognise it takes managerial courage to hold the line while the right behaviours develop. Changing culture takes time.

Taking stock

Multiple levers across the organisation and integrating into the ‘infrastructure’ have been used to lay the groundwork for developing and sustaining our desired risk culture. We have built onto existing organisation wide programs to jump start activities. These activities have been developed through the combined effort of people in the risk and compliance, change and learning functions. We are working on:

• Integrated culture measurement system that includes the following elements:

• Development of tiered learning curriculum covering risk principles and proactive behaviours. This material is presented using business case studies so that people can easily apply the learnings in their day-to-day roles.

• Aligning the risk framework with IAG sustainability framework and workplace safety strategy

• Extending IAG risk measurement frameworks to measure the “difficult to measure” risks such as reputation and cultural risks.

Fundamental was the approach of being joined up. Connections were made because change people worked within the same structure as risk and compliance. Change people had more understanding of the connections that needed to be made and more influence coming from risk and compliance.

Looking to the future

IAG’s focus on measuring the health of its risk management culture was not simply a response to external trends and pressures. Rather, it seemed a natural extension and amplification of the company’s purpose. The traction gained so far reflects the support from the top and acceptance of the importance of these initiatives for the health of IAG. However there is still a way to go developing, embedding and sustaining our desired proactive risk management culture. The major challenges are in completing the change initiatives underway in busy often-distracted businesses, maintaining the momentum and building proactive risk management as a core capability for all people in IAG. For us the journey has only really just begun.

Peter Sutherland is Head of Group Risk & Compliance, IAG, and Dr Katarina Hackman is Senior Manager Change Strategy in Group Risk & Compliance, IAG

  • Bookmark & Share
go back
Your comment
Risk management is the place for positive industry interaction and welcomes your professional and informed opinion.
eNewsletter

Breaking news, video interviews, opinion and analysis delivered straight to your inbox. Subscribe now
Categories

Home   |    Advertising   |    About Us   |    Contact Us   |    Privacy Policy  

© 2012 Key Media Pty Ltd.