Recently Paul Fisher of the PRA gave a speech titled “Regulation and future of the insurance industry”. In it he says:
“Solvency II will introduce an enhanced system of governance standards – promoting the embedding of a strong risk culture, demonstrable within the day-to-day operations of insurers.”
Risk culture is big in risk management now. Prudential regulations started off being directive-based, then evolved to principles-based regulation. Post-GFC we have moved beyond principles to risk culture. While companies and consultants talk about it, it is an ethereal concept.
A system of governance standards is certainly very useful as it gives a common set of principles for risk processes, policies and reporting that should exist. Rules and limits are also useful where management have requirements that are NOT subject to personal judgement. But can you “implement” risk culture?
To me, risk culture exists where the organisation and people value and exercise traits such as prudence, inquiry, transparency and critical thinking. Risk culture makes standards effective. Sure, standards can help with risk culture by requiring that people do things like getting models reviewed and approved. However, if people do these things only because of standards, then the standards haven’t really created good risk culture…