Remarks by Director of Insurance Supervision, Sylvia Cronin, at the Association of Compliance Officers in Ireland (ACOI)

18 January 2017 Speech

Insurance

Good afternoon ladies and gentlemen.  I would like to thank the incoming Chairperson of the ACOI, Clive Kelly, for his invitation to speak with you here today.  I welcome this opportunity to talk to you about the role of Culture in Insurance Supervision within the Central Bank of Ireland. 

Culture comes in many shapes and forms and we can give it many labels like organisation culture, corporate governance culture, risk culture, conduct culture and so on.  However, put simply, culture is the consequence of our attitudes and behaviours.  It is the way we think, act, speak to each other and make decisions, sometimes subconsciously.  A culture can often determine if a person will engage in effective or ineffective behaviours when nobody is looking.

Our role in prudential supervision is to ensure the prudential soundness and resilience of the balance sheet; building an awareness of, and assessing the cultures and behaviours of the companies we supervise, is an element of forward looking supervision.  Looking at ‘what could go wrong’ rather than ‘what did go wrong’. 

In addition to this, Solvency II is a risk based regulatory regime.  One of the most powerful drivers of setting the benchmark and embedding this regime will be the risk culture that is established within each company.  I have just said that culture is the consequence of our attitudes and behaviours.  Attitudes come from our beliefs and our mind-set, while behaviours is how we exhibit these day to day. Under a risk based regulatory regime, for this to truly get traction in an organisation, a conscious effort needs to be made to shape the attitudes and mind-set of people across your company, from the boardroom to the frontline staff. 

I often get asked, what does a ‘good’ culture look like.  Well my answer to that is that there is no one answer.  It is up to each organisation to design for themselves what they want their culture to be.  We are not here to prescribe culture.  As regulator, we can endeavour to move companies in the right direction through regulation such as the Corporate Governance Code, the Fitness and Probity regime, the Consumer Protection Code and so on.  However, regulation and the Central Bank cannot prescribe what each company’s culture should be.  The Board, senior and middle management have a critical role in driving culture and we expect that key functions, including compliance, carry weight within the company and that they breathe life into the risk and compliance culture day to day.  Notwithstanding that, we would expect culture is built around the general principle of ‘doing the right thing’ for all stakeholders, including consumers and the regulator. 

Although I cannot prescribe a culture for you, what I can do is highlight to you some of the main drivers of ineffective cultures identified both from academic research and our own first-hand experience in the Central Bank.  We can also share with you what we would regard as ‘good’ practice in encouraging the development of more effective cultures.

Natural questions are, what has Insurance Supervision been doing in the area of culture, what have we seen and what do we regard as good practice?

What has Insurance Supervision been doing in the area of culture?

At the outset in 2016 we determined that cultural awareness would be an underlying theme as part of our normal supervisory activity.  This included our continuous assessment meetings, risk management and governance reviews, and as part of our on-site inspections.

We are striving to build culture into everything we do as supervisors.  Whether we are performing a review of your capital risk, investment risk, operational risk etc., we will be looking at how decisions are made, how they are communicated, how this is reflective of your risk management framework and how actions are implemented on the ground. 

For instance, during 2016 the on-site inspections team reviewed a number of areas core to insurance companies, including claims and underwriting, as well as a number of operational risk inspections.  While a strong emphasis was placed on assessing the robustness of frameworks, internal governance, policies, procedures and controls; observations of behaviour and culture have also been made.  These were observations of risk and compliance as well as organisation culture.

In tandem with this we have an in house organisational psychologist working with us to enhance our supervisory approach.  To date her work has focused on how to identify key influencers of culture in the organisations we supervise, how to identify whether cultures are effective or ineffective and how to aggregate this information to form a holistic view of a company at a point in time.

We are cognisant of the fact that no one thing will tell you what the culture of a company is like, it is the sum of many different things.  What we have focused on is identifying the dots, the indicators of risk and organisation culture.  So you’re probably wondering, what are the dots?  There is not an exhaustive list, as they can be tangible and intangible.  Areas we have identified include:

  • ‘tone at the top’, the way decision making occurs and how this is communicated;
  • board membership and performance, including the quality of board effectiveness reviews;
  • the leadership team;
  • what evidence is available to demonstrate the effectiveness of the risk, compliance and internal audit functions;
  • the governance and internal controls in place and the level of compliance or non-compliance with these.  Do you follow your own procedures or are workarounds allowed and commonplace?;
  • observing what are ‘accepted’ behaviours in your organisation;
  • reviewing remuneration and reward models;
  • assessing the skills, knowledge, competence and on-going training;
  • the way your companies and individuals in your companies engage with the Central Bank, is this an open and co-operative relationship or is it guarded and suspicious?; and
  • what is your approach to compliance, do you comply with the letter of the law but not the spirit of the regulation?

Steve Jobs is famously quoted as saying “You can’t connect the dots looking forward; you can only connect them looking backwards”, so we have quite the task in front of us to join those dots, but somewhere in your organisation and through our supervisory judgement they do join up, and they manifest into a clear and definite culture and sometimes this can help identify potential emerging risks.

Where we see weaknesses, the intensity of supervision may increase.  The Central Bank looks to co-operate with companies in resolving serious supervisory issues but we will not hesitate to use our formal powers where we do not see change or co-operation.  Examples of where we have used these powers in the past have been to investigate board effectiveness and investigate the effectiveness and embeddedness of risk management in companies we supervise.

We will continue to examine both empirical and anecdotal evidence across these areas as well as continuing to assess risk awareness and embeddedness on the ground in your companies.  You may also be interested to know that we will conduct a thematic review of internal audit functions in 2017.  Again, culture will be an element of this review.

What have we seen?

At a high level what we have observed first hand is that culture truly is the personality of an organisation, and changes in key personnel can have a major impact either positively or negatively.  We have also witnessed that often ineffective cultures appear to move quicker through an organisation and take hold faster than an effort to build an effective culture.  To move a culture in a positive direction appears to be much slower and much more of an uphill battle, perhaps this is reflective of the fact that it takes longer to build trust, than it does to destroy it. 

We have observed a mixed response to the ‘culture movement’, as such.  A small minority of companies are starting to scratch the surface, while the vast majority have not shown any specific real tangible approach towards the culture agenda. 

On the positive end of the spectrum, through our engagement with companies, we have seen some companies are very proactive in the culture space.  We have seen different approaches taken by companies, some have carried out staff surveys, while very few have carried out specific culture assessments.

The staff surveys we have seen the results of, can sometimes have differing objectives.  Some were aimed at identifying where there are gaps between the espoused values of the company compared to actual experience on the ground.  These also examined the reward and incentive structures in the company and the behaviours the reward model in place could potentially drive. 

We have seen other staff surveys where the focus was on compliance, to gauge the levels of awareness of employees of their compliance requirements, the views of staff on the leaders of the organisation and to get feedback on areas that could be improved.  This was really helpful in that it highlighted areas where more training was required and sometimes where clearer policies and procedures were required around how to comply. 

We have seen a very limited number of culture assessments, but where we have seen them, they have been detailed.  They have involved looking at the stated and intended values and beliefs of the company, how these are communicated to staff from the top to the frontline and how these values are reinforced in practice, and then an assessment of the behaviours on the ground through workshops.

What we have seen come through strongly from reviewing the output of these exercises, is that people in the organisation, and their experiences of the organisation are intrinsically linked to the resulting behaviours of individuals and the culture of the company.  What we have also observed is that the cultural agenda has to be championed by the leaders of the organisation, both at the top, such as the Chief Executive Officer (CEO) and in the key function holders such as the Heads of Compliance and the Chief Risk Officer (CRO).  However, I would stress that companies that have taken this approach are in the minority.  We have a long way to go and if you leave here with one key message today, it is that I would ask you all to drive the cultural agenda in your companies and start raising your levels of awareness of what your culture actually is.

On the negative end of the spectrum, academic studies suggest that there are three main drivers of poor behaviour in companies:

  • Corporate Stress that leads to people taking shortcuts;
  • Excessive focus on short term financial targets, and
  • 'ready tolerance’ of small breaches of rules that could become incremental.

These indeed are not at all far removed from some poor practices we have seen through our own experience as supervisors.  We have witnessed instances where we have seen the theory come true in practice.  These practices can be categorised broadly across the spectrums of:

  • Lack of self-awareness;
  • Inconsistent communications, and
  • Structures in place without the right behaviours to support them.

Going through each of these in turn.  We saw some companies where there was a lack of self-reflection and self-awareness.   Often the hardest step for a supervisor is getting the company to a place where they realise and acknowledge that there is an issue. 

Take for example board effectiveness.  We meet many board members every year as part of our supervisory engagement and we can see across the entire industry, life, non-life, health and reinsurance.  We meet all of the individuals on those boards, see all of the minutes and management information (MI) being provided to those boards, and we receive the board effectiveness reviews for the majority of those boards.  There have been times when we have raised our concerns with board members, this can range from the quality of the MI or the board minutes to the lack of self-reflection apparent in the board effectiveness reviews.  When we raise these concerns there is often a period where there is a lack of acceptance by board members.  What we ask, is that you truly hold a mirror up to yourselves as board members when performing board effectiveness reviews, be honest with yourselves.  

We have seen examples of inconsistent communications in companies.  Often cultural priorities are not clear and are not communicated, or Human Resources (HR) has been communicating on culture rather than the senior management team in collaboration with HR.  For any culture to have traction the senior management team needs to support the culture both in their words and in their actions.  It can be difficult to engage an entire organisation, therefore, you need strong leaders to do this and to do it consistently across the organisation.

We have seen some instances where the intended culture is not understood by staff on the ground.  To quote George Bernard Shaw, “The single biggest problem in communication is the illusion that it has taken place”.  Your message at a senior level is open to interpretation at all levels.  What you say and what your people see and hear may be two different things.  Therefore, it is of utmost importance that there is congruence of words and actions.  For instance, we have on some occasions seen a disjoint between what is said to be valued and what is rewarded.  How you promote and reward staff confirms to your people what is truly valued.

We have seen that many companies may have the right structures in place but we have not seen the supporting behaviours.  Nearly every organisation has the three lines of defence model on paper, multiple committees exist and reams of policies and procedures have been developed. However, where we have seen a common and significant cultural risk is that often a risk and compliance culture is not embedded in the first line of defence, committees do not operate in line with their terms of reference and often policies and procedures are well designed but people don’t follow them in practice. 

Take for example error reporting.  To err is human and there will always be human failures and we believe that human failures can fall into two categories - inadvertent and deliberate.  The question is, was it an inadvertent error or was it an instance of deliberate non-compliance.  Getting to the crux of this can be reflective of what happens when the error occurs.  Is there a root cause analysis investigation which will tell you about the error, but more importantly may also tell you about your culture on the ground, your risk and compliance culture?  Deliberate non-compliance may be contravening the policies and procedures you have in place.  Why and what is the reaction to this?  How often does this happen?  Be wary of making exceptions.  If non-compliance with internal policies and procedures becomes acceptable and tolerated, then this behaviour can become normalised.  If this is the normalised behaviour of a function or team, then you have an issue, as the procedures may as well not be there. 

We have seen evidence of where internal processes and policies are not adhered to.  For example, an underwriter exceeds their authority limit repeatedly and there is no reprimand; an operational risk event occurs but is not recorded on the events log and there is no reaction or root cause investigation from the risk function; internal audit has open issues that continue quarter on quarter and remain unaddressed but there is no reaction from the audit committee or clear plan of action between the head of internal audit and the business function.  What do these things tell us about how seriously authority limits, risk reporting or even audit findings are taken by the company? What risks can these attitudes and behaviours potentially expose the company to in the future? 

Where there are actions or informal processes, or shortcuts that exist, there is room to subvert the process and scope to diverge from the intended outcome.  We would strongly recommend that given the amount of time involved in putting frameworks and structures in place, companies need to be more diligent about using them day to day in running their business.

Related to this, we have seen instances where the processes for compliance with external regulations and internal controls have become overly cumbersome and complex.  We are fully aware that in compliance there are lots of regulations and it is a battle to keep up with the changing and evolving legal and regulatory environment. As compliance practitioners you are all trying to do the best for your company and recognise the need to simplify your structures and control frameworks. You need to be constantly vigilant to remember to retain the principles behind the regulations, policies and procedures and to drive the culture in your companies of doing the right thing, the culture of adhering to the spirit of the law and not just complying with the letter of the law.

We encourage those that have started on the culture journey to keep going and undertaking staff surveys is a positive first step.  Ensure that your surveys are anonymous, in order for them to be more meaningful and we would encourage you to assess risk culture as well as organisation and compliance culture. 

What do we regard as good practice?

Internally we have grappled with the idea of culture being intangible, difficult to define and to pin down.  In some ways you should think of culture like any other part of running your business.  Just as you would define goals and targets in a business plan, you have to define the culture you are aiming for.  And as you know, to achieve any plan, you need actions in order to execute the plan.  Like any other risk you should be able to identify, measure, monitor and report on it regularly.    You will have a culture, whether it is intentional by design or not, therefore it is better to make a conscious effort to manage it.

We would recommend that:

  1. culture is championed from the top, that the senior leaders and the role models in the organisation live and breathe the cultures they set for their company;
  2. you need to engage your people to follow you in this journey and make contact with them to help you identify your ‘real’ culture, what is under the surface, identify the gaps, the risks, and the inconsistencies.  The staff surveys are a start in this regard;
  3. through vigilance and constant reinforcement, you need to drive effective behaviours, this is both through your policies, procedures, processes etc. but also through your behaviours day to day on the job.  You need to commit to your culture, reward what you say is valued and reprimand violations of espoused values.  The Jack Welch approach to ‘values violations’ in GE has received much acclaim as being effective in driving positive cultural change.  Actions you can take to support your culture can include raising awareness, providing appropriate training, creating a ‘no blame culture’ through an active problem solving culture, looking at what went wrong and how it can be avoided again, rather than who was to blame;
  4. you need to have clear roles, responsibilities and accountabilities in your organisation. 
  5. you need to find a way of measuring your culture and tracking cultural change as “To measure is to know and what gets measured gets done.”  We would expect a company to have KPIs for financial performance and KRIs for risk appetite, likewise time and effort should be put into considering how you could develop measures for your culture, and
  6. most importantly culture should not be seen a s a ‘nice to have’ or a topical buzz word in which interest will fade over time.  Culture needs to ingrained in your people and adhered to, even in times of pressure and stress, as it is during these times that the strength of your culture will truly be tested.

Close

Addressing the area of culture is essential if we want to stop history repeating itself.  The financial corporate memory can often be a very short one.  There has been an acknowledgement from the regulatory community that reform of the dysfunctional practices in industry will not be brought about through regulation alone.  This has been demonstrated by international bodies such as the FSB and G30 issuing guidance in relation to culture over the past few years.

Many companies will struggle with how to articulate what type of organisational or risk culture they aspire to, they will struggle to identify where specific weaknesses might exist in their current culture and of course, one of the most difficult pieces of the puzzle, how to effectively address those weaknesses.  Rome wasn’t built in a day.  In my experience, a positive culture is more difficult and takes longer to build than a negative one, but diligence and persistence pays off.

We can all fall into the traps of decision making biases, group think, overconfidence, becoming more comfortable breaking the rules when we see no immediate negative consequences, so we continue taking shortcuts under pressure.  However, you need to always have your defences up against this and you need to have mechanisms in place to protect yourself from them.  This is particularly true for the key decision makers in an organisation and in particular for board members.

Ultimately, a sound culture, risk including conduct, or otherwise, across the industry is not something that can be regulated into existence.  It requires engagement from the industry itself – the senior management teams of companies, the board members and you, as a key function holder and leader in the organisation, it requires your on-going, drive, persistence and support.  As compliance officers you have a responsibility to influence this culture across the organisation.  Not just one of compliance, but one of thinking how we can do things better.

The very first step is self-reflection.  Be honest with yourself, whether you are on the board or a member of the senior management team.  Without that first step of being honest about the current state of affairs, or a genuine curiosity to reach out to your people as to how they perceive the culture, following through on everything else will be meaningless.  The next steps are to take actions to shape and embed your culture and to monitor it on an on-going basis.  The most important step is to truly live your culture and transform your organisation.