1 Introduction

Solvency II, which is considered one of the most sophisticated insurance regulatory regimes, is built around the principles of market consistency, the aim of which is to instil strong risk management, governance and internal control systems within the insurance industry. It set out to remedy the shortcomings of Solvency I by introducing a sweeping regulatory reform for insurance companies.Footnote 1

Although Solvency II is mostly known for its risk-based capital requirement calculation, one of the most important elements in this regime is the heavy reliance on robust risk management practices.Footnote 2 Thus, an underlying objective for Solvency II is to improve the system of governance within an organisation. As stated in Recital No. 29 of Solvency II, ‘some risks may only be properly addressed through governance requirements rather than through the quantitative requirements reflected in the Solvency Capital Requirement. An effective system of governance is therefore essential for the adequate management of the insurance undertaking and the regulatory system’.

This approach is common to EU regulation on financial servicesFootnote 3 and denotes the willingness of regulators to master uncertainty by organising market uncertainty into recognisable categories of quantifiable risks.Footnote 4 However, regulating risk management may foster misperceptions about what risk management can and cannot do.Footnote 5 The push towards a quantitative risk assessment based on statutory schemes, with a fixed pattern for capturing risk, could prevent a true risk culture based on a ‘thinking outside of the box’ approach.Footnote 6 Risk management needs to move from mere calculation to a broader range of activities, including scenario-thinking, war-gaming and playing the devil’s advocate.Footnote 7

Solvency II requires insurance undertakings to set up a risk management system and, therefore, requires risk management to be embedded in the day-to-day activities of insurance undertakings. However, so far, several insurance undertakings have been focusing on improving risk measurement frameworks, rather than taking the opportunity to implement a real cultural change based on an intelligent understanding of the actual risks they are facing.Footnote 8 Addressing risks proactively requires that insurance undertakings are aware of the current risk culture within the organisation and the industry, and of the direct and indirect effects of the wider environment surrounding the industry. It requires an understanding of risk and of the tools available to address these risks. Moreover, it requires that directors are fully aware of, and kept abreast of, the assumptions behind the models used to measure and report risks; that they are involved in and understand the Own Risk Self-Assessment (ORSA) and the need for a Risk Register; and that they are involved in the design of, and understand, the stress tests and reverse stress tests implemented.

One should, however, be clear about the concept of risk.Footnote 9 Risk classification in insurance markets is the avenue through which insurance undertakings seek efficiency and compete on insurance contracts.Footnote 10 Solvency II requests insurers to adopt a forward-looking approach to risks, including but not limited to underwriting risks. The intent is to take an enterprise risk-management approach towards capital standards that will provide an integrated solvency framework covering all significant risk categories and their interdependencies.Footnote 11 Every risk management process should be custom made, reflecting the firm’s profit goal, existing risk portfolio and risk appetite.Footnote 12 Risk is a multifaceted concept, and its identification requires complex approaches that are often misunderstood. The consequence is that decisions are based on a limited perception rather than on the full value and meaning of what risk is; as a result, the way it is tackled is incorrect.

Since risk management is concerned with what might happen in the future, risk managers are also concerned with creating scenarios by using models to generate (i) ‘stress tests’, which evaluate the impact of extreme, but plausible, scenarios that are not considered by value at risk (VaR) or expected shortfall (ES) models, and (ii) ‘reverse stress tests’,Footnote 13 also known as a ‘pre-mortem’,Footnote 14 a managerial strategy in which a project team imagines that a project or organisation has failed and then works backwards to determine what could potentially lead to that failure. However, these tests are only as good as the directors or their advisors: they depend on their experience, skills and knowledge. Therefore, authorising or recruiting the wrong persons can mean that the key risk indicators (red flags) are set and calibrated incorrectly.

Furthermore, Solvency II pushes insurance undertakings to promote a risk culture alongside the setting up of the risk management function. Weaknesses in risk culture are often considered a root cause of the global financial crisis, of headline risk and of compliance events.Footnote 15 A sound risk culture consistently supports appropriate risk awareness, behaviours and judgements about risk-taking within a strong risk governance framework.Footnote 16 Thus, risk culture and risk management can be considered as two sides of the same coin—risk governance—and the improvement of the risk culture does not affect the performance of financial institutions.Footnote 17 However, risk culture can be implemented in different ways. A cognitive risk culture, which focuses on improving the understanding of risk and resolving problems by addressing their root cause,Footnote 18 stands in contrast to compliance-based and defensive risk cultures. The risk culture could be implemented only to demonstrate to the authorities that their request is being fulfilled, or to promote professionally sub-optimal or even wrong decisions for the sake of preventing lawsuits and blame.Footnote 19

However, risk culture also goes beyond the regulators.Footnote 20 In the current economic environment, companies are looking for opportunities to differentiate themselves from their peers, particularly in the area of risk management.Footnote 21 Determining and documenting the risk culture, appetite, tolerance and strategy provides credible evidence, which can be used to inform regulators, clients, rating agencies and other stakeholders.Footnote 22 By promoting a common language and structure in which to discuss risk culture and risk management across the undertaking,Footnote 23 one can envisage an environment where reporting, communicating and monitoring risk culture is a key part of public disclosures and advertising.Footnote 24 However, some organisations currently still lack this focus and consistency.Footnote 25

2 Aim and Research Questions

The introductory remarks outlined the relevance of the risk management system within the governance of insurance undertakings. A risk culture must be embedded in the governance together with risk management practices. Both the risk management system and the risk culture pertain to the organisation of the company and to how it confronts risk. Risk is a multifaceted concept, which challenges the organisation of the insurance undertaking. These remarks allow us to define the aim of this chapter and, ultimately, the research questions.

The preliminary issue concerns the perimeter of the risk management system. The analysis aims to identify the risks that fall within this system and the persons who, within the insurance undertaking, are responsible to the supervisory authority for ensuring an effective risk management system. The risk management system includes the risk management function, but it does not end with the latter. Several people within the company might be deemed responsible by the supervisory authority and/or determine the ultimate responsibility of whoever appointed them, as well as of the undertaking. The board of directors is responsible for managing the business (in all its respects) under corporate law. One should understand to what extent individuals bear ultimate responsibility for the functioning of the risk management system, including the head of the risk management function. Thus, corporate bodies, including staff working within the company, fall within the scope of the analysis, while external auditors are outside it.

Based on the result of this analysis, our second research question relates to how corporate bodies can assess the performance of the head of the risk management function. Solvency II provides for a list of risks and a questionnaire and is, in a sense, at the standardised approach/model level, prescriptive in the methodologies to be used to monitor and quantify the risks, although companies are expected to add other risks that the company may face (Pillar II). It is, however, more flexible when the undertaking uses an internal model, which can only be used if the undertaking has proven capacity and experience and the regulator allows it. We aim to understand whether these lists, questionnaires and models are exhaustive. How can one understand ex ante whether the methodologies adopted by the head of the risk management function are adequate?

Understanding risk should be part of the corporate culture. Risk culture defines how a company’s management and employees understand risk and manage it to maximise rewards.Footnote 26 If the risk management function is part of the risk management system, the risk culture should concern all the operational units that are exposed to the risks considered under the risk management system. Thus, risk culture is a component of the risk management system.Footnote 27 Such a culture needs to be promoted, implemented and monitored,Footnote 28 and specific persons are responsible for these processes.Footnote 29 With this analysis, we will therefore investigate the third research question, that is, the concrete actions that can be performed by the persons with ultimate responsibility for the risk management system to comply with the above task.Footnote 30

Based on the above, the next section aims to answer the first research question and, therefore, will investigate both the perimeter of the risk management system and the legal foundations of the duties imposed on the persons who are responsible for that system to the supervisory authority. In the following two sections we will recommend and suggest solutions to address the other two research questions.

3 The Perimeter of the Risk Management System and the Persons Who Are Responsible for Its Functioning

Solvency II sets forth that the ‘administrative, management or supervisory body’ (AMSB) of the insurance (or reinsurance) undertaking has the ultimate responsibility for compliance, by the undertaking concerned, with the laws, regulations and administrative provisions adopted according to Solvency II.Footnote 31 Also, Solvency II requires all insurance (and reinsurance) undertakings to have in place an effective system of governance that provides for sound and prudent management of the business.Footnote 32 That system must include, among other things, compliance with the requirement to have in place an effective risk management system comprising the strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks to which they are or could be exposed, at an individual and at an aggregated level, and their interdependencies.Footnote 33

The introduction of rules and principles addressed to the corporate bodies of insurance undertakings must consider the absence of a uniform structure of corporate governance in the EU. Solvency II reflects this lack of harmonisation by using the generic term ‘administrative, management or supervisory body’ (AMSB) when it sets forth rules involving corporate bodies.Footnote 34 Although the board structure is a matter of national law, the term AMSB covers both the unitary (one-tier) board structure and the dualistic (two-tier) board structure, which are the recurring board structures in the Member States and are regulated by their respective national laws. Where no specific body is specified in national law, the regulatory framework issued under Solvency II provides that the term AMSB means the management body.Footnote 35

The AMSB has the ultimate responsibility for the system of governance, which comprises the risk management system. Thus, the AMSB is responsible for the proper functioning of the risk management system. Consequently, European legislation requires national regulations to identify a corporate body within the AMSB that is responsible for the system of governance, including the risk management system. Furthermore, responsibility towards the supervisory authority is established for the whole corporate body as identified by national rules.Footnote 36 Thus, it should not be possible to distinguish between the responsibility of the executive and non-executive directors within the management body. European legislation seems to establish their joint responsibility towards the supervisory authority for compliance with Solvency II, including the system of governance and the risk management system, regardless of what national corporate laws may provide.

Being part of the system of governance, the risk management system pursues the same purpose as the latter, which is to ensure sound and prudent management of the business.

The meaning of sound and prudent management of the business should be understood bearing in mind that the main objective of insurance and reinsurance regulation and supervision in the European Union is the adequate protection of policyholders and beneficiaries.Footnote 37 Financial stability and fair and stable markets are other objectives of insurance and reinsurance regulation and supervision that should also be considered, but they should not undermine the main objective.Footnote 38 Therefore, adequate protection of policyholders does not have only a ‘passive’ meaning, consisting in managing the insurance undertaking so as to ensure its solvency.

Such protection also has a functional significance, as clearly expressed by Directive 2016/97 on insurance distribution (IDD). This Directive sets forth that, when carrying out insurance distribution, insurance distributors always act honestly, fairly and professionally in accordance with the best interests of their customers.Footnote 39 This principle does not refer only to business conduct but also extends to the manufacturing of insurance products.Footnote 40 The IDD sets forth product oversight and governance requirements (POG) under which manufacturers must maintain, operate and review a process for the approval of each insurance product to ensure that insurance products meet the needs of the target market.Footnote 41 Thus, the sound and prudent management of the business requires insurers not only to ensure their solvency, but also to design products matching the interests and needs of their target market, and to distribute such products to the relevant target market.

Solvency II provides that the risk management system must cover the risks to be included in the calculation of the Solvency Capital Requirement, as well as the risks which are not, or not fully, included in that calculation.Footnote 42 Some risks may only be properly addressed through governance requirements rather than through the quantitative requirements reflected in the Solvency Capital Requirement. An effective system of governance is therefore essential for the adequate management of the insurance undertaking and the regulatory system.Footnote 43 Thus, Solvency II requires insurance undertakings to have in place an effective risk management system to identify, measure, monitor, manage and report, continuously, the risks to which they are or could be exposed, and their interdependencies.Footnote 44 The IDD complements this provision. The set of rules on POG requests undertakings to manage the risks inherent in poorly designed or improperly distributed products by avoiding the manufacturing and offering of worthless products to customers, and imposes remedial actions where this nonetheless happens.Footnote 45 POG meets the goal of increasing customer protection by aligning the approach to products with the approach to capital requirements introduced under Solvency II.Footnote 46

In conclusion, the system of governance comprising the risk management system should be able to address all risks of insurance undertakings, that is, those related to the solvency and the risks inherent to the quality of products and their distribution. The list of risks provided by Solvency II must be complemented with those related to the manufacturing and distribution of the insurance products as arising under the IDD and implementing national laws.Footnote 47

The risk management system must be effective and well integrated into the organisational structure and the decision-making processes of the insurance undertaking, with proper consideration of the persons who effectively run the undertaking or have other key functions.Footnote 48 These persons are the members of the AMSB, taking into account national law, as well as members of the senior management.Footnote 49 EIOPA clarified that the AMSB is distinct from the senior management, which includes persons employed by the undertaking who are responsible for high-level decision making and for implementing the strategies devised and the policies approved by the AMSB.Footnote 50

The AMSB appoints the senior management, including the head of the risk management function, after a positive fit and proper assessment, and is responsible for evaluating the reports on risk exposures submitted by the head of the risk management function. Reports and activities will include both the risks to be included in the calculation of the Solvency Capital Requirement and the risks which are not, or not fully, included in that calculation, including those related to the manufacturing and distribution of products. These statements introduce the first list of issues outlined earlier, concerning how the AMSB can (i) assess the fitness and properness of the head of the risk management function and (ii) understand ex ante whether the methodologies and questionnaires adopted by the head of the risk management function are adequate.

Furthermore, the risk management function is a (key) component of the risk management system, acting as a control function, but it does not constitute the whole system, which also extends to the business units.

Solvency II does not specifically recognise the ‘three lines of defence’ model as developed by the Institute of Internal Auditors (IIA) and based on the framework for evaluating internal controls elaborated by COSO.Footnote 51 According to the latest version elaborated by the IIA,Footnote 52 this model consists of a first line provided by front-line staff and operational management, i.e. those providing products/services to clients, where the business units have to anticipate and manage risks at the operating level. The monitoring of risk is the second line, which is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing and monitoring risks. Because of the specific nature of insurance, where the liabilities side of the balance sheet is more important, the actuarial function is added to this line.Footnote 53 The third line is provided by the internal audit function, which provides an independent review that the risk management, internal control and actuarial frameworks are working as designed.

The three lines model has been challenged by proposals promoting four lines of defence, five lines of defence or integrated lines of defence.Footnote 54 An analysis of this criticism and a discussion of the most efficient defence model for insurance undertakings are outside the scope of this essay.

Nonetheless, the legal framework introduced under Solvency II sets forth that insurance undertakings must establish information systems that produce complete, reliable, clear, consistent, timely and relevant information concerning the business activities, the commitments assumed and the risks to which the undertaking is exposed,Footnote 55 and must ensure that all personnel are aware of the procedures for the proper carrying out of their responsibilities.Footnote 56 To that end, the tasks of the risk management function include assisting the AMSB and other functions in the effective operation of the risk management systemFootnote 57 and monitoring the risk management system and the general risk profile of the undertaking as a whole.Footnote 58 The AMSB has the ultimate responsibility for ensuring the effectiveness of the risk management system.Footnote 59 Such responsibility means ensuring that there is a coordinated and integrated approach to the risk management system and a common ‘risk language’ with the right tone from the top.Footnote 60 Business units are, therefore, the first line of defence within the risk management system introduced under Solvency II. These units are embedded in the risk management system, being requested to deal with the risks inherent to their functions. The risk management function must support the business units by providing them with the tools that are pertinent to the management of these risks.

Since the ultimate responsibility for the risk management system lies with the AMSB, the latter should not rely solely on the support provided by the risk management function to the business units. The AMSB must play an active role in promoting and monitoring the implementation of risk culture across the company. This statement is in line with the Insurance Core Principles (ICPs) issued by the International Association of Insurance Supervisors (IAIS). ICP 8 refers to Risk Management and Internal Controls and provides that the risk management function must be capable of assisting the insurer to promote and sustain a sound risk culture (see Standard 8.1). The reference to the capability of ‘assisting’ the insurer should be read as excluding that the risk management function has the specific task, and the related liability, of promoting the risk culture. This conclusion opens up the other research question, consisting of how the AMSB can assess the performance of the head of the risk management function.

4 Identifying Risk and Managing It

A starting point for addressing risk should be an understanding of what is considered a risk in the context of the undertaking and of its direct and indirect effects on the undertaking’s objectives. Risk is a multifaceted concept, and its identification requires complex approaches that are often misunderstood. The consequence is that decisions are based on a limited perception rather than on the full value and meaning of what risk is; as a result, the way it is tackled is incorrect. Moreover, individuals do not embrace the full multifaceted nature of risk.Footnote 61 Regulators impose norms and checklists on directors and individuals, and overuse or misinterpret the value of models, simulations and templates, thereby reducing responsibility and capability for innovative decision-making. At the same time, the wider use of technology and rules reduces the critical thinking of directors and individuals. We advance the automation process by building robots that follow protocols and forget about the part of risk assessment that cannot be programmed. Therefore, before the risk management process can start, one needs to define, understand and communicate the objective, then determine the risks that can affect this objective and identify the controls in place. Regulations and their respective guidelines define this process but forget to address the meaning and context of risk.Footnote 62 The framework introduced under Solvency II mentions that we need to address Market Risk, Settlement Risk, Liquidity Risk, Credit Risk, Interest Rate Risk, Model Risk and any other Business Risk, etc.,Footnote 63 and it does go into great detail on how to address these risks and on their definitions, but there is no mention of the definition of risk itself. That is, when a risk is a risk and when it is not.Footnote 64

Although there are various definitions of risk, the best working definition is that of ‘uncertainty that matters because it can affect one or more objectives’.Footnote 65 This can be simplified into two ingredients: ‘Uncertainty’ and ‘Materiality’.Footnote 66 This should be the main guideline provided by regulators to the AMSB.Footnote 67 In fact, in risk management we look at three forms of knowledge and non-knowledge associated with risk, which need to be understood: known (K) risks, unknown (u) risks and unknowable (U) risks. The first type of risk (K) can be measured, any disruption can be forecast and may be established from prior experience, and these risks are understood and appreciated. These events, when they occur, are normally a result of incompetence. The second type (u) are the most commonly encountered situations, but their extent and full implications remain unclear due to a lack of judgement. These events may be quantifiable, but the time of occurrence is unknown; they are events where the location, timing and extent of the event are difficult to quantify. The third type of risk (U) are events that are difficult, if not impossible, to model due to the lack of knowledge in hand. To manage unknowable risks, companies should ensure that business processes remain flexible, keeping costs variable and diversifying across products and markets whenever possible. This type of uncertainty is quantifiable by using simulators that make what is implicit explicit, but no data are available.Footnote 68

Regulations are there to guide and trigger thinking. However, the thinking needs to be done at the level of the undertaking, where it is expected that the personnel and the directors are well equipped with the knowledge and experience that enable them to determine objectives and risk-taking in line with the appetite and tolerance of the stakeholders/shareholders, and that this is communicated appropriately down, up and across the undertaking. Regulators must not make the mistake of micro-managing undertakings by imposing authorisation judgements on who is appropriate or authorised for specific positions, and on what risks to address and how. This responsibility should remain the onus of the AMSB.Footnote 69

As noted above, regulations require that an insurance undertaking has a risk management function and employs a risk manager or risk team to carry out the day-to-day responsibility of this function on behalf of the directors. Regulations offer a framework through Solvency II and the respective ORSA to address risk in an insurance undertaking, but this is far from solving the problem of ensuring that this responsibility is carried out appropriately. The risk manager is a regulator-approved/authorised position and in some cases can also fall under the responsibility of a Risk Committee, but the ultimate responsibility is always that of the AMSB. Therefore, the determination of whether the function and the personnel are appropriate is that of the AMSB. However, there is no clear-cut answer to this question, and often reliance is placed on the suggestions of advisors, built from their understanding of what the regulator would accept as a person’s qualifications and experience. Besides, unless there is someone on the AMSB who understands the need for risk management, the function becomes perfunctory and bottom-up, with little feedback and challenge, or, on the other hand, it can take the opposite course of challenging the wrong things.

The problem is that risk management is not considered a profession in its own right, and the relevant education, experience, associations, institutes and standards vary widely. The only common requirement in the case of insurance undertakings is Solvency II and the guidelines and rules that form around it. Regulatory authorisation requirementsFootnote 70 do not distinguish between qualifications that are focussed mainly on monitoring or on setting up policies and procedures, those that are focussed on measurement and statistical models, those that are focussed on monitoring, and those that are focussed on management. That is, a Director who takes on any type of corporate position such as Risk Manager, Internal Auditor, Compliance Officer, MLRO, Valuation Officer or Portfolio Manager, or who sits on certain committees, needs to obtain authorisation from the regulator—one needs to prepare a Personal Questionnaire and then obtain authorisation from the regulator. This is a requirement of the licence application and of the ongoing procedure.Footnote 71

A complete risk manager should have all these skills, that is: (1) understanding models and their assumptions, (2) the ability to document procedures, standards and policies to ensure they are within the appetite of the undertaking’s stakeholders, (3) the ability to communicate up, down and across the undertaking, (4) the ability to understand and advise on risks and (5) the ability to lead and manage proactively to ensure continuity.Footnote 72

To ensure this, the AMSB needs to have a wide-angle view of these needs and, before recruiting, ensure that the risk function has players who can offer these assurances, or put in place a structure that ensures this is happening within the risk management function. Risk management is not about one or more persons taking up that position but about the whole team of employees working together to achieve the objectives. It is about communication and acceptance of objectives and the determination or ‘buy-in’ of everyone to achieve them.

Unfortunately, the absence of this profession and the potential lack of people with this skillset in some Member States lead directors to look to other professions to fill this role, such as economists, lawyers and accountants who might have taken a short course and a few years of on-the-job training. Even with training, most of the time their mindset is either on models and model building, or on finance or policymaking, but they lack the management skills and the ability to innovate.Footnote 73

It is important to note this since it explains why the mistake is being made—people with the wrong skillsets are asking and teaching people to have the wrong skillsets. That is, to replicate themselves. That is, ‘what goes in goes out’. One is addressing a new area with the eyes of an old skill/profession, which, to that extent, is reactive. If these professions are to understand and address the problem, they need to open up to the wider context and think outside their comfort zone, or else we will continue to face the same issues we face today—maybe a more modern version of the same problems: similar cases with similar governance issues causing failure or large losses, but using more modern techniques.Footnote 74

It should also be noted that the lack of adequate professionalism in risk management is not a matter inherent only to the responsibility of the AMSB towards the supervisory authority of the Member State in which the insurer is based. In the case of cross-border operations, the lack of professionalism of the risk manager could jeopardise compliance with the obligations undertaken by the insurer towards policyholders in the host Member State.

We believe that ultimately risk management is about character and culture, and that the AMSB can only fully understand, determine and recognise the fitness and properness of a risk management function if common explicit standards determine the skillset of the risk manager by embedding it into a profession. Regulations only talk about the function of the risk manager but forget the skillset, or are—as noted above—incorrectly filling this gap with the wrong skillsets,Footnote 75 skillsets that look only at education and forget the other characteristics necessary to reach objectives, such as an aligned appetite and tolerance and a common culture. Maybe this is also because authorisation/approval is determined by persons who do not have enough knowledge of what this skillset should be. The AMSB, however, does not define and understand what risk is, and bases its knowledge on regulators, who give them a recipe of what to look out for—so they do not use their minds to think but satisfice and do what they are told. However, the regulator himself/herself does not know how to determine risk because s/he does not have the correct skillset to do so, and there is no single profession identifiable in law as a risk profession, similarly to other professions.Footnote 76

It is not surprising that most persons working in a risk function do not know how to define risk, let alone how to manage it.Footnote 77 Defining the role of the Risk Manager in law as a separate focussed profession would strengthen the profession, by standardising the training and knowledge requirements, the required responsibilities, and thereby the skillset required, putting them on the same level as other professions even in the eyes of the regulators.

Regulations should be there to reach objectives without hiccups; however, this fails if the objectives are incorrect because they address different objectives. Lawyers have one perception of what risk is and what the objectives are, accountants have another, economists have another, and they are the people addressing the requirements and drafting regulations; these people are all reactive by nature. Therefore, where is the risk manager’s skillset in all this, where is the proactivity?Footnote 78 You do not address a risk after it happens, because if you know about it because it happened before, you can manage it, and therefore, as noted above, it is not a risk. For example, the underwriter takes risks he understands, a calculated risk, to make a profit. The other party, who does not want the risk, can manage it.Footnote 79

However, Solvency II is driving changes in insurance undertakings, that is, from the AMSB through to the wider organisation. For directors, and particularly non-executive directors, this means getting closer to the business. Has the industry (regulators and educators) understood that what was good a few years ago is nowadays irrelevant? The directors must be simultaneously entrepreneurial and drive the business forward while keeping it under prudent control. Apart from the education, character, experience and charisma of the individual member, one needs to determine how these fit together as a team, and this cannot be something determined by regulations or micro-managed by the regulator.Footnote 80

Solvency II makes it clear that the AMSB is not able to delegate its responsibilities, and individual directorsFootnote 81 must be able to explain the decisions taken by the undertaking. The corollary of their position is that the existence and requirement of a risk management function demands that the board have risk expertise; by extension, expertise is required at board level in every area or function within the undertaking.

These obligations are creating tension and challenges within undertakings, putting a lot of stress on the directors. Therefore, in our opinion, there is a need for a risk management profession and for expanding the directors’ skillset. This should compile all standards and frame the understanding of their expected function and skillset as already mentioned above.Footnote 82 Without this, the AMSB is at the mercy of the regulators and the knowledge, character and experience of the person leading the risk management function. Whether s/he is fit and proper or not is another question.

5 Importance of Performing and Communicating a Risk Culture Diagnostic

Inappropriate risky behaviour beyond the appetite of stakeholders can destroy the reputation, the value and the undertaking itself.Footnote 83 This is why processes and oversight structures to control the level of variability from this appetite are so important. Unfortunately, however, regulations and directors forget or ignore the attitudes and behaviour of decision-makers and the reasons why they make specific decisions. Shaping the risk culture, maybe through policies, procedures, standards and communications, ensures that business risks such as reputation and strategy are managed appropriately.Footnote 84 Both are important, since a damaged reputation and following an inappropriate strategy can each destroy an undertaking. Regulations do focus the risk management function on these risks and do point out that they need to be addressed appropriately, with processes and policies documented and structured appropriately. Regulators, to a certain extent, do micromanage this during onsite visits.Footnote 85

If the AMSB makes risk culture diagnostics a priority, then there is quicker buy-in throughout the undertaking. Views should be solicited from employees with a message that management believes in the empowerment of all members and that this is a priority. Objectives should be clear and the focus of all. Communication of the risk culture should be a priority on the leadership agenda, and lack of awareness, indifference or disregard for it should not be tolerated.

Humans are very sensitive to signals arising from how an organisation reacts and behaves. If ignoring limits, failure to complete risk reports, or disregard for processes is tolerated and not identified, monitored and corrected, then the undertaking risks perpetuating a cavalier attitude to risk and control throughout the undertaking.Footnote 86

In some cases, it has been difficult to engage with the AMSB on risk management as the focus is often on the technical details around risk measurement. However, the results of the diagnostic should be visual and qualitative, making it easily communicated and, hence, encouraging engagement. That is, to ensure that risk management is not lost in translation and that uncertainties are documented, communicated and addressed efficiently and in line with the appetite set at the strategy stage.Footnote 87 Benchmarking also provides the context of the results of similar undertakings. The better-informed one is about what others are doing, the better one is at designing a gap analysis for decision-making.Footnote 88

All results, findings and discussions need to be analysed at various levels, depending on data capture, and used to identify ‘red flags’ needing remedial action whether this is by business unit or function. Tools used for reporting and addressing risk should be user-friendly and enable personnel to engage in understanding risk culture in their part of the undertaking and encourage constructive dialogue on improvement. However, for this to hold, employees must feel secure to answer truthfully and this is best achieved if this is coming from the top and communicated well.Footnote 89

Solvency II, if interpreted well, does promote all this. However, many undertakings are still not recognising the need to improve governance, as this requires a change in mentality and may entail an overhaul of the system of governance and the need to invest. Therefore, sometimes also because of the lack of proportionality in the approach and in the enforcement of the requirements, Solvency II is seen as a perfunctory function and not as a competitive edge.

Relying on processes and formalised controls will not be enough to give confidence that an organisation is capable of state-of-the-art risk management. There will always be ways to circumvent the models, systems and controls, as we see from some of the cases found in the literature, such as those of Long Term Capital Management, Barings Bank, Société Générale and many others.Footnote 90 It is, therefore, necessary for the AMSB to encourage a strong risk culture where employees are risk-aware, understand the consequences of their decisions, and are confident enough to raise objections when necessary. Unfortunately, there is no hard and fast rule or fixed methodology to ensure this, and the AMSB has the task of putting in place, with the help of the risk manager, measurable and realistic objectives which recognise uncertainties and ensure that these are addressed responsibly and with integrity.

That is:

  • Objectives must be stated, and achievements measured.

  • Information related to the achievement of objectives should accurately present the facts.

  • The objectives should be updated regularly, ongoing and sustainable.

  • Uncertainty about the future should address both dangers and rewards.

  • Being wrong should be acceptable but must be communicated and addressed thoughtfully and rigorously.

  • Mandatory and voluntary promises must be maintained, measured, monitored and ensured.Footnote 91

Risk culture is not static and should be actively challenged to encourage continuous improvement. This cycle must keep improving by allowing management to benchmark against other undertakings, track its own performance over time and provide results at a sufficiently granular level so that remedial action can be applied. Although change does not happen overnight, Solvency II is an opportunity to improve the risk culture within insurance undertakings. However, to do that, insurers need to grasp this opportunity and understand that the risk management system is not only one person but a system, that is, the result of many other functions working together to reach common objectives with the least hiccups in a sustainable mannerFootnote 92 (vide Fig. 1).

Fig. 1 The risk management system (Source: Authors’ own compilation)

Moreover, one needs to consider the starting point of the undertaking and proportionality when determining the action to be taken and deciding on how to ensure a culture change.Footnote 93 This is because, although the above list is generalisable, not all actions may be applicable, and some circumstances might require a different approach.Footnote 94

6 Conclusion

Solvency II does provide methodologies, guidelines, and suggestions to measure, monitor, and manage risks. However, these can misguide directors into believing that these are exhaustive, and following these requirements will ensure that we are immune from trouble or danger of loss. As noted above, this is not the case. Far from it, the AMSB needs to understand the risk their undertaking is facing and impose ex-ante adequate and proportional methodologies to mitigate unwanted risks and monitor those risks that they are willing to take.

To do this, the AMSB must understand the culture of the undertaking and its personnel to determine the adequacy to meet objectives. Adequacy in terms of character, education and experience. That is the fitness and properness of the team. Although this task is sometimes delegated to the Human Resource Manager, the AMSB has to have a full view of the delegated task.Footnote 95

Another important task should be that of ensuring that all policies and procedures are documented and reviewed periodically and in line with the strategy of the undertaking. Everything needs to focus on the objectives and appetite and tolerance of the stakeholders and within the mandatory regulatory parameters.

Once these are complete, the communication lines should be addressed to ensure that any risk, or variance from the appetite and tolerance, is communicated to the AMSB in a timely manner and through the set communication channels, depending on the importance/materiality as decided by the AMSB. Any noise suppressing this communication, such as internal politics, should be tackled immediately and stopped.

This shows the importance of having a governance structure with internal controls that are proportional to the size and responsibility of the undertaking, based on the licensable activity it is providing. Although the chosen persons, with their experience and qualifications, are important factors in ensuring that the governance structure is adequate to meet the objectives set, it is the way they fit together and their buy-in to the project and objective that ensure the appropriate communication, integrity, responsibility and sustainability of the set objectives of the undertaking.Footnote 96

The makeup of the AMSB might well need to change to include at least one person with risk management knowledge and knowledge of internal controls. However, such senior people are in short supply, and it is doubtful there are many of them in some Member States, where the pool of risk officers with knowledge and experience of financial modelling, regulations and internal controls within the insurance industry is less developed and the number of suitably qualified senior staff is low. As noted, this lack of professionalism in one Member State risks spreading to other States in the case of cross-border activity of the insurer concerned.

The solution for having an appropriate and effective AMSB is not something that can be developed overnight just by implementing regulations, but one needs to take a deeper look at the environment and the developments required to arrive at such. Education plays an important part in all this, and regulation needs to push in that direction to ensure that this is brought in line with the new needs; coupled with driving, providing and setting of a European professional status (embedded in the law) for these new skillsets. Moreover, national regulators need to be put in a position to apply the principle of proportionality without fear. Until this is achieved, directors, risk managers and regulators will continue to doubt whether what they are doing is enough and in line with requirements, and fear and confusion will continue to reign.