Last week RSA, the UK’s second largest general insurer, announced the results of reviews by KPMG, PwC and its own Internal Audit function into the £200m black hole in its Irish business. Revelations of the debacle had led to the resignation of Group Chief Executive Simon Lee in December and a share price drop of over 25%. The reviews describe how senior managers in Ireland had ‘inappropriately collaborated’ in the accounting of premiums and reporting of large claims so the accounts did not reflect the true financial position of the business. The managers involved have since been dismissed.
Fortunately for RSA, the reviews confirm that the problem is confined to Ireland and that other parts of the Group are unaffected. They go on to say the Group system of governance includes a control framework built on the ‘good market practice of three lines of defence’. They emphasise that it is appropriate in terms of structure and design for an international insurance group of RSA’s size and complexity, and elements of its design compare favourably across the market.
So why did a conventional risk framework, in this case apparently as good as it gets, fail to pick up such a key risk to an insurer? After all, improper manipulation of premiums and claims reserves is hardly a new phenomenon. Those who know the history of the insurance industry will remember many other examples including Michael Bright’s Independent Insurance and HIH; some memories will go back as far as Emil Savundra’s Fire Auto & Marine in the 1960s. Analogous ‘financial irregularities’ regularly occur in other sectors.
An important pointer can be found in 'Roads to Ruin' the seminal Cass Business School report for Airmic and in Reputability’s follow-up report 'Deconstructing Failure'. The root causes of almost all the catastrophes studied emerged from human behaviour and the way in which humans are organised within a firm – behavioural risks and organisational risks or ‘people risks’ for short. These include people risks right up to people at board level.
Unfortunately it has recently become clear that conventional risk frameworks, including the ubiquitous ‘three lines of defence’ approach, provide no systematic defence against people risks. They just don’t go there. This is partly because conventional risk management hasn’t evolved far enough. But it’s also because the area is far too dangerous for anyone below board level to delve into.
As the Parliamentary Commission on Banking Standards put it, the officially approved and widely used ‘Three Lines of Defence’ approach gives firms ‘a wholly misplaced sense of security’.
The Financial Reporting Council is one of many regulators that has tuned into the importance of behavioural and organisational risks. Their latest proposals require companies explicitly to disclose and describe significant risks with their origins in behavioural and organisational issues; and they list dozens of practical questions for boards to ask themselves about behavioural and organisational risks. The aims are to help boards oversee the practicalities of managing such risks below them and to recognise that such risks surround and permeate boards themselves.
RSA's crisis provides a timely warning to all boards. Few if any risk management systems have behavioural and organisational risks systematically in their sights let alone under control. These potentially devastating risks are unrecognised and thus unmanaged.
Boards need to gain a deeper understanding of the underlying issues before they can lead their risk teams in the right direction to bring these dangerous risks under control. Board leadership is essential. Specialist education for boards is the first step.