Transforming risk culture from the bottom up: A global insurance provider’s RCSA journey

A leading global property and casualty insurance provider set out to transform its risk controls as part of an ongoing effort to promote a culture of excellence. Siloed knowledge of operational risk and controls made it difficult for the organisation to improve quality and compliance. Establishing awareness of vulnerabilities and mitigation protocols across the organisation would boost regulatory compliance, employee productivity, customer retention and cost efficiencies.

To remove the silos and bridge knowledge gaps, the organisation chose to conduct a risk and control self-assessment (RCSA), a standard tool in the banking and insurance industries for determining the effectiveness of risk management and controls by leveraging collaboration across functions to understand risks, evaluate risk mitigation and identify areas for process improvement.

There was a challenge, however: Insurance company RCSAs are typically high-level exercises and aren’t conducted at the depth and granularity that the organisation required to help drive a risk and control transformation. Further, no one at the insurance company had ever participated in, much less planned or led, an RCSA. And the planning and project management would be considerable, given that the assessment would need to cover the company’s entire value chain and operations spread across numerous countries. The company turned to Protiviti because of its expertise in the insurance industry and business process improvement.

Breaking down the breakdowns

A Protiviti team of a dozen subject matter experts prepared for the project along several lines. The team worked with the company to develop a change management plan, including comprehensive internal communications. More than 250 first-line personnel and managers representing a range of responsibilities and perspectives were identified to participate in the project.

The Protiviti team drew on its knowledge of the industry and the company’s operations to develop a customised RCSA framework. This process entailed examining the company’s recent internal and external audits, compliance reviews and risk and control performance metrics to understand the company’s existing risk and control culture and practices. The Protiviti team used this insight to create and test a suite of employee training materials across functions.

With this foundation, the Protiviti team guided the company through the RCSA process. Protiviti planned and facilitated a series of whiteboarding sessions over a six-month period with representative groups across the company’s value chain, including the pricing, underwriting, distribution, and claims functions. During the sessions, each group identified the areas in their function where human error or process breakdowns could have a significant negative impact, as well as the controls in place to help prevent those breakdowns from occurring.

Because the whiteboarding sessions systematically explored the company’s underlying processes, the company was able to achieve a realistic and holistic view of operational risks and controls. The Protiviti team worked with the company to aggregate the findings into an enterprise risks and controls map, identifying risks in certain functions that could trigger or magnify risks in others.

Protiviti met with the company’s senior leadership and the functional leads to discuss the extent to which risk and control was integrated into decision making and the management of the company. As part of these interactions, Protiviti helped leadership review and optimise its risk tolerance framework and validate the effectiveness of its controls. The Protiviti team then held workshops with the executives who would be monitoring the controls and collecting data over a three-month testing period.

At the conclusion of the testing period, Protiviti aggregated the data and combined it with the qualitative findings from the whiteboarding sessions to identify gaps and weaknesses.

Delivering value by uncovering risk

The RCSA process uncovered opportunities for process improvement that exceeded the company’s expectations: Dozens of risk areas across the organisation were targeted for remediation. As it was based on an examination of actual practices, the RCSA captured many of the risks and weaknesses that likely would have been overlooked by traditional evaluation methods, such as Own Risk and Solvency Assessments (ORSA), financial statement audits or control reviews. Protiviti worked with the company over several months to plan and implement the improvements, which included redesigning processes to minimise risks and effectively tripling the scope of the company’s risk control framework.

Beyond those benefits, the RCSA resulted in transforming the company’s culture. Employees across the organisation adopted heightened risk awareness in their day-to-day tasks and a renewed appreciation of operational best practices for mitigating those risks. Risk awareness and mitigation became an integral part of employee job descriptions.

The RCSA soon became a standard component of the company’s annual operational risk management plan, which allowed the company to maintain a strong risk culture in the face of employee turnover, regulatory changes and new processes and products. Each year, personnel have become more experienced in RCSA planning and managing. By the last year of Protiviti’s three-year engagement, the company had taken ownership of the RCSA process, with only a three-person Protiviti team remaining to advise.