Strengthening risk culture: going beyond policies

Jana Zaaiman, Head of Insurance, Masthead, South Africa

Across the insurance industry, significant progress has been made in strengthening governance structures, regulatory compliance and risk management frameworks. Yet despite increasingly sophisticated policies and controls, insurers continue to face conduct failures, operational breakdowns and transformation challenges.

In many cases, the issue is not the absence of frameworks, but the absence of a strong risk culture that is consistently reflected in everyday decisions and behaviours.

Strong frameworks provide structure and direction, but they do not determine how people behave when faced with pressure, competing priorities or difficult decisions. Ultimately, it is the quality of day-to-day decisions across the business that determines whether risk is managed effectively and whether long-term sustainability can be achieved.

What risk culture looks like in practice

Risk culture goes beyond documented policies and formal governance processes. It is reflected in how people think about risk, how openly concerns are raised and how decisions are made when commercial pressures arise. It becomes visible in everyday activities such as underwriting decisions, claims handling, product design and the escalation of issues.

When risk is truly integrated into an organisation, it becomes part of normal business conversations rather than a separate compliance exercise. Employees understand not only what is permitted under policy, but also what aligns with the insurer’s values, long-term sustainability and obligations to policyholders.

For example, an underwriter may identify concerns about pricing discipline or the risk profile of a client, but still approve the business because they believe leadership is more focused on meeting growth targets than maintaining underwriting standards. Similarly, claims staff may hesitate to escalate concerns if previous challenges were dismissed as creating unnecessary delays or operational friction.

These everyday decisions and behaviours are where risk culture becomes visible in practice.

Bridging the gap between policy and practice

One of the biggest challenges insurers face is translating defined risk appetite into day-to-day decision-making. Many insurers have clearly defined risk appetite statements, but these are often difficult to apply in practical situations.

Underwriters, claims teams, product specialists and distribution partners may struggle to translate high-level risk metrics into operational decisions. In practice, employees often take their cues from what leadership rewards – and what it is willing to overlook.

Where growth targets, turnaround times or short-term profitability are prioritised without equal emphasis on risk quality, behaviours can gradually drift beyond the organisation’s stated risk appetite. This disconnect between policy and practice often becomes evident through routine underwriting exceptions, delayed escalation of concerns or controls that are bypassed to avoid delays.

In these situations, risk appetite exists as a reference document rather than a practical decision-making tool.

The role of behaviour and accountability

Behavioural risk plays a significant role in shaping outcomes. Employees are strongly influenced by leadership behaviour, incentives and organisational pressure. Where performance measures focus primarily on volume, growth or short-term financial outcomes, employees may feel encouraged to push boundaries or avoid escalating issues that could affect performance.

This is why accountability is so important. Effective risk cultures are built when individuals and teams understand that managing risk is inseparable from running the business. Accountability should extend beyond financial performance to include the quality of decision-making, adherence to risk appetite, and the way risks are identified and escalated.

Leadership behaviour is particularly important in reinforcing these expectations. Employees pay close attention to how leaders respond when difficult trade-offs arise. When leaders consistently support prudent decision-making, even when it comes at a short-term commercial cost, it sends a powerful message that risk management is a genuine organisational priority rather than simply a compliance requirement.

Embedding and measuring risk culture

Embedding risk into the business also requires alignment across all levels of the organisation. Risk culture weakens when boards emphasise long-term sustainability while operational teams experience pressure to prioritise short-term performance at all costs. Consistent messaging, aligned incentives and clear decision-making responsibilities are essential to ensure that risk expectations are reinforced throughout the organisation.

Importantly, insurers should not assume that risk culture cannot be measured simply because it relates to behaviour. While culture may not be directly quantifiable, there are clear indicators that provide insight into whether risk is truly embedded. These include the quality and timeliness of issue escalation, recurring policy overrides, staff willingness to speak up, root-cause analysis following incidents and the consistency with which controls are applied across business units.

Ultimately, insurers that succeed in strengthening risk culture understand that risk management is not something that sits alongside the business – it is part of how the business operates every day. Strong policies and governance structures remain essential, but without a culture that consistently reinforces prudent behaviour, even the best-designed frameworks will struggle to deliver the intended outcomes.