International Review of Financial Analysis Should the insurance industry be banking on risk escalation for solvency II?

Basel II introduced a three pillar approach which concentrated upon new capital ratios (Pillar I), new supervisory procedures(PillarII)anddemandedbetteroveralldisclosuretoensureeffectivemarketdisciplineandtransparency. Importantly, it introduced operational risk as a standalone area of the bank which for the ﬁ rst time was required to be measured, managed and capital allocated to calculated operational risks. Concurrently, Solvency II regulation in the insurance industry was also re-imagining regulations within the insurance industry and also developing opera- tionalriskmeasures.GiventhatBaselIIwas ﬁ rstpublishedin2004andSolvencyIIwassettogoliveinJanuary2014. ThispaperanalysesthestrategicchallengesofBaselIIintheUKbankingsectorandthenusestheresultstoinforma survey ofamajorUKinsuranceprovider.WereportthattheeffectivenessofBaselIIwasbasedaround: thereliance upon people for effective decision making; the importance of good training for empowerment of staff; the impor- tance of Board level engagement; and an individual's own world view and perceptions in ﬂ uenced the adoption of an organizational risk culture. We then take the ﬁ ndings to inform a survey utilizing structural equation modelling to analyze risk reporting and escalation in a large UK insurance company. The results indicate that attitude and un-certaintysigni ﬁ cantlyaffectindividual'sintentiontoescalateoperationalriskandthatifnotrecognizedbyinsurance companies and regulators will hinder


Introduction
During the 1970s and 1980s the banking industry, in the UK and globally, experienced a sea change with regards to banking theory, practice and regulation. These changes can be traced back as far as the liberalization of the banking and financial markets throughout the 1970s and the encroachment on each other's traditional business lines during the early 1980s. In the context of these changes, governments and regulators were keen to ensure the 'prudent behaviour' of banksas defined in regulation. Here, the importance of capital was the focus of one the first widely accepted international codes in bankingthe Basel I Accord 1988recognizing the importance of levels of capital held by banking institutions in creating confidence in the sector and staving off bank collapses. Likewise, European regulators had also recognized the importance of capital in the insurance industry with some form of capital requirements being in place since the 1970s under Solvency 1 requirements.
Yet, from its implementation, Basel I was already considered inadequate to control for the changes occurring in bank operations in both its calculations of 'capital adequacy' and its ability overall to capture the right metrics to reduce risk within the industry. It was argued that it focused too much upon credit risk, only acknowledging that "other risks … need to be taken into account" (BCBS, 1998 p.1). In light of this, the Accord was amended to include market risk in 1996 and throughout the 1990s, the Basel Committee worked on introducing a replacement in the form of Basel II.
Basel II was a major gear change for the sector, focusing on key areas in bank operations and improving capital allocations for credit and market risk (for example see Jobst, 2007;Rowe, Jovic, & Reeves, 2004;Santos, 2002;Power, 2005). Significantly, for the first time, it also introduced metrics that considered 'operational' risk as distinct from financial risk (usually encompassing liquidity, credit, interest rate and market risk) and required banks to provide capital for operational risk. Operational risk is defined as 'the risk of loss arising from inadequate or failed internal processes, or from personnel and systems, or from external events' (CEIOPS, 2009 p5). The impact of the Basel II guidelines and the rush to be Basel II compliant cannot be overemphasized and has brought about the rise of operational risk management as a standalone risk within financial institutions. Importantly, banks had to consider how to efficiently implement operational risk management in order to comply with Basel II and signal to domestic and international markets and regulators that they were an effective, efficiently operated institution.
As a result, the banking industry undertook much soul searching during the 2000s in order to discover the most appropriate ways to implement and comply with the Basel II requirements. This forms the basis of the first stage of the paper which investigates and identifies the key challenges in the implementation of Basel II and how these were addressed. We then extend our analysis based on our findings from Basel II implementation in the banking industry to examine the implementation of Solvency II in the insurance industry, which is often referred to as the Basel II for insurance companies. Solvency II was to be introduced in January 2014 but has been delayed due to implementation issues, therefore the timing of such a cross-industry investigation could not be better.
The paper is structured as follows. In the next section the paper discusses the rise of operational risk as an important element of managing risk in the banking and insurance sectors, and draws attention to the management of that risk through the structure of the three lines of defence. This is followed by a description of the methodology employed in our primary research and a discussion of the results. The paper concludes with limitations and areas for future research.

Banking, insurance and regulatory compliance
Banks and insurance companies dominate the UK financial services industry. At the beginning of this decade, the major British banking groups held £678bn of households assets in the form of personal deposits and savings and the UK insurance market was the largest in Europe, contributing £10.4bn in taxes, with 74% of all households in the UK using home contents insurance (ABI, 2011;BBA, 2012). Importantly, the two sectors are both dominated by the management of risk in their daily operations (Al-Darwish, Hafeman, Impavido, Kemp, & O'Malley, 2011;Geneva Association, 2010). Insurance company risk is linked to their ability to assess the 'correct' premiums and manage the volatility of their investments on the financial markets. (Geneva Association, 2010;Hoffman & Lehman, 2009). In contrast, banks are more exposed, as deposit takers, to liquidity risks and as lenders to credit risk (loans can account for over 60% of a UK retail banks balance sheet, see individual UK Bank annual reports) as well as undertaking extensive asset transformation (Gatzert & Wesker, 2012;Lehman & Hoffman, 2010). Nevertheless, both sectors are involved in assuming risk, risk transfer and risk management. Clearly, both sectors will also encounter similar types of daily operations in their businesses, and will share similar problems. As a result, the experience of operational risk management and compliance issues encountered in the banking sector can be extrapolated to aid operational risk management and compliance in the insurance industry.
Here, the three Pillars of Basel II (and more recently Basel III) are important. They concentrate upon capital ratios (Pillar I), supervisory procedures (Pillar II) and demand better disclosure to ensure effective market discipline upon, and transparency of, risk management practices (Pillar III). Yet the requirement to treat operational risk as a unique and distinctive risk discipline has posed difficulties of definition, implementation and strategic planning and created a major operational challenge for banks around the globe (see Bryce, Webb, & Adams, 2011;Cruz, 2004). It has been a particular issue when accounting for operational risk in capital allocations in relation to what are considered volatile and difficult to predict upstream risk events (see for example Cruz, 2002;Power, 2005). More specifically, the challenges of modelling operational risk in an environment with little historic data and applying a metric for risk capital means banks have often been torn between a focus on Pillar 1, which is quantitatively focused, and Pillar 2, which is more qualitatively focused (Bryce et al., 2011;Cruz, 2002;Hoffman, 2002). Similar issues arise in the international insurance industry, where operational risk compliance poses one of the largest current issues for insurance companies. Insurance regulators are cognizant of the learning experiences of the banking sector, and that operational risk management remains under development. However, Warrier (2007) and Flamee and Windels (2009) believe there are indications that insurance companies, with the historical experience of the Basel II compliance process in banks, may well find compliance with Solvency II less problematic. Importantly, more research in both sectors may enable this process.
Certainly, there are indications that the design of Solvency II has benefitted from banks' experience of Basel II; for example, in the adoption, as with Basel II, of a hybrid internal approach to the measurement of operational risk. Nevertheless, like banks, this approach has been limited by the expected lack of credible data and a lack of robust management infrastructure within Pillar 2 of the operational risk control/ assessment frameworks of insurance companies (Bryce et al., 2011;CEIOPS, 2009). There is also commonality in how regulators of both industries approach the measurement of risk exposures within the business environment. For example, they both prescribe a risk-based approach using a choice of internal or standardized minimum capital/ solvency requirements. This flexibility to self-regulate (Young, 2012;Young, 2013) by choosing your own internal measures recognizes the debates taking place across both industries regarding which models and statistical approaches are best suited to manage operational risk. It remains an important issue, as research by, amongst others, Cruz (2002), Frachot and Roncalli (2001), Frachot, Moudoulaud, and Roncalli (2003) and Davis (2006) provides clear empirical evidence suggesting a wide variance in the capital required depending on the selection of the approach taken.
Further, Bryce et al. (2011) have argued that a number of key challenges remain for regulatory operational risk modelling; including the collection, availability, frequency and quality of data as well as the suitability of historic losses as predictors of the future (CEIOPS, 2009). At the same time, qualitative assessments have a key role to play, and Solvency II (learning from Basel II) establishes a set of minimum requirements designed to ensure the validity of these internal risk assessments as inputs to the capital calculations (see BCBS, 2005;CEIOPS, 2009;Cruz, 2004;Davis, 2006;Frachot & Roncalli, 2002;Hoffman, 2002). Thus the CEIOPS, 2009 Directive, article 44 states: Insurance and reinsurance undertakings shall have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report on a continuous basis the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies.
Solvency II regulation also includes requirements for institutions to address the issue of scenario analysis, which in turn raises questions around judgement, and particularly the use of expert judgement, in the validation of risk assessment and model outputs (see Hall, 2006;O'Brien, 2011;Rosqvist, 2003;Tversky & Khaneman, 1971). Importantly, regulators intend to apply a "use test", similar to Basel II, to the Solvency II framework to assess how well it is understood, applied and owned throughout insurance companies. Here, it is clear that organizations must learn from operational risk events, and both their own and others experiences.
Overall, past research indicates strong agreement on the actual operational risk framework that should be implemented to manage operational risk (see Alexander, 2003;Cruz, 2004;Davis, 2006;Hoffman, 2002), although Cruz (2004) and Blunden and Thirwell (2010) both highlight the importance of the environment into which the framework is launched and how fully implementation is achieved. In this regard, Waring and Glendon (2001) and Chang (2001) note that the key to successful implementation is the strength of the operational risk culturesomething which is fundamental to the research undertaken in this paper. Here, we will be guided by the definition provided by the Institute of risk management, which defines risk culture as: the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization" (IRM, 2012 p12). Lavida and Garcia (2006) suggest that risk culture will be a major strategic challenge that confronts all institutions, which is of particular importance in this context as Davis (2006) and Waring and Glendon (2001) both suggest that the culture of risk management within an organization may affect the collection and processing of loss data.
All of this, in turn, highlights the importance of qualitative management as the foundation for quantitative assessment, and both will use the base data of the outputs from control frameworks, corporate knowledge and history as reference points (Tversky & Khaneman, 1971). With this in mind, it remains surprising how little of the literature discussing the implementation of the qualitative Pillar 2 requirements of Basel II/III or Solvency II refer to the accepted management sciences related to strategy, leadership and change management (for example Porter, 1995, 1996or Mintzberg & Quinn, 1996 or in the context of operational risk Bryce et al., 2011). The majority of good practice in the literature emphasizes process, methodology and adding value when executing the implementation of key regulatory projects (Alexander, 2003;Cruz, 2004;Davis, 2006;Wilson, 2006).
In terms of the management of risk, the three lines of defence hierarchical structure for the management of operational risk (IOR, 2010) details common guidelines for the governance of operational risk management within financial institutions (Bryce, Webb, & Cheevers, 2013). As previously stated, although the business models of insurance companies and banks may differ, the fundamentals of operational risk governance and internal control frameworks remain comparable. This can be seen, for example, in the implementation of a more robust three lines structure by Mitsui Sumitomo Insurance Company required as a consequence of a Financial Services Authority (FSA) investigation into ineffective corporate governance within the institution (FSA, 2012).
The first line of defence involves day to day risk management at the operational level, in accordance with agreed risk policies, appetite and controls. Yet, it is the execution of these policies, processes, procedures and controls as set out by the second line of defence which the first line of defence has difficulty implementing into their 'business as usual' activities (Bryce et al., 2011(Bryce et al., , 2013. Previous literature has highlighted education and training, blame culture, and lack of understanding, as key elements which affect the ability of staff in the first line of defence to engage in operational risk management (Bryce et al., 2011(Bryce et al., , 2013Power, 2007;Wahlstrom, 2006).
It is for this reason that this paper will investigate the effectiveness of this first line of defence within a UK insurance company's call centre environment as they move towards Solvency II. In order to achieve this, and recognizing that, in implementing Solvency II, insurance companies may learn from the difficulties experienced by UK banks in developing effective strategies to ensure full compliance and sustainability, we will first develop a more in-depth understanding of the issues surrounding Basel II implementation within a Major British Banking Group.

Methodology
The current research targets the dearth of research in the area of operational risk implementation within financial institutions. We begin with a qualitative approach focusing upon a major British banking group and key external stakeholders as it moved towards advanced Basel II complianceundertaking twenty thematic interviews and four additional 'in-depth' semi-structured interviews with UK bank executives. The key findings of this phase of the research are reported in this section and inform the development of the second stage methodologya survey undertaken at a large UK insurance company to help inform Solvency II implementation to which we received 111 (n = 111) completed responses. The survey was designed to utilize structural equation modelling which is presented in the proceeding section (see Pearl, 2000). Our approach as depicted by Fig. 1 below looks like this: Our survey follows the innovative approach of Elbanna, Child, and Dayan (2013) undertaking the survey within a large provider of insurance, 1 offering customer services as well as insurance sales products via three call centres and reported total revenue of over £40 million for the period 2012/2013. In order to maximize the response rate the survey was distributed via the company's intranet and the insurance company gave employees 20 min to complete the survey. This contributed to a healthy response rate of 44% which compares well to other survey response rates (Hsu & Chiu, 2004;Poulter, Chapman, Bibby, Clarke, & Crundall, 2008). Table 1 shows our descriptive statistics.

Stage one: qualitative study
Following the method generally considered to be the most appropriate to gather data on processes and decision-making within companies (Gummesson, 2000) and congruent with the sample size utilized in previous research in the area (for example see Bryce et al., 2011;Wahlstrom, 2006) our qualitative research was conducted in two phases: twenty thematic interviews within a major UK commercial bank followed by four in-depth interviews with major stakeholders of the UK Basel II implementation process.
In line with Lincoln and Guba (1985), Denzin and Lincoln (1994) and O'Loughlin, Szmigin, and Turnbull (2004) a semi-structured approach was used to maximize the depth of analysis with each individual. The four in-depth interviews were then conducted which probed deeper into areas of interest that the thematic interviews brought to our attention in line with the work of Barritt (1986), Sykes (1990) or O'Loughlin et al. (2004. Such purposive sampling allows flexibility and manipulation of themes of particular interest to our research questions (Glaser & Strauss, 1967). The selection of these participants included a senior FSA regulator during the development of Basel II for the UK, a 'grey panther' for the FSA, the global head of another Major British Banking Groups Operational Risk Consultancy arm, and finally the Chief Risk Officer of another Major British Banking Group. The objectives of the interviews were to: 1. identify the key challenges in the Basel II AMA Pillars 1 and 2, and how these were being addressed; 1 We cannot name the financial institution due to a confidentiality agreement. 2. critically analyse the requirements of implementing an operational risk framework for Basel II Pillar II; 3. generate specific items for the development of scales for stage 2 survey.
The key outcomes from this initial qualitative stage of the research emerged within the following themes: • reliance upon people for effective decision making; • the importance of good training for empowerment of staff; • the importance of Board level engagement; • an individual's own world view and perceptions influenced the adoption of an organizational risk culture.
The respondents highlighted the importance of a top-down approach to the management of the Basel II compliance, engaging 'decision making echelons' to more effectively embed processes, procedures and techniques (see also Mikes & Kaplan, 2013). Retrospectively, it is these 'decision making echelons' that have been targeted by UK regulators as to the root cause of the most recent banking crisis, in the form of poor governance (see Power, 2011or Young, 2012. Although the debate between the importance of Pillar 1 and Pillar 2 featured prominently within the qualitative data, it was evident that in the regulators development of the 'use test' they were focusing upon effective management of the firm. It seems they have a belief that somehow the implication of a 'use test' will actually make it clear that it is 'how you run your business' that remains paramount. Following the regulators public exhortations and their desire to see the models forming part of the decision-making process, we found that management were required to place the models in the context of the organization and both understand their importance and obtain employee buy in (see BCBS, 2006;Leech, 2002). However, it was emphasized that it is the employees and the 'people' within the organization which were considered most important in this context, for example, our initial research identified the role that human nature plays in creating errors and reporting them in the first line of defence. This concurs with previous research by Bryce et al. (2011Bryce et al. ( , 2013 or Wahlstrom (2006) who report that a 'no blame' pro-active risk culture will involve top level buy in, and more importantly bottom level understanding. Our research in this phase of our investigation found that "how well and how far down the organization has the framework been implemented?" was a key concern for regulators, which again is consistent with Bryce et al. (2011) and Wahlstrom (2006). However, in contrast to the academic literature of Chernobai, Jorion, and Yu (2011) or Guegan and Hassani (2012) which focuses on the importance of measuring operational risk in Pillar 1, it was clear from our Stage 1 results that Pillar 2 and the effect that implementation has on 'employees' was a more urgent priority in order to safeguard and mitigate operational risk. That is not to say that the measurement of operational risk is not relevant, as there was general agreement from all the participants that the "modelling of risk must form part of any risk management technique". Importantly, in banks, it is widely acknowledged that operational risk manifests itself primarily within the operations level (the first line of defence). However if the second line of defence are not made aware of a risk occurring via an effective escalation process filtered through employees within business operationsmeasurement quickly becomes inconsequential (Bryce et al., 2011(Bryce et al., , 2013Wahlstrom, 2006). This conceptual understanding of the operational risk escalation protocol within banks also holds true for insurance companies. It is this very 'risk event' reporting which has been highlighted by the IRM (2012) as a key indicator to a successful risk culture which has become considered to be the most effective tool of risk management (IIF, 2008). It is therefore natural to assume how and what employees consider the difficulties and aids in escalating operational risk events will be an appropriate fundamental starting point for assessing "how well and how far down the organization has the framework been implemented" from a Solvency II perspective as outlined by CEIOPS (2009, Article 44). These findings inform the development of Stage 2 of our methodology.

Stage 2: development of the conceptual protocol model
Our Stage 2 model is based on the contention that uncertainty and attitude will impact on the intention of an operative in the first line of defence to escalate operational risks to the second line of defence of an insurance company. We use the definition of risk escalation as outlined by Bryce et al. (2013, p298): "the internal process by which real or potential operational risks are reported in a manner that complies with agreed institutional policy". The use of intention as a measure of potential behaviour is based upon an approach informed by the Theory of Reasoned Action, Theory of Planned Behaviour and the more recent Technology Acceptance Model (Ajzen, 1988(Ajzen, , 1991Bryce et al., 2013;Hsu & Chiu, 2004;Lin, 2010).
We define uncertainty as a condition where the availability of information deviates from the ideal situational state by which to make a decision (see Daft & Lengel, 1986;Lipshitz & Strauss, 1997;Milliken, 1987;Shiu, Walsh, Shaw, & Hassan, 2011). Such interpretation of uncertainty can be considered either uni-dimensionally (Koufteros, Vonderembse, & Jayaram, 2005;Lanzetta, 1963) or multi-dimensionally (Shiu et al., 2011;Urbany, Dickson, & Wilkie, 1989) and builds upon the methodological work of Bryce, Webb, and Watson (2010), Bryce et al. (2013). Further, this investigation of the effects of employee uncertainty provides cross-industry applicability, as the requirement of Pillar 2 of Solvency II will inevitably lead to the requirement of staff in the first line of defence to address new processes and procedures.
As highlighted by the Stage 1 qualitative research, during Basel 2 roll-out, if implementation at the lower levels of the organization is not performed correctly it can lead to a situation where the availability of information deviates from the ideal. As such, Stage 2 takes this into consideration and investigates uncertainty in the intention to escalate operational risks using a uni-dimensional scale grounded in the disaggregated constructs as highlighted originally by Urbany et al. (1989).
For purposes of hypothesis development, Fig. 2 depicts our conceptual model. Standard statistical methods were used to test the conceptual model and Confirmatory factor analyses (CFAs) were conducted to ensure the survey items used were measuring the underlying latent constructs of attitude, uncertainty and behavioural intention. In addition, structural equation modelling (SEM) was implemented to test the relationships between the constructs and the fit of the hypothesised conceptual model as a whole, due to its ability to consider a number of regression equations simultaneously. Previous studies that have added to the finance literature using this method include the areas of mobile banking adoption (Gu, Lee, & Suh, 2009;Luarn & Lin, 2005), Insurance purchasing behaviour (Hellier, Geursen, Carr, & Rickard, 2003), Firm Capital structure (Baranoff, Papadopoulos, & Sager, 2007), and Financial services trust (Malaquias & Hwang, 2016). The use of SEM in this current study is further supported by its ability to determine the dynamically interactive relationship between the variables as outlined below in Fig. 2. CFA and SEM were undertaken via AMOS 20, with descriptive analysis provided by PASW 18. We utilize a number of hypotheses: H1. Uncertainty negatively affects intention to escalate operational risks.
The formalized procedures of staff training and professional development have been outlined in Stage 1 as a critical factor in the empowerment and effectiveness of staff to manage operational risks. Previous research considered this within banking, with the most recent studies alluding to education and training incentivizing staff to escalate events due to increased participant's certainty and awareness of the area (see Blunden & Thirwell, 2010;Bryce et al., 2011;IRM, 2012;Mikes & Kaplan, 2013;Power, 2005). Further, the IRM (2012) highlight the importance of risk management skills development and technical training as pertinent to an effective risk culture. This informs our second hypothesis: H2. Staff training has a negative effect upon employee uncertainty.
The role of attitude and more specifically attitudes towards behaviour has also been widely acknowledged as an important precursor to actual behaviour in the literature. Within the banking industry employee attitudes in driving what is now considered 'risk culture' has received significant attention both in policy and industry best practise (by amongst others Ashby, Power, &Palermo, 2012 andthe IRM, 2012). The IRM (2012) study further states that from the perspective of financial services risk attitude: 'is the chosen position adopted by an individual or group towards risk, influenced by risk perception and predisposition' (p7). To place this in the context of the current study, if a key indicator of good risk culture involves risk escalation, then positive attitudes towards that behaviour would increase intention to escalate operational risks. This therefore informs our third hypothesis: H3. Attitude has a positive effect on intention to escalate operational risks.
We test whether a significant negative relationship between uncertainty and attitude exists, which goes much further than the IRM (2012) suggestion that 'perception' and 'pre-disposition' explain development of attitudinal constructs of risk behaviour. We contend that: H4. Attitude and uncertainty are significantly negatively related to each other.
With these hypotheses in mind Table 2 below lists the final survey questions used to measure each latent construct, in the interests of brevity a full copy of the survey is available on request. All the questions were pseudo-randomly mixed together in line with Poulter et al. (2008) to reduce respondent bias.

Measurement model
The measurement model was evaluated for reliability, convergent validity and discriminant validity of the three constructs included in our model. Confirmatory factor analyses offered strong support that the survey items measured the hypothesised latent constructs of uncertainty towards risk reporting, attitude towards risk reporting, and behavioural intention to report risks. As can be seen by Table 2 above, all constructs are above 0.7 in relation to construct reliability thus indicating a good fit. Convergent validity was assessed in line with the two criteria set out by Fornell and Larcker (1981) with all factor loadings exceeding 0.7 and average variance extracted (AVE) for each construct exceeding the variance due to measurement error for that construct (that is it should exceed 0.5). Discriminant validity was also examined and accepted using the Fornell and Larcker (1981) test of AVE exceeding the squared correction between that and any other construct. In conclusion the measure for each latent construct satisfies construct validity in this current research context. Table 3 indicates that all hypothesised pathways as outlined in Fig. 2 were significant (p b 0.05) with attitude displaying the largest effect on operational risk escalation intention. The model was tested for goodness of fit with Χ 2 29.837 (p = 0.19), RMSEA = 0.047, CFI = 0.992, and NFI = 0.963. With goodness of fit tests exceeding all their common acceptable levels the model is considered an excellent fit to the data (see Barrett, 2007;Hooper, Coughlan, & Mullen, 2008;Hu & Bentler, 1999;Steiger, 2007). The explanatory power of the research model is also identified with R 2 of 0.506, thus suggesting that both attitude towards risk escalation behaviour and uncertainty account for over 50% of the variance in intention to escalate operational risks within the call centre environment.

Discussion
As previously theorized by Urbany et al. (1989) and Shiu et al. (2011) uncertainty affects intention to enact a behaviour. Our results suggest that where the availability of information deviates from the ideal situational state by which to make a decision the intention to escalate operational risk events deteriorates thus we accept H1. We therefore find, in line with the IRM (2012) that given the importance of risk escalation as an indicator of strong risk culture those institutions that can minimize this 'uncertainty' may well increase the number of events escalated within their organization. This inevitably has important consequences both for risk management, but also for overall performance as early detection and escalation is critical to the minimization of loss of earnings as also reported by Bryce et al. (2011Bryce et al. ( , 2013. This process of what Cooke (2003) refers to as 'incident learning' by risk managers within the organization can only ever be improved by ensuring events do not go unchecked or unnoticed in the first line of defence, which in this current study was the financial institution environment. Interestingly, within this first line of defence no significant differences exist between employee hierarchy in relation to attitudes or intention, however, a significant difference emerges in relation to the construct of uncertainty. Unsurprisingly call centre associates reported significantly higher scores on the uncertainty scale (M = 3.79, SD = 1.39) than call centre managers/team leaders, given that managers will be more accustomed to dealing with multiple events from associates (thus reducing uncertainty|) as they are one level above them in the reporting hierarchy (M = 3.09, SD = 1.17; t(99) = 2.44, p = 0.02). It is reassuring to observe a lack of divergence in attitude and intention between managers and their subordinates albeit not uncommon in the behavioural literature (Burks & Krupka, 2012;Krupka & Weber, 2009). Such a divergence could have indicated a lack of consistency in not only the treatment of risk events should they occur, but also in how managers and their subordinates consider the importance of reporting of risk within their work environment. It is this consistency in the values and beliefs around risk, between and across hierarchical structures, that is key to the fostering of an effective risk culture (IRM, 2012).
It has been widely recognized that employee training and professional development are critical to escalation and we report a negative and significant relationship (Spearman's rho, −0.68 p b .01) between level of agreement with the question 'the education and training that have been provided enables me to better report operational risk losses/events' and the latent construct 'uncertainty', thus we accept H2. The importance of on-going training to reduce uncertainty is evident in our current study, independent samples T-tests identified that there were no significant differences between job length and attitude and intention, but significantly higher levels of uncertainty were found in staff who had been working in their job for less time. The analyses indicates that those employees who have been working in their job for three years or less scored higher on the uncertainty scale (M = 3.86, SD = 1.37) than those working there for over three years (M = 3.10, SD = 1.22; t(99) = 2.82, p = 0.006).
In itself this result around 'tenure' and its importance to training may seem irrelevant, however the behavioural work of Blau (1960), van Maanen (1975), De Cooman et al. (2009, and Moynihan and Pandey (2007) suggests that altruistic and pro-social behaviours (in this case risk escalation intention) should decline with tenure within organizations. Given the nature of the continual training specific to risk within the workplace under investigation it is evident that this pro-social decline with tenure is unsubstantiated. In fact, as an employees tenure increases so does the amount of training they receive, thus reducing their uncertainty around risk escalation as it becomes a normative response derived from training supporting previous research (Bryce et al., 2013;IRM, 2012;Mikes & Kaplan, 2013;Power, 2005). It is not surprising that in other sectors, such as aviation, inappropriate or lack of training can be considered a precondition to unsafe acts when retrospectively forensically examining air accidents (see Olsen & Shorrock, 2010). We report that the same conditions apply in the insurance industry, particularly training outside the remit of their main duties, which in the call centre environment involves primarily sales, to improve the risk culture within those organizations. If financial regulators are increasingly interested in the 'breadth and depth of understanding of risk management' within organizations (as outlined in the Stage 1 interviews of this current study) then it will be important that training reflects this, especially if it reduces risk 'uncertainty' within a workforce as is the case in this current study.
As regards 'risk culture' receiving increased attention from institutions, the analysis of underlying attitudes that cultivate and foster positive behaviours and risk culture was important. As expected in H3, positive attitudes towards the escalation of operational risk events significantly affect intention to escalate operational risks. However the contention that 'risk perception' and 'pre-disposition' are the fundamental antecedent factors that affect attitude as outlined by the IRM (2012) fails to take into account the interrelationship of uncertainty as witnessed by the acceptance of H4 (r = −4.74, p b 0.05). This is of particular importance given the reality of working environments, as the 'awareness-based' detection (see Kontogiannis & Malakais, 2008) that is required for risk escalation clearly has at least one other significant and negative factor (uncertainty).
This could reduce attitude which is unique from 'risk perception' and 'pre-disposition' as outlined by the IRM (2012). The relationship as outlined in Fig. 2, albeit interesting, led the study in an unintended direction. From the survey it was revealed that a subset of questions as outlined below in Table 4, now baptized 'risk integrity' (Cronbach alpha = 0.754) was found to be a strong predictor of positive attitude (Beta = 0.459, p b .001) and Uncertainty (Beta = −0.497, p b .001) in their duties towards risk escalation. This is the first time, to the authors' knowledge, that a construct internal to the employee has been developed and tested which can predict traits that may be beneficial in the creation of a risk culture and management of risk by financial institutions.
The intrinsic motivation to learn about risk, willingness to exert effort to report risk, and the pride that an employee has in there risk management track record would appear to be traits that are conducive to the development of improved 'overall risk management capability'. As Wildavsky (1988) suggests: improvement in overall capability, i.e. a generalised capacity to investigate, to learn, and to act, without knowing in advance what one will be called to act upon, is a vital protection against unexpected hazards" (p.70).
With this in mind, future research investigating this 'risk integrity' concept could prove useful not only in employee recruitment but also in evaluating the effectiveness of organizational risk learning and development programmes pre/post their completion. We believe this construct aligns closely to what Arnaud and Schminke (2012) refer to as 'collective moral emotion' and could pave the way for the development of an even deeper insight into the behavioural norms and peer effects (Ahern, Duchin, & Shumway, 2014;Gino, Ayal, & Ariely, 2009;Mazar & Ariely, 2006) that surround risk management within organizations.

Conclusions
The paper followed a mixed-methods design in an interesting and scarcely researched area of financial services risk management. The ability to obtain primary qualitative and quantitative data allowed us to uncover important and interesting dimensions of the risk management process in financial institutions. In addition, it allowed us to provide enriched explanations of the behavioural intention to escalate risks. Interest in this area arises for several reasons. First, previous research in this contextual setting has found that attitude and other constructs of the theory of planned behaviour do not account for the effects of uncertainty on the risk escalation procedure. Second, knowing more about individual decision processes and what makes effective 'risk aware' employees has practical consequences for effective risk management design and best practice. Third, a plethora of new documentation surrounding best practice risk management and culture within financial institutions has been brought to bear on the academic community with little or no evidence to support it. In addition to this, if we consider the initial escalation of a risk event detailed in this paper as the first step towards the measurement and management of this event, then it is rationale to suggest that risk escalation would therefore be a precursor to 'event study' type methodologies that use operational risk events as the subject of their investigation. Finally, increased regulatory attention in the effectiveness of risk management frameworks at the lowest levels of financial institutions should clearly inform Solvency II compliance. The past should inform the future and insurance companies can learn from the banking sector.
Our results highlight the importance of uncertainty and attitude in the decision making process. Further, the existence and identification of a new employee concept 'risk integrity' allows for interesting avenues of further exploration. It is envisaged that future studies will encompass in situ experimentation and analysis of actual behaviour by way of ratification, but also encourage industry application of the concept. If it is the case within financial organizations as outlined by the qualitative interviews in stage 1 that reliance upon people for good decision-making exists, then it is only a matter of time before legislative policy and regulations reflect this. The move by regulators towards a 'use test' that measures the effectiveness of how well risk frameworks are embedded within organizations may well be that signal, which could be reinforced by the inclusion of behavioural metrics of effective risk management as outlined in this current study.
With Solvency II implementation on-going, the readiness of staff to accept new processes, and the ability to disseminate information to 'decision makers' in a fashion that enables rather than disables risk management behaviour should not be understated. This study highlights the importance of both from a qualitative and quantitative training and educational development perspective. Evidence within the current study suggests that both attitude and information certainty fostered by training and education around risk management process/procedures may well be the fundamental building blocks of a coherent and effective risk culture, and therefore risk management strategy. Table 4 Risk integrity construct and analysis.
Questions contained within the risk integrity construct I would like more information in order to understand my institution's operational risk policy (1 'strongly disagree' to 7 'strongly agree') Having a good risk management track record is important to me (1 'strongly disagree' to 7 'strongly agree') I would be prepared to invest a lot of effort in operational risk reporting (1 'strongly disagree' to 7 'strongly agree')