Taking risks is part of doing business, but the recent spate of corporate failures illustrates the need to institutionalise an effective risk culture (RC).
Throughout my career, many people have asked me what effective RC entails. RC is a critical part of effective risk management – which is not only about systems, processes and quantitative models, but more about changing human behaviour, how people think about risk, how they behave and the kind of organisational culture that exists within the business.
Simply put, RC is the shared perceptions, assumptions, beliefs and behaviour of an organisation based on how the organisation values, discusses or manages risk. These perceptions and behaviours are shaped by the policies, procedures and events that people experience; the behaviours they see being encouraged, condoned, or punished; and how an organisation deals with its multiple tomorrows, the uncertainties that lie ahead which might arise either in the near or the longer term. Moreover, they are shaped by how the organisation conforms to its own values and standards – its ethical behaviour.
In the recent past, we have witnessed the demise of prominent organisations as a result of governance failure. When looking at these exogenous shocks you cannot help wondering about the risk culture of these organisations. I firmly believe that if an effective RC is in place within an organisation, materialised risk exposures and such shocks will not reach toxic levels.
Organisations with an immature risk culture tend to fail at managing the future: change initiatives fail, the future is always a surprise, and the organisations are constantly reactive. Organisations with a mature risk culture, by contrast, take risk-adjusted decisions and risks that are within their appetite levels; they are actually risk intelligent.
The following behaviours are demonstrated within the organisation with a mature risk culture:
- The organisation is responsive: it quickly and appropriately reacts and responds to new risk information, taking management action where necessary. The organisation thinks about the risk/return trade-offs upfront when business decisions are made.
- Willingness and receptiveness to give and receive bad news. Risk issues are openly raised, questioned and highlighted. Being prepared to challenge and be challenged.
- Employees think carefully about the risks in their environment and understand how they impact the business. They can articulate and conscientiously apply the risk/opportunity trade-off in their business decision making. They also feel empowered to make risk-based decisions within a framework, so decisions about risk are made with clarity by the right people.
- Collaborative communication, which is the degree to which risk information flows within and across the organisation openly. Sharing of information between teams is transparent and constructive which helps the business to make better decisions, and prevent the same mistakes being made.
- Employees comply with, champion and understand the value of rules and policies. They stick to rules or challenge rules that aren’t valid anymore. They understand that adherence to rules can prevent risks materialising.
- Inappropriate decisions and misleading information are pointed out and mistakes are not covered up.
A healthy RC is one that enables and rewards individuals and groups for taking the right risks that create value in an informed manner. It is, therefore, imperative to create a corporate culture which champions open communication, transparency, integrity, honesty, accountability, ownership of risk and ethical values.
How to improve risk culture
RC should become a part of the business DNA, and most importantly, there needs to be the right tone from the top. Each employee must understand or be aware of how risks need to be effectively dealt with.
Risk managers play an important role in fostering or improving RC. There are various techniques to do so, such as:
- incorporating risk and control culture as part of the conversations at critical business meetings;
- including risk management in the performance contracts of everyone throughout the organisation;
- incorporating desired risk culture values and behaviours into the overall corporate culture, to drive one comprehensive culture message;
- training/awareness sessions – using simulation, roleplaying, analytics, e-learning and gaming to create interactive risk management experience;
- collaboration and alignment with other initiatives within the organisation to improve risk culture;
- creating audience specific messages on risk management, ethics and risk and control culture;
- recognition for the management of risks;
- proactive advisory of decision makers;
- ongoing assessment and monitoring of risk culture; and
- addressing areas of improvement.
At the end of the day, each employee must be empowered and be better equipped to identify and manage risks within their areas of responsibility. No matter what role one plays in the organisation, employees can assist the business to manage its risks better – by being aware and conscious of the risks that exist in their area, and by demonstrating the right risk behaviours at all times.
The organisation will become better at identifying the risks it is exposed to – the good and bad ones – and doing something about them. This will optimise the risk-return trade-offs, improve return on capital, drive greater levels of economic profit and ultimately create long-term value. Mostly, this will contribute to both effective risk management and good corporate governance.