Thursday, January 28, 2021
Corporate Compliance Insights

How to Promote a Risk-Aware Climate in a Risk-Averse Environment

by Matt Shinkman
February 16, 2018
in Featured, Risk

with co-author Chris Matlock

Making the Investment to Shift Risk Culture

Risk culture, though difficult to define, is one of the topics most often mentioned by Fortune 500 executives and by regulators across several industries. However, despite this visibility in quarterly calls, creating, measuring and influencing risk culture continues to defy easy answers for organizations. Yet – as Matt Shinkman and Chris Matlock detail – it is this very challenge that makes tackling risk culture in 2018 a strategic opportunity that pays dividends beyond compliance.

Over the past decade, organizations have made great strides in improving their risk management processes and systems. While this has generally helped senior leaders understand their biggest risk exposures, progressive organizations are now turning their attention to the need for a cultural shift where employees embed risk management in their day-to-day workflows. Our conversations with heads of enterprise risk management (ERM) at over 300 large, global organizations have surfaced a multitude of questions; yet the question, “How do I define and improve risk culture?” is one of the most common. Moreover, it’s a growing concern and interest among financial regulators globally. However, despite this heightened visibility, defining and influencing risk culture continues to defy easy answers for many organizations.

To start, there is no clear sense of what risk culture actually is or how to influence it. Discussions on risk culture sound similar to the parable about the blind men and the elephant, where each person touches a different part of the animal and makes their own judgments about what it is. As a result, we end up defining risk culture in simple terms: the deeply held assumptions, beliefs and values shared by an organization’s employees with respect to risk management.

While it may go without saying, the benefits of a strong risk culture are many, as it helps employees make the right decisions and mitigates poor outcomes. Despite companies putting processes, systems and rules in place to create guardrails within which they expect employees to act, employees develop their own decision-making frameworks based on their own perceptions of their environment, within which some behaviors are important and others are not. Consequently, no set of rules can ever account for 100 percent of the decisions employees will be faced with.

Although this is a critical challenge, there are real benefits to getting it right. According to our research, employees at organizations with a strong culture of integrity are 10 times less likely to observe misconduct while being 50 percent more likely to report misconduct when it does happen. When these positive, risk-aligned decisions accumulate, poor outcomes can be averted.

But in their absence, crisis develops. Take, for example, the financial meltdown of 2008, which highlighted the role that poor organizational cultures can play in creating massive risk exposures. Or, more recently, the fake account scandals in banking have made obvious that stronger systems and processes would only have slightly improved the situation. In each of these instances, the major missing element was cultural: individuals perceived risk management to be a secondary (if not lower) objective compared to personal or short-term benefit.

So how does one observe or record a group’s deeply held assumptions, beliefs and values on any issue? Is it possible for executives to peer into the minds of their employees and understand their values? While risk culture evolves slowly over long periods of time (making it difficult to influence and change), there is another way.

Enter Risk Climate

Risk climate, rather than being the sum of employee values, is what employees perceive about risk management. Similar to culture, climate has a shared quality, but it is about the group’s perceptions rather than the individual’s. These perceptions are shaped by the events, policies and procedures that members of a group experience, along with the behaviors they see being encouraged, condoned or punished. Compared to risk culture, risk climate is much easier to observe, assess and influence.

Imagine an iceberg where risk culture is the area below the waves; it is harder to see and assess and, therefore, more difficult to gauge or inflect. Risk climate, on the other hand, is above the surface and more easily manageable. Therefore, in an effort to affect the risk culture of the organization in a meaningful way, the best place to start is with changing the risk climate.

A Mandate for Leaders

Climate is in large part driven by leaders, including the explicit messages and implicit signals they convey through their actions. In the effort to change risk climate, senior leaders must be mindful not only of articulating their philosophy and risk management approach, but also of communicating it to as wide an audience as possible. Moreover, leaders need to set crystal-clear expectations for how they want their employees to behave with respect to risk management, combined with specific coaching and training. While one-third of C-Suite leaders receive some kind of risk management training, only 10 percent of organizations provide risk management education to front-line staff; there’s a lot of opportunity to increase risk awareness throughout the organization.

Power of Words

Formal risk appetite statements can also be effective. For example: “We will assume reasonable strategic and operational risks in the pursuit of breakthrough innovation to bring new products to market.” These types of statements allow leadership to take a stance on the types of risk the company is willing to take in order to achieve organizational objectives, in addition to the types of behaviors they will not tolerate. Many companies still exercise restraint in communicating their risk appetite beyond the board and executive team, except for those with a regulatory mandate. However, this approach is often shortsighted. The potential downside of discoverability and leaks should always be outweighed by the benefits of broader awareness and understanding of the company’s risk appetite, which speeds up the decision-making process and prevents lengthy debates around strategic initiatives.

While defining and improving risk culture might seem like a daunting task, the potential payoff of more risk-aligned decision-making and crisis aversion offers substantial upsides that make the work a no-regret investment. Shifting the focus from culture to climate offers a faster venue for organizational change, creates a framework ripe for the positive contributions of senior leaders and empowers employees to make tough, but appropriate, choices based on culture, not just process.


Tags: corporate culture, decision-making, enterprise risk management (ERM)
Matt Shinkman

Matt Shinkman is Practice Vice President for Risk and Audit at Gartner, where he counsels senior risk management and strategy professionals from Fortune 500 companies on the development of their risk management teams and processes. Gartner is a research and advisory company headquartered in Stamford, CT. Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions.

© 2019 Corporate Compliance Insights
