with co-author Chris Matlock
Making the Investment to Shift Risk Culture
Risk culture, though difficult to define, is one of the most mentioned topics by Fortune 500 executives and for regulators across several industries. However, despite this visibility in quarterly calls, creating, measuring and influencing risk culture continues to defy easy answers for organizations. Yet – as Matt Shinkman and Chris Matlock detail – it is this very challenge that makes tackling risk culture in 2018 a strategic opportunity that pays dividends beyond compliance.
Over the past decade, organizations have made great strides in improving their risk management processes and systems. While this has generally helped senior leaders understand their biggest risk exposures, progressive organizations are now turning their attention to the need for a cultural shift where employees embed risk management in their day-to-day workflows. Our conversations with heads of enterprise risk management (ERM) at over 300 large, global organizations have surfaced a multitude of questions; yet the question, “How do I define and improve risk culture?” is one of the most common. Moreover, it’s a growing concern and interest among financial regulators globally. However, despite this heightened visibility, defining and influencing risk culture continues to defy easy answers for many organizations.
To start, there is no clear sense for what risk culture actually is or how to influence it. Discussions on risk culture sound similar to the parable about the blind men and the elephant, where each person touches a different part of the animal and makes their own judgments about what it is. As a result, we end up defining risk culture in simple terms: the deeply held assumptions, beliefs and values shared by an organization’s employees with respect to risk management.
While it may go without saying, the benefits of a strong risk culture are many as it helps employees make the right decisions and mitigates poor outcomes. Despite companies putting processes, systems and rules in place to create guardrails within which they expect employees to act, employees develop their own decision-making frameworks based in their own perceptions of their environment, within which some behaviors are important and others are not. Consequently, no set of rules can ever account for 100 percent of the decisions employees will be faced with.
Although this is a critical challenge, there are real benefits to getting it right. According to our research, employees at organizations with a strong culture of integrity are 10 times less likely to observe misconduct while being 50 percent more likely to report misconduct when it does happen. When these positive, risk-aligned decisions accumulate, poor outcomes can be averted.
But in their absence, crisis develops. Take for example, the financial meltdown of 2008, which highlighted the role that poor organizational cultures can play in creating massive risk exposures. Or, more recently, the fake account scandals in banking have made obvious that stronger systems and processes would only have slightly improved the situation. In each of these instances, the major missing element was cultural — individuals perceived risk management to be a secondary (if not lower) objective compared to personal or short-term benefit.
So how does one observe or record a group’s deeply held assumptions, beliefs and values on any issue? Is it possible for executives to peer into the minds of their employees and understand their values? While risk culture evolves slowly over long periods of time (making it difficult to influence and change), there is another way.
Enter Risk Climate
Risk climate, rather than being the sum of employee values, is what employees perceive about risk management. Similar to culture, climate has a shared quality, but it is about the group’s perceptions rather than the individual’s. These perceptions are shaped by the events, policies and procedures that members of a group experience, along with the behaviors they see being encouraged, condoned or punished. Compared to risk culture, risk climate is much easier to observe, assess and influence.
Imagine an iceberg where risk culture is the area below the waves; it is harder to see and assess and, therefore, more difficult to gauge or inflect. Risk climate on the other hand, is above the surface and more easily manageable. Therefore, in an effort to affect the risk culture of the organization in a meaningful way, the best place to start is leading with changing the risk climate.
A Mandate for Leaders
Climate is in large parts driven by leaders, including the explicit messages and implicit signals they convey through their actions. In the effort to change risk climate, senior leaders must be mindful not only of articulating their philosophy and risk management approach, but also of communicating it to as wide an audience as possible. Moreover, leaders need to set crystal-clear expectations for how they want their employees to behave with respect to risk management, combined with specific coaching and training. While one-third of C-Suite leaders receive some kind of risk management training, only 10 percent of organizations provide risk management education to front-line staff; there’s a lot of opportunity to increase risk awareness throughout the organization.
Power of Words
Formal risk appetite statements can also be effective. For example: “We will assume reasonable strategic and operational risks in the pursuit of breakthrough innovation to bring new products to market.” These types of statements allow leadership to take a stance on the types of risk the company is willing to take in order to achieve organizational objectives, in addition to the types of behaviors they will not tolerate. Many companies still exercise restraint in communicating their risk appetite beyond the board and executive team, except for those with a regulatory mandate. However, this approach is often shortsighted. The potential downside of discoverability and leaks should always be outweighed by the benefits of broader awareness and understanding of the company’s risk appetite, which speeds up the decision-making process and prevents lengthy debates around strategic initiatives.
While defining and improving risk culture might seem like a daunting task, the potential payoff of more risk-aligned decision-making and crisis aversion offers substantial upsides that make the work a no-regret investment. Shifting the focus from culture to climate offers a faster venue for organizational change, creates a framework ripe for the positive contributions of senior leaders and empowers employees to make tough, but appropriate, choices based on culture, not just process.