The Importance of Risk Culture

When objective parties, armed with the benefit of 20/20 hindsight, can easily see warning signs that something was either wrong or wasn’t working and that executive management either missed or chose to ignore these same warning signs, it is fair to assert that management was encumbered with a blind spot. A culture that is conducive to effective risk management encourages open and upward communication, sharing of knowledge and best practices, continuous process improvement and a strong commitment to ethical and responsible business behavior.

Effective risk management doesn’t function in a vacuum and rarely survives a leadership failure. The risk management function can review, inform, advise, monitor, measure and even resign. It cannot control, decide or abort; that’s management’s job. Without an effective internal environment in place to ensure that adequate attention is given to protecting enterprise value, entrepreneurial behavior can run amok, completely unbridled and without boundaries or constraints. By “internal environment,” we mean the total package – the control environment, management’s operating style, the incentive compensation structure, a commitment to ethical and responsible business behavior, open and transparent reporting, clear accountability for results and other aspects of the organization’s culture.

Our premise is that ensuring an effective risk culture is an important task for executive management and the Board. Unfortunately, despite its importance, risk culture is often either given lip service or simply ignored.

What is Risk Culture?

Risk culture is the “set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution.” Developed in conjunction with research Protiviti conducted with the Risk Management Association^[1], this definition applies to all organizations, whether public or private, for-profit or not-for-profit. Risk culture is the glue that binds all elements of risk management infrastructure together, because it reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, it is a look into the soul of an organization to ascertain whether risk/reward trade-offs really matter.

How Do We Evaluate Risk Culture?

Risk culture may be a formidable hurdle to improving risk management performance, whether management realizes it or not. Because risk culture often evolves as the organization evolves, it may make sense for organizations to use self-assessment techniques, internal surveys, focus groups and other techniques to understand the current state of risk culture in the organization by considering the following:

• Tone of the organization – This term refers to the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Communications from the top have little impact if the organization’s employees see and hear a different message every day from the managers to whom they report. The greater the number of management layers in the organization, the greater the risk of incongruities in the respective tones at the top, middle and bottom. Likewise, the greater the risk of executive management being unaware of serious financial, operational and compliance risks that may be common knowledge to one or more middle managers and rank-and-file employees. Information is often distorted as it moves up and down the management chain, creating disconnected leaders.^[2]
• Physical mechanisms driving risk culture – These tangible mechanisms influence the tone of the organization and include many things comprising the risk governance structure, including corporate value statements, code of conduct and ethics programs, policies and procedures, risk committee oversight activities, incentive programs, risk assessment processes, key risk indicator reporting and performance reviews and reinforcement processes, among other things. They also include the risk appetite dialogue of the executive team and Board, as well as the decomposition of risk appetite into risk tolerances and limit structures used day-to-day in executing the corporate strategy.
• Internal attributes driving risk culture – These attributes include the attitudes, belief systems and core values that drive behavior and guide daily activities and decision making throughout the organization, particularly with respect to entrepreneurial pursuits. While not as easily “seen and touched” as physical mechanisms, they warrant careful attention. For example, behaviors around risk management and internal control accountabilities often manifest themselves in how people clear audit issues, address control weaknesses, escalate issues and resolve issues reported. The timeliness in which such activities are carried out provides powerful “tells” regarding an organization’s risk culture. So, too, does executive management’s reaction (or lack thereof) to warning signs provided by independent risk management functions.
• External attributes driving risk culture – These attributes include regulatory requirements and expectations of customers, investors and others. The extent to which an organization seeks out these requirements and expectations and aligns business processes through actionable improvements reveals a lot about its resiliency.
• Subcultures that might have an impact on risk management^[3] – Multiple subcultures permit an institution, in response to a changing business environment, to be more agile in solving problems, sharing knowledge and serving customers that a so-called unitary culture may not address. On the other hand, they can also lead to rogue, risk-taking behavior that can ultimately harm the organization.
• Relationship to overall culture – Risk culture does not operate in a vacuum. The overall organizational culture influences it in many ways, and some argue they are one and the same.

How Do We Improve Risk Culture?

As risk is about uncertainty in facing the future, it would seem logical that a desirable risk culture would position the organization to be proactive as an early mover that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options, either before anyone else or along with other firms that likewise seize the initiative. Such a culture would give management the advantage of time, with more decision-making options before shifts in the market invalidate critical assumptions underlying the strategy. Another example of a desirable risk culture might be one that maintains a healthy tension between the organization’s entrepreneurial activities for creating enterprise value and its activities for protecting enterprise value so that neither one is too disproportionately strong relative to the other.

Once an initial assessment of the current risk culture is completed, executive management should consider whether any organizational changes are needed and take steps to implement those changes as directed by the Board. In transitioning to a desired risk culture, executive management should try to achieve the following:

• Embed it in the organization – Risk culture should be effected through the firm’s overall risk governance process; otherwise, it becomes a nebulous appendage. To illustrate, accountabilities for risk management and desired risk management behaviors should be reinforced through committee charters, policies, job descriptions, limit structures, procedures and escalation protocols.
• Make it a priority at the highest levels – Executive management must support the desired risk culture by demonstrating the desired behaviors through their actions and decisions over time, as well as by periodically communicating value contributed by the organization’s risk culture. For example, promoting a warrior culture, fostering a “star system” with little or no accountability, shooting the bearers of bad news, ignoring the warning signs escalated by the risk management function and making decisions that everyone can see are inconsistent with the desired risk culture all send the wrong message.
• Undertake an integrated approach – Standing alone, such programs as periodic policy communications, awareness campaigns and training strategies are mere window dressings. When baked into a comprehensive program that aligns performance expectations, roles, responsibilities and compensation structures with appropriate risk taking, they reinforce critical aspects of the desired risk culture for employees.
• Periodically evaluate progress – Monitor employee behavior for new trends, attitudes or perceptions requiring attention. Track quantitative and qualitative measures of an effective risk culture using indicators such as:
  • Level of executive management sponsorship
  • Line of business ownership of risk management
  • Effectiveness of risk committee and governance processes
  • Evidence of key business decisions, taking risk and solvency into consideration
  • Quality of Board discussions on risk issues and escalated matters
  • Use of risk appetite statement and tolerances in decision making
  • Alignment and incorporation of risk into strategic planning and direction
• Be alert for signs of change, for better or worse – As noted earlier, employee surveys and focus groups are examples of tools that can provide insights when evaluating risk culture. Reports from the independent risk management function and internal audit are other sources. Consider the effects of changes in strategy and the organization as well as the occurrence of external events, including regulatory developments, when evaluating whether changes are necessary to strengthen risk culture.

Every organization is different. That is why it is important to evaluate risk culture and make necessary adjustments to shape it over time in response to change.

^[1] “Risk Culture: From Theory to Evolving Practice,” The RMA Journal, December 2013 – January 2014, Risk Management Association and Protiviti.

^[2] “Boards Should Monitor the Tone at the Bottom,” Dr. Larry Taylor, NACD Directorship, October/November 2011.

^[3] Risk Culture: From Theory to Evolving Practice.