Building an effective enterprise risk management culture
- Published: Friday, 30 July 2021 08:15
In this article, Alberto G. Alexander, Ph.D , MBCI, describes a framework to help organizations develop an effective enterprise risk management culture. He also looks at best practices for managing and maintaining a risk culture once it is place.
Organizations cannot optimize risk management simply by establishing oversight committees, audit processes and risk reports. These processes and systems, which comprise the ‘hard’ side of risk management, become, useless without the soft side: which are all the factors that influence individual decision-making and behavior/ behaviour. Together all these factors form the organization´s risk culture. In a sound risk culture, everyone not only knows and understands the policies, but also shares the values behind them. Employees and managers alike are aware of risk and adjust their behavior accordingly.
In this article some recommendations will be developed for managers to consider as guidelines for creating and fostering an enterprise risk management (ERM) culture. Following best practices for managing a business´s risk culture will also be presented.
Business decisions and actions regarding risk are shaped by a system of values and behaviors present throughout an organization that are demonstrated by the individuals or groups within it. In the context of enterprise risk management, culture is a value that impacts business decisions and determines the way the organization identifies, understands, discusses, and acts on the risks it faces and the risks it takes. ERM culture affects the decisions of management and employees, regardless of whether they consciously weigh benefits and costs.
However, organizations that do not have an enterprise risk management culture fail to reap the benefits of a functional ERM program. Because ERM culture is a product of shared values and behaviors, it is based on establishing predictability and high reliability in executing processes for managing risks. When there is no ERM culture, business units work in silos and do not align themselves to manage risks and achieve strategic objectives. The result is low reliability and lack of consistency in executing risk management processes.
One of the most important factors influencing enterprise risk management culture is the involvement of leadership and employees at all levels in adopting, accepting, and promoting ERM and ERM culture
“A strong risk culture is a prerequisite for a sustainable ERM program.” (Tuveson, Ralph, Alexander, 2020)
The enterprise risk management cultural alignment establishes a new focus for risk-based decisions that is sustainable over time and influences management and all employees. It also allows effective ERM implementation and becomes a source of sustainable competitive advantage. Finally, it inspires staff to promote integrity, enhance share-holder value, meet regulatory compliance, and generate long-term sustainability.
In a sound enterprise risk management culture, together the hard and soft sides of risk management determine the risk profile of any business. The hard side involves enablers, which establish the capacity for sound risk practice; and the soft side includes drivers, which impel the actual execution of sound risk practice.
Let’s be clear about what culture means. A scholar who has studied the subject of organizational culture for many decades is Dr. Edgard Schein (Professor Emeritus at the MIT Sloan School of Management). He defines organizational culture as:
“A pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid, and therefore, to be taught to new members as the correct way to perceive, think and feel in relation to these problems.”
The concept of culture is most useful if it helps to explain some of the more seemingly incomprehensible and irrational aspects of groups and organizations. The definition of culture according to Dr. Schein, puts the emphasis on shared, taken-for-granted basic assumptions held by the members of the group or organizations. In this sense, any group with a stable membership and a history of shared learning will have developed some level of culture.
“If we find in any type of organization that certain assumptions are shared across all the units of an organization, then we can legitimately speak of an organizational culture.” (Schein, Schein, 2016)
But what is really interesting is that at the same time we may find a number of discrete subcultures that have their own integrity. It is normal to find in an organization of a certain size a specific type of culture and also different subcultures.
Risk culture has long been a vague concept that practitioners and academics alike have failed to define with sufficient clarity. Leadership is a key driver: the tone from the top is crucial to establishing honesty and integrity as paramount values.
The bottom line for leaders is that if they do not become conscious of the cultures in which they are embedded, those cultures will manage them. Cultural understanding is desirable for all of us, but it is essential to leaders if they are to lead.
Risk culture can be defined as the values, shared basic assumptions, beliefs, and understanding of risk shared across an organization.
In this article, I will attempt to establish a framework for individual decision making and develop a sequence of best practices for managing a business´s risk culture. First, we will identify the key steps that each individual must take when making risk related decisions, and will pinpoint the different obstacles that can be encountered in each step. Finally, we will take a look at best practices for measuring and managing these factors and consequently improving a business´s risk culture.
Levers that impact risk and organizational culture
There is an old axiom that says: “trying to repair a problem you don´t fully understand is a fool´s errand.” Improving risk culture is no exception. Before developing strategies toward establishing a sound risk culture, we need to understand what goes into creating one in the first place.
“Elements of risk culture vary widely, depending on the organization, market, country, and regulatory environment in which an organization operates.” (Tuveson, Ralph, Alexander, 2020)
What is important to one firm may matter little to another. While these elements can be considered from a stand-alone perspective, the wider culture should understand which ones take precedence when they are in conflict, such as a situation where meeting client expectations requires omitting internal compliance processes to deliver the outcome.
Some elements to be considered are presented in Figure One and should be taken into consideration as levers that can be changed and that impact, not only risk, but organizational culture as well.
Figure one: Levers that impact risk and organizational culture
In the next part of this article, we will look at each of the steps depicted in Figure One, and identify the inherent obstacles that companies could face while executing them.
Hire the Right People
The employees of a company are fundamental to its risk culture being effective. The first step to establishing a good risk culture is to limit whom the company hires. The employees of any company are fundamental to its risk culture being effective.
Jim Collins in his book ‘Good to Great’, mentions that if “the company has the right people, then the problem of how to motivate and how to manage people properly goes away.”
Background verification checks on all candidates for employment should be carried out effectively. For the different positions in the firm, selection criteria should be established and for each criteria a predictor needs to be designed.
The background verification should consider the following aspects:
- Availability of satisfactory character references, e.g., one business and one personal.
- A verification (for completeness and accuracy) of the applicant´s resume / curriculum vitae.
- Confirmation of claimed academic and professional qualifications.
- More detailed verification, such as credit review or review of criminal records.
The typical errors made on the selection process that companies face are the following: not creating an accurate job description, failing to consider recruiting from within, relying too much on the interview, using unconscious bias, rejecting an overqualified candidate, and waiting for the perfect candidate.
Top management involvement
In risk management, even more than other corporate initiatives, the involvement of top management is critical to success. The CEO must be fully supportive of the risk management process and must set the tone, not only through words, but through actions as well. The strategic level of the company must communicate that risk management is a top priority for the company in presentations, meetings, town halls, and other settings.
“The most important issue is that top management must demonstrate commitment through actions, by exemplifying and embodying the values they espouse.” (Martin, Joanne, 2002)
The typical obstacle for this step to be effective is when top management gets confused and thinks that involvement means just communicating the importance of risk management. Management involvement has to demonstrate commitment through actions. Top management needs to use behavior modeling and needs to be a model to be imitated. Behavior modeling is a strong mechanism for learning. It is a kind of vicarious learning in which direct instruction need not occur.
A company’s board and senior management should form a clear and communicable approach to risk, which is understood by all levels of the employee hierarchy. Generally, the company business strategy and risk appetite are determined; however, often this is not then supported by a statement about the appropriate risk culture to deliver this direction.
Larger organizations should clarify who is responsible for helping develop any desired subcultures that may need to exist and that also align with the larger organizational culture. An example of this may be differences in the front office (client facing, underwriting, trading floor) compared to the back office (finance, taxation, legal, reserving). Even if the organization-wide culture is defined in a way that can be applied across all segments or units, responsibility for ensuring the culture of each unit should be clearly assigned – normally to the unit head.
Board failures are not due to lack of motivation or competence of the individuals on the boards, but are usually the result of clear structural barriers from board size to the complexity of a firm, which can lead to the failure of the board to effectively obtain, process, and share information as individuals and as a group.
Lines of accountability need to be clear and enforced, preferably to individuals rather than committees where accountability is often lost. In larger organizations, the lines of responsibility are often blurred and the aftermath of an incident may focus on the internal politics and assigning responsibility. This is especially the case when processes, data, or information flows from one team to the next and all controls along the chain fail to identify the event.
An ideal approach to assess if accountability is clearly established includes:
- A review of the risk management framework. Does it clearly identify owners of risks, controls, and processes?
- When an event occurs, is there any uncertainty about who is accountable?
- Rather than waiting for an incident or event to occur, some scenarios should be run through and should consider who would be responsible for control failures or for risks occurring that were not mitigated.
The organization might have established acceptance that certain risks should not be completely mitigated by controls. Normally this would occur because the cost of implementing controls is significantly higher than the frequency and cost of the risk actually occurring. In these instances, accountability rests with the individual who determined that the unmitigated risk was acceptable.
Frequently overlooked is consistency and wider communication of any disciplinary action. If the balance is not achieved, then the communication void will be filled by uninformed employee discussion. Management will need to assess this on a case-by-case basis, as some matters will not require wider communication.
There are several organizational barriers to accountability. The first barrier is a lack of alignment. One reason this barrier exists is because we lack understanding about alignment: what it is, what it isn’t, and how to recognize a lack of it. Another obstacle usually is clarity. Without clarity, there can be no alignment. How can an employee be aligned with leadership, when he/she is unclear about her/his role, responsibilities, priorities or direction?
Incidents and escalation
Here we are referring to (1) risk or events that were unknown but that either have occurred or could have occurred, and (2) controls that did not mitigate the risk as expected. The focus should be on the identification of what actually went wrong, what can be learned, and whether changes to processes or controls are required. It is important to deal with disciplinary action or assignment of accountability as a separate matter to encourage open discussions.
An incident should be utilized as an opportunity to challenge the risk management framework. A process should be in place to ensure that incidents occurring across the organization, either by unit or geographic location, are consolidated and reviewed for potential impact organization wide. To find efficiencies, many organizations have moved towards common systems, controls, and processes; inherently, sharing learnings of control weakness across an organization will have a compounding impact.
As a side note, internal sharing of internal audit findings, observations, or reports is a powerful way to identify potential gaps within the framework. While local management may not wish to share observations; reviewing this information from one location and considering wider organizational impact, especially if it’s an operational risk, is valuable.
Perhaps the most obvious problem faced by incident responders is the lack of context about the incident. When the incident lacks the contextual information, the response team struggles to: understand the full scale of the problem; make the initial diagnosis; assess the priority; and communicate to the other responders, management, and customers.
Organizations cannot miss any type of critical incidents, however too many notifications may cause alert fatigue. Lack of a prioritization scheme can cause response teams to spend most of their time on low priority alerts that do not involve any threat.
Incentives and remuneration
Measure and reward performance based on the desired risk culture, both financially and non-financially. Setting goals around key performance indicators will influence the culture that has been created.
When reviewing the business strategies and goals across the organization, they should be critically assessed as to whether they align with the cultural statement that has been established. All too often, the strategy is focused on growing the business through bettering customer experiences or serving their needs; however, individual goals are focused on short-term profitability and meeting key performance indicators that are not linked to customer needs.
Organizations are starting to link remuneration to the operation of the risk management framework. In this instance, failures to follow defined procedures and controls, or not having an appropriate approach to risk on each transaction impacts employee remuneration.
Training, succession planning and talent management
These elements should support and enforce the desired culture and behavior. Organizations should be conscious of their risk culture when making decisions around them.
Many people have been in the position of hiring or managing performance of individuals; however, they often naturally focus on the ability to perform the role, the individual’s attitude to work, and how the person fits into the immediate team. The wider impact on organization culture is a crucial element that is generally not considered. If the desired culture differs from the existing one, then talent management carries significant influence on the culture’s ability to change.
“Something an organization also needs to consider is how the attitude of high performers reflects on cultural attitudes or perceptions to risk and compliance.” (Jacobs, Jamie. Crockett, Hema:2021)
High performers can be naturally influential, and where their attitude is misaligned, it may become contagious and toxic. More disturbing is that their negative outlook may not be easily identified by management.
The risk culture should support the business strategy, which is built around core competencies. A close link exists between the success of a strategy’s implementation and the organization culture. If they are not already aligned, then changing one is critical to achieving the other. An easy way to gauge this is to compare how the organization wishes to be perceived by clients and the marketplace versus how these actually perceive the company.
One of the main obstacles in identifying core competencies is not using the appropriate methodology and the lack of top management involvement in the process of core competencies identification.
Some levers have been identified in terms of how to influence and manage a risk culture.
Risk culture can be defined as the ‘values, shared basic assumptions, beliefs and understanding of risk shared across an organization’. Risk culture is considered a subculture within the organizational culture of the firm, it needs to be managed, maintained, developed and controlled.
Every organization is different, which means the setting for a desired risk culture, how to change it and measure it, will differ from one organization to the next.
It is imperative that organizations create a strong risk culture so that people know what to do in most situations even if they do not have specific instructions. A poor or inconsistent risk culture could easily lead to ignoring the rules even when they´re explicit.
Creating a positive risk culture is not as nebulous a process as many may assume. Rather, it is a systematic endeavor that begins with a framework for influencing individual decision-making and follows concrete steps from integrating risk awareness into recruitment, setting the tone from the top, and establishing clear, consistent, policies that reward positive behavior, correct errors, and punish transgressions. The fact is, however, that a company with a vibrant risk culture that embraces core values will not need to rely entirely on the rules, instead tapping into the human impulse to do the right thing.
There are five key areas that every organization should focus on to build a positive risk culture:
Be proactive toward risk, don’t wait for a crisis
Senior leadership should practice routine communication throughout the organization about why managing risk is important and that being compliant just isn’t enough. Develop business continuity plans and emergency or incident response programs that promote ongoing participation.
Show support through investment in risk management
Nothing gets people’s attention like putting your money where your mouth is. Invest in training, program development, and technology to manage risk.
Create bottom-up communication
Incorporate a communication system that encourages front-line employees to identify and report potential issues or problems to management. This should allow employees to remain anonymous, if desired, and will require a response by management with the ability for automatic escalation.
Identify, prioritize, and monitor risk.
Keep employees in the know by maintaining consistent risk management processes across the organization. Also, providing frequent and detailed training for employees will promote improved understanding of the various risks that the company is exposed to and will enable employees to appropriately monitor and respond.
Frequently assess risk
Companies should routinely assess the various risks they are exposed to. This should be part of regular business operations in addition to an annual programs review. Managers at all levels should have part of their compensation tied to evaluating and mitigating their area of risk.
Enterprise risk management culture should be well defined, transparent, and consistent in the mission statement. It should be dynamic and allow proactive feedback and generate a uniform risk response. Significantly, ERM culture affects the decisions of all employees. And when those decisions run counter to organizational policies and the established risk profile, it reflects a lack of risk culture, a weak organizational identity, and, in effect, little competitive strength.
Undeniably, a strong risk culture is a prerequisite for a sustainable enterprise risk management program. The ERM cultural alignment establishes a new focus for risk-based decisions that is sustainable over time and influences management and all employees. It also allows effective ERM implementation and becomes a source of sustainable competitive advantage. Finally, it inspires staff to promote integrity, enhance shareholder value, meet regulatory compliance, and generate long-term sustainability.
Embedding a risk culture remains a significant challenge, especially for enterprises where risk management is developed in isolation. If key risks are being miscalculated, then negative impacts on business performance will inevitably result.
It is very important to remember that the processes and systems, which comprise the hard side of risk management, become, useless without the soft side: which are all the factors that influence individual decision–making and behavior.
Together all these factors form the organization´s risk culture. In a sound risk culture, everyone not only knows and understands the policies, but also shares the values behind them. Employees and managers alike are aware of risk and adjust their behavior accordingly.
Dr. Alberto G. Alexander holds a Ph.D from The University of Kansas, and a M.A., from Northern Michigan University. He is a MBCI, BCMS, ISMS and QMS, IRCA Lead Auditor and Approved Tutor. He is the managing director of the international consulting and managerial training firm Eficiencia Gerencial y Productividad located in Lima, Peru. He can be contacted at: firstname.lastname@example.org and via www.gerenciayproductividad.com He is professor at The Graduate Business School, at ESAN University, Lima, Perú and at the Panamerican Business School, Guatemala.
- Schein, Edgard, Schein, Peter. Organizational Culture and Leadership. Jossey-Bass. 2016
- Tuveson, Michelle. Ralph, Daniel. Alexander, Kern. Beyond Bad Apples: Risk Culture in Business. 2020 Kindle Edition.
- Martin, Joanne. Organizational Culture: Mapping the Terrain. Sage Publications. 2002
- Jacobs, Jamie. Crockett, Hema. Designing Exceptional Organizational Cultures: How to Develop Companies Where Employees Thrive. 2021 Kogan Page
- Collins, James. Good to Great. 2005 Harper Collins Publishers