Cultivating a robust risk culture is not just about risk culture itself, but about risk culture combined with ethics and integrity. “It is about ensuring that ethics and integrity are somewhere in there as well,” said presenter Ramesh Pillai, at a recent IERP Tea Talk. “This is important because if you think about ERM, it is about doing the right thing, and doing the right thing is about making sure you inculcate the right values. People need to have the right values, and value systems mean that there must be shared values in the organisation as well.” But as organisations start to succumb to complex, intangible risks in today’s increasingly complex environment, the risks are not so easy to touch or feel, or are hidden.
Risk management and managing risk are considered business functions that control losses and adhere to compliance standards, but professional risk managers know that it is about achieving organisational objectives and improving the quality of decision-making, he added. “Risk management is not only about protection but value creation, promoting ethical leadership, and values-based decision-making,” he said. “We are talking about getting people to do the right thing.” He cited examples of Yahoo and its cyber glitch, Wells Fargo and fake customer accounts, and Volkswagen with its emission scandal, as some examples of people not doing the right thing.
Pointing out that complex systems fail in complex ways but all failures start with human failings, he said that senior business leaders and boards have to change the way they think about risk, and how to respond. They have to move quickly to seize opportunities while continuing to protect employees, customer health and safety, and evolving to adapt to new ways like WFH and digital working. Risk culture is becoming more important than ever because companies cannot rely on reflexive muscles to predict and control risk. “A good risk culture allows an organisation to move at speed,” he stressed. “It is an organisation’s best cost-cutting effect, a critical element for institutional resilience.”
Not only that, organisations which have a mature risk and integrity culture tend to outperform their peers through economic cycles and in the face of any external shocks. They are also less likely to suffer from self-inflicted wounds in the form of operational mistakes or reputational difficulty, and tend to have more engaged and satisfied customers and employees. Urging risk professionals to understand and measure risk culture, Ramesh said that improvements could start with a diagnosis of their current position, and the addressing of risk mindsets, risk practices and contributing behaviours. Risk mindsets are the sets of assumptions about risk that individuals hold within an organisation.
Risk practices refer to the daily actions that determine the effectiveness of risk management, and contributing behaviour comprises the collective actions that build attitudes. “Companies that seek to understand risk culture can establish concrete detailed definitions that clearly spell out the specific elements of risk culture,” he said, defining ten dimensions of risk culture that were divided into four categories: acknowledgement, responsiveness, transparency and respect. Acknowledgement is about having confidence, a culture of openness, and being open to challenge, while speedy responsiveness is critical.
Transparency in communication, and tolerance, help people understand what the organisation is trying to achieve in relation to risk appetite, and how all this fits into the overall strategy of decision-making. There should always be respect for rules, fellow employees and colleagues. “Once the risks and integrity culture is defined, measurement can begin,” Ramesh said. “Leading companies assess themselves systematically be looking at mindsets, practices and behaviour, often based on interviews with units and functions, followed by comprehensive surveys.” These surveys set an organisation-wide baseline, and follow-up interviews provide further details on strengths, weaknesses and root causes.
He cautioned against using a combination of employee engagement surveys, focus groups and incident analyses of near-misses, suggesting that a dedicated risk and integrity survey be used instead. “Typical employee engagement surveys contain only a few relevant questions and do not usually uncover enough insights to create an effective measure,” he said. “These approaches do not provide a view over time, or ready comparison between organisational units. A dedicated survey is an indispensable tool for obtaining a broad measure of a company’s risk culture.” Dedicated surveys can set true initial baselines, and create hard data comparable across divisions, geographies and roles, he added.
Once an initial baseline is developed, the results should be shared with the leadership teams and the broader organisation. With the help of measured risk culture results, weaknesses may be addressed, and the leadership team, with support of the team coordinating risk culture efforts, can use the strengths, weaknesses and cultural differences identified, to agree on a set of prioritised interventions, or intervention areas. “Where possible, interventions or their application should be driven and owned by the front line to ensure that cultural change is truly lived locally and linked to the day-to-day business activities and outcome,” Ramesh stressed. “You have to make it real.”
Organisations need to move from measuring and planning, to taking action through tailored interventions to lift risk culture; successful efforts are usually the result of several kinds of action taken together. To generate meaningful, lasting changes in risk and integrity culture, leaders can use something called the influence model which has proven useful in ensuring that change programmes draw upon a breadth of approaches. Efforts to address risk culture gaps usually involve a balance of short- and long-term interventions. “Targeted short term interventions allow organisations to respond flexibly to changing needs,” he said. “Long term interventions are often formal programmes.”
The influencer model addresses different issues and ensures the right skill sets, understanding and commitment are developed, and formal reinforcement mechanisms and alignment of values are in place. He urged organisations to also learn from what happens with the competition, stressing that there were lessons to be learned that could strengthen their respective companies. Internal communications, especially, were critical, as was the right tone at the top. “Employees generally don’t listen to the talk,” he remarked. “They watch the walk. Leaders need to be cognisant of their values system because their values system is on display when they are dealing with the troops!”
Building and sustaining risk culture requires proactive attention, which means addressing risk culture before issues arise, and includes understanding how risk culture is evolving and then taking action to protect or improve it. Once a crisis with roots in risk culture hits, existing leadership including boards will generally find it difficult to lead because they themselves will become increasingly associated with the cultural problems. “People will start to blame the boards so it will become hard to dissociate yourselves from the actual problem,” Ramesh said. “The problems tend to be seen as leadership failing in the eyes of the public, investors and regulators.”
Proactive leaders may be able to see early signs of concern or even spot inadequate processes; an initial deep dive into the root causes of often seemingly isolated incidents or complaints may be helpful. By being proactive, leaders can avoid larger problems and demonstrate that they are part of the solution, and not the problem. Many organisations in today’s environment are transforming their operations, but large transformations can themselves raise risk levels and risk management practices will become disrupted, core processes will be redesigned, and teams and organisational structures will shift, and the organisation may experience ‘change fatigue.’
Describing change fatigue as the anxiety that comes with transformation, Ramesh cautioned that it can contribute its own share of risk. “But transformations also afford organisations the opportunity to reset their model to their desired risk management culture,” he said. “They must include programmes to promote desired behaviours in transparent organisation-wide efforts, as opposed to siloed business-as-usual approaches.” Acknowledging the importance of ensuring that the organisation’s risk culture was maintained, he suggested that risk culture programmes could begin with a small set of priority initiatives focusing on key issues, to create visibility and momentum for the whole programme.
It could include a plan for employees to articulate their risk concerns or a dedicated ‘Speak Up’ line, the results of which could be conveyed to the board. “This will be the first step and a gesture of commitment to the larger effort of changing culture,” he said, outlining six essential characteristics that need to be put in place, for successful risk culture programmes. Firstly, it needs to be linked with the day-to-day business activities and outcomes. Secondly, it needs dedicated ownership. “All these responsibilities need to sit centrally, either within ERM with a Chief Operating Officer, or an enterprise Chief Operating Officer, or within HR,” Ramesh explained.
Third, the case for change is visible and compelling; fourth, the effort is sustained over time; fifth, the C-Suite holds leaders accountable for success; and sixth, there is reinforcement of ethical behaviour. To succeed, leadership across the organisation needs to be actively engaged. Business unit owners should champion initiatives, and leaders need to show they are serious about change if they want their people to adopt new risk behaviour. But when it comes to the responsibility of driving culture, it’s not just the risk management team that needs to drive it. “It’s actually the line that needs to drive this,” Ramesh said. “If not, then there is no ownership and the initiatives may not have very much success.”
Also, clear communication of the boundaries of ethical support, and selection of employees who support ethical culture, are critical. “When you hire people, you need to look at their values system as well,” Ramesh advised. “This may not be checked when people are interviewed and brought into the organisation.” He suggested having rewards for ethical behaviour; most companies have penalties for unethical behaviour but tend not to have rewards for ethical behaviour. A carrot and stick approach was necessary for employees to feel a sense of responsibility and accountability; they will start to feel responsible for how others behave within their respective spheres of influence as well.
Organisational leadership must understand the pressure points that drive unethical behaviour, and develop processes to identify and remedy the areas where these pressure points occur, if it wants to inculcate a culture of risk and integrity. Concrete, proactive action must be taken to prevent stakeholder damage. “If you ignore this, it gives the perception of ‘anything goes’ and reinforces the ‘everyone for himself’ attitude, and there will be no taking of responsibility,” Ramesh said, citing Anderson, Enron, Boeing and WorldCom as some examples of the result of not taking responsibility. As senior leaders, management needed to ensure that organisations remained sustainable.
“In order to remain sustainable, our cultural health is critical,” he said. “We need to ensure that our organisations nurture their risk and integrity culture so that we can better position ourselves to better serve our stakeholders, clients, team members, and – more importantly – society, effectively. We talk about ESG in today’s environment; we are one big global family. To avert risks that could potentially prove catastrophic, by taking these steps, organisations and institutions can be prepared and reap near-term rewards and be ready for future uncertainties and challenges.”
