The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).

IERP® International Institute of Enterprise Risk Practitioners

Cultivating Culture: Two Perspectives

IERP’s last Tea Talk for 2020 was held online, and offered perspectives on cultivating a risk-aware culture from two vastly different industries. Presenters for the afternoon event were Maheran Nor Salfarina Salim, Head, Risk Management & Governance, Finance & Enterprise Risk, Petronas Refinery Petrochemical Corporation Sdn Bhd; and Karen Foong, Chief Risk, Compliance & Security Officer, MCIS Insurance Bhd. The culture of Petronas is one of encouraging its staff, contractors, suppliers and partners to do the right thing even when no one is watching. “When people align thinking and behaviour, everything can happen,” Maheran said. “Petronas believes in shared success.”

Shared success also depends to a great extent on people doing the right thing even when no one is watching, which requires having the right organisational culture. This includes having staff who know how to engage with risk. “You cannot talk about risk culture alone without having a good environment,” pointed out Maheran, adding that there are a few areas organisations need to concentrate on when talking about culture, particularly communication at all levels. Governance, policy, framework and systems are just as important; leveraging technology may provide the tools staff need to be effective.

“People need to think ethically and critically, and make good decisions at all levels – non-executives included,” she said. “Organisations should create conditions where people can speak up, act and give feedback.” There should also be space for intervention, as an indication of the firm’s commitment to inculcating a viable culture. Partners and collaborators of the firm should be informed of the policy, and the tone from the top should be what directs it. Petronas, which has more than 40,000 employees in 30 countries around the world, practises a top-down, bottom-up system where information goes from units to other levels and entities for the risk discussion.

This allows a cohesive, integrated look at risk from every angle. Constant engagement helps identify and develop a risk profile. In this way, any risk can be monitored and quickly escalated if needed. It also shows that the company takes risk seriously, and does not consider it merely a paper exercise. Petronas’ risk forums are open to everyone, which encourages transparency. “Everyone can see how the company is managing the risk,” she said. The company also leverages technology; it uses apps to observe and keep track of the system. Cybersecurity is important, as is providing feedback and recognition.

The driving force behind all this should be consistent leadership commitment that constantly considers risk prior to making any decisions. Risk should be accepted as part of daily life and be proactively managed; the organisation should encourage this, and educate staff about risk and risk management. Maheran mentioned the use of Risk Assessments for Decision Making, which utilises transparent and timely risk information that flows freely throughout the organisation without apportioning blame to any party. Risk intervention can thus be done seamlessly and proactively without waiting for any party to be specifically tasked with it. Identifying, Assessing, Managing/Mitigating and Sharing (IAMS) should be practised throughout the organisation to encourage the development of a viable risk culture.

Oil & Gas and Insurance are both highly regulated industries but the approach to risk culture in insurance is different, said second presenter Karen Foong. “Risk culture is an important fundamental tool for effective risk management,” she pointed out. “While the risk culture of SMEs is usually quite aggressive, that of the more established companies tends to be risk-averse – mainly because they have more to lose.” But despite being highly regulated, and with a more robust risk culture already in place, big businesses which were hitherto regarded as too big to fail, failed nevertheless. She cited the Wells Fargo Bank as an example.

The Bank set daily sales targets for its employees, and when these daily targets were not attained, the shortfall was added to the next day’s targets. Employees were incentivised, but this led to unethical practices, including selling products to customers who did not meet the criteria or who did not really need the product or service. Its then-CFO denied that the culture of the organisation was “overbearing” – indeed, the company even had an ethics programme, best practices for minimising risk and instilling values in its culture, and a policy of withdrawing bonuses which had been inappropriately earned.

Wells Fargo’s aggressive company policy, coupled with a lack of oversight, led to fraud by its employees and to the firm being fined US$185 million by the US authorities for fraud. But what cost the company more was the loss of its customers’ trust, stemming from what became known as the Wells Fargo Cross-Selling Scandal. One of the most indispensable elements of a strong risk culture is the tone from the top, Karen stressed. “It sets guiding values and an ethical climate,” she said. “And it has a trickle-down effect. Mission and values can be aligned and communicated throughout the organisation.”

She added that this also sets the company’s strategy for its risk appetite, and will help it make decisions consistent with that strategy. But senior management has to lead by example, and middle management has to be encouraged to display the right behaviour. The consistent message across the organisation should be that there will be no tolerance for bribery and corruption. Staff should also take responsibility for risk: identifying, assessing, monitoring and reporting it, and responding to and escalating it as necessary. Whistleblowers should be provided with appropriate channels, and enforcement such as disciplinary action is a must if people are to take it seriously.

Karen readily admitted that strengthening risk culture was a challenge. But, because it will ultimately improve decision-making, it should be undertaken. “Employees must be empowered to challenge,” she said. “The organisation must be open to dissent.” Remuneration and performance must be considered in the light of the long-term health of the company, she added, suggesting some practical steps to building a strong risk culture. These included ongoing dialogue on risk culture at management level; a complete assessment of the organisation’s existing culture; and a clear picture of what the desired culture should look like.

Planned cultural change with tangible recommendations will only happen with top management support, together with buy-in from stakeholders and incentives, she said. The journey of developing a viable risk culture must include well-calculated and understood risk-return trade-offs and a comprehensive ERM strategy, she advised. “It’s a long journey,” she concluded. “As the organisation matures, its people will mature as well, and there will have to be changes along the way. These need to be managed through consistent communication and education.”
