Board members have taken a greater interest in their company's risk management programs, trying to understand the top risks facing the organization and their risk mitigation plans. But one area of the risk management program that has not been a focus until now is a company's "risk culture," a critical element of risk management efforts and an area that board members should better understand.
What is Risk Culture, and Why is it Important?
Part of the challenge in addressing the issue is obtaining a clear understanding of what is meant by "risk culture." It can be defined as the system of values and behaviors present throughout an organization that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits.
One element of risk culture is the degree to which individuals understand that risk and compliance rules apply to everyone as they pursue their business goals. To start, that requires a common understanding of the organization and its business purpose (i.e., their raison d'être). Today, some seem to have lost sight of those business goals, forgetting that they serve the company and shareholders, and not the other way around.
A company's risk culture is a critical element that can ensure that "doing the right thing" wins over "doing whatever it takes." In fact, in a recent KPMG International survey of almost 500 bank executives, almost half (48 percent) of respondents cited risk culture as a leading contributor to the credit crisis. Clearly, those financial institutions that have a history of strong risk culture have weathered the storm best.
Although risk culture has become a fundamental building block of good ERM practices, many companies show evidence of deficiencies in this area. For instance, more than half (58 percent) of corporate Board members and internal auditors surveyed by KPMG said that their company's employees had little or no understanding of how risk exposures should be assessed for likelihood and impact. One-third of those same respondents also said that key leaders in their organization had no formal risk management training or guidance, with only 16 percent receiving at least annual training.
Employees need to understand how to make educated risk-related decisions to ensure consistent risk behavior throughout the organization. But without training, there is no basis for critical thinking and judgment around risk decision-making. Ultimately, without a strong risk culture, an otherwise strong ERM program may nevertheless fail to consistently prevent poor decision making within the enterprise.
The first step to asserting the importance of risk culture is to begin a dialogue with management on the topic. To start the discussion, below are some recommended questions that directors can bring to their next Board meeting.
What's the true 'tone at the top'—and 'in the middle?'
A management team that places importance on risk culture is essential to creating the right risk management tone throughout the enterprise. While the phrase "tone at the top" may be over-used, there is simple truth in the idea that when leadership sets the example, others will follow. Risk culture can't be changed if the charge is coming from the risk management function alone; leadership must represent the real driver of change.
While the CEO and other "c-level" executives must be committed to risk management, it is important to realize that senior and middle management throughout the organization also set the tone and influence behavior. When KPMG conducted a focus group of its own employees, it found that "tone at the top" was often set by immediate supervisors. In order for the tone to trickle down, management at all levels should receive risk management education and training so that they clearly understand the company's approach to risk.
Furthermore, management must follow their own risk management policies so that employees will know that non-compliant behavior will not be tolerated and that the organization takes risk management seriously. For instance, a middle manager who engages in reckless transactions beyond the company's stated risk tolerance or threshold sets an example for employees that risky behavior is accepted. Management should analyze their own decision-making in light of the company's official risk policies.
Is there effective communication around ethics and risk?
Setting the appropriate "tone at the top" requires good communication. Leadership must send a message that is heard throughout all levels of the organization—not just in the boardroom. Risk culture is not something that can be changed overnight. It requires constant, consistent messages to employees that managing risk is a part of their daily responsibilities, and that it is not only valued, but critical to the company's success and survival.
Ethical behavior is a key component of a strong risk culture. A Code of Conduct can help a company effectively communicate its expectations of ethics and compliance. A Code of Conduct should set forth the organization's core values, ethical standards and expectations for its employees. It can also introduce how risk management should be incorporated in employees' day-to-day conduct.
There is evidence of a substantial link between the existence of a formal ethics program and the ethical behavior of employees. Just last year, KPMG surveyed more than 5,000 U.S. workers and found that 55 percent of the employees whose companies had ethics and compliance programs reported witnessing wrongful activity. By comparison, 72 percent of respondents whose companies had no formal ethics and compliance program witnessed wrongful activity.
Good communication also means continual improvement in how the risk function and the business lines work together to ensure that consistent risk information is shared across the business. In addition, Board members must receive an appropriate level of corporate risk data to gauge whether current risk management practices are appropriate. Directors can only provide risk oversight if they are given timely and complete information, and when the lines of communication are open to discuss risk issues with the CRO and other senior executives.
Are employees incentivized to "do the right thing?"
Recent discussions of the failings of financial services companies have brought the issue of incentives into the spotlight. Though perhaps one of many issues in the grand debate over risk management, this topic's publicity allows companies to focus on whether their own incentive programs properly reward employees for long-term prudent conduct.
When companies reward reckless conduct, or results gained through any means, the risk management message becomes diluted. Rewards for all employees at all levels, from the shop floor to the CEO, should depend on whether their actions comply with the organization's strategy and risk appetite. Further, the evaluations of CEOs, CFOs and other senior management must include their ability to promote appropriate risk behavior throughout the organization and make appropriate risk-based decisions.
Rewarding inappropriate conduct sets a bad example for how employees should conduct themselves. It also sends the message that the company does not value risk management, and that may discourage employees from reporting unethical or unwise conduct. In addition to setting appropriate standards, organizations must create formal working channels and procedures for reporting incidents, and ensure that confidentiality is upheld.
Is risk formally considered during decision-making?
While most organizations would say that they consider risk when making decisions, the reality is that this is frequently done informally, relying on an individual's understanding of and skills in risk management. For example, individuals may not always consider all the unintended consequences of their decisions, such as non-compliance with regulation in various jurisdictions, competitive product development and impact on their brand/reputation.
Organizations with a strong risk culture have a consistent and repeatable approach to risk when making key business decisions, including a discussion of risk and a review of risk scenarios that can help management, and ultimately Board members, understand the inter-relationship and impacts of risks. A discussion of risk in the formal decision-making process can help executives feel comfortable with the decisions they make, allowing them to pursue the interests of the company more assertively.
When considering decision-making, there should also be an examination of the sphere of control that managers and employees have over their decisions. Sometimes without leadership's knowledge, mid-level managers may have decision-making authority that potentially puts millions or billions of the company's money at risk.
How does your risk culture extend beyond your organization?
While it may not be reasonable to expect outside service providers to have the same risk culture as your organization, a company may set service levels and metrics to ensure that providers manage risks within your company's guidelines.
Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid the potential of vicarious liability by the poor decisions of an alliance partner.
Does the organization consider risk in the hiring process?
In some ways, creating the right risk culture starts during the interview process. Organizations that have thorough hiring processes can sense whether prospective employees will fit into the company's risk culture during the interview stage. It can be challenging to change a conflicting risk mindset after the fact; it is easier to start with employees who already share similar values and ethics.
Risk Culture Taking Shape
The questions above only scratch the surface of risk culture. As management and Boards sharpen their focus on this emerging area of enterprise risk management, more answers—and more questions—will arise as to how companies can most effectively change behavior and influence risk behavior enterprise-wide.
Having a strong risk culture means that employees know what the company stands for, the boundaries within which they can operate, and that they can discuss and debate openly which risks should be taken in order to achieve the company's long-term strategic goals.
A strong risk culture can be built over time, but it also has to be inspired. Management's actions, together with consistent, ongoing communication around ethics and risk management, are the first steps to instilling such a culture because they demonstrate that inappropriate behavior will not be tolerated. Board members can help instill such a culture by asking the right questions and providing an outside perspective on what is and is not working. Once leadership starts on the right path—and stays on it—the organization will slowly but surely follow.
This article represents the views of the authors only, and does not necessarily represent the views or professional advice of KPMG LLP.
Provided by Directorship—The Leading Publication for Boardroom Intelligence