Directorship May 12, 2009, 1:59PM EST

What's Your Company's Risk Culture?

It's important for directors to understand the risk culture because it influences the decisions of management and employees, even unconsciously

Board members have taken a greater interest in their company's risk management programs, trying to understand the top risks facing the organization and their risk mitigation plans. But one area of the risk management program that has not been a focus until now is a company's "risk culture," a critical element of risk management efforts and an area that board members should better understand.

What Is Risk Culture, and Why Is It Important?
Part of the challenge in addressing the issue is obtaining a clear understanding of what is meant by "risk culture." It can be defined as the system of values and behaviors present throughout an organization that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits.

One element of risk culture is the degree to which individuals understand that risk and compliance rules apply to everyone as they pursue their business goals. To start, that requires a common understanding of the organization and its business purpose (i.e., their raison d'être). Today, some seem to have lost sight of those business goals, forgetting that they serve the company and shareholders, and not the other way around.

A company's risk culture is a critical element that can ensure that "doing the right thing" wins over "doing whatever it takes." In fact, in a recent KPMG International survey of almost 500 bank executives, almost half (48 percent) of respondents cited risk culture as a leading contributor to the credit crisis. Clearly, those financial institutions that have a history of strong risk culture have weathered the storm best.

Although risk culture has become a fundamental building block of good ERM practices, many companies show evidence of deficiencies in this area. For instance, more than half (58 percent) of corporate Board members and internal auditors surveyed by KPMG said that their company's employees had little or no understanding of how risk exposures should be assessed for likelihood and impact. One-third of those same respondents also said that key leaders in their organization had no formal risk management training or guidance, with only 16 percent receiving at least annual training.

Employees need to understand how to make educated risk-related decisions to ensure consistent risk behavior throughout the organization. But without training, there is no basis for critical thinking and judgment around risk decision-making. Ultimately, without a strong risk culture, an otherwise strong ERM program may nevertheless fail to consistently prevent poor decision making within the enterprise.

Conversation Starters
The first step to asserting the importance of risk culture is to begin a dialogue with management on the topic. To start the discussion, below are some recommended questions that directors can bring to their next Board meeting.

• What's the true 'tone at the top'—and 'in the middle?'

A management team that places importance on risk culture is essential to creating the right risk management tone throughout the enterprise. While the phrase "tone at the top" may be over-used, there is simple truth in the idea that when leadership sets the example, others will follow. Risk culture can't be changed if the charge is coming from the risk management function alone; leadership must represent the real driver of change.

While the CEO and other "C-level" executives must be committed to risk management, it is important to realize that senior and middle management throughout the organization also set the tone and influence behavior. When KPMG conducted a focus group of its own employees, it found that "tone at the top" was often set by immediate supervisors. In order for the tone to trickle down, management at all levels should receive risk management education and training so that they clearly understand the company's approach to risk.

Furthermore, management must follow their own risk management policies so that employees will know that non-compliant behavior will not be tolerated and that the organization takes risk management seriously.
