5 minute read
How to Develop a Robust Risk Culture In An Organisation
The Risk Echo
How To Develop A Robust Risk Culture In An Organization
Most organizations today have devoted significant resources for ensuring that they continue to remain competitive and meet the constantly evolving needs of their customers. This has led to an increase in the usage of data and automation to drive strategic initiatives. Risk professionals have also been forced to adapt and enhance their risk management capabilities to ensure risks are managed within acceptable tolerance limits.
Martin Sekaziga BA Com Sc, MS Accounting, CPA, CISA, CFIRS, CAM
Chief Risk Officer, Stanbic Bank Uganda
Most of the risks introduced by the changes happening today are not new, they have only been heightened. This requires a new risk management mind-set that uses data and automation to enhance the quality and effectiveness of risk analysis. However, even with improvements in risk management, there is one area that could severely damage an organization’s ability to continue as a going concern, and that is its risk culture or risk “DNA”. According to Andrew Bailey, Governor of Bank of England, the major prudential or conduct failing of our time has been attributed to a poor culture as manifested in governance, remuneration, risk management or tone from the top.
So why is risk culture important and why should organizations care?
Getting risk culture right will determine an organization’s success in identifying and mitigating risks, and could be a competitive advantage. Organizations spend a lot of resources marketing their services or product offerings to their customers. This eventually leads to brand equity that is directly correlated to how the market perceives the organization. Poor ethical behavior could quickly lead to an erosion of trust that took years to build, adversely impacting the survival prospects of the organization.
Embedding a strong risk culture requires a deliberate and sustained effort. What are some of the key areas that an organization can focus on to drive the right risk culture?
Corporate purpose and values
The first step to creating a strong risk culture is to ensure that the organization’s purpose and values have been clearly articulated and are well understood. Lack of clarity can cause confusion and lead to undesired outcomes. Corporate purpose and values should be embedded in the code of conduct, so as to guide employees to always do the right thing. Even more importantly, employees who have understood and embraced the organization’s purpose and values, are more inclined do to the right thing regardless of whether policies, procedures, or standards exist. It is built in their sub-conscious and it drives their behaviors.
Corporate purpose and values also set the foundation for how an organization’s employees engage with each other and their stakeholders.
Lastly, to be successful, organizations should have robust mechanisms in place to reenforce their values on a regular basis so as to influence a behavioral change in the manner in which employees conduct themselves.
Tone at the Top
The board and senior management have a great influence on the risk culture of any organization. A positive tone from the board and senior management for enterprise risk management goes a long way in building a strong and positive risk culture.
The tone should not only be in words but in actions, such as approving risk management policies and procedures, and supporting risk recommendations, as well as ensuring that there is an appropriate risk management structure in the organization.
The consistency with which the board and senior management demonstrate the desired behaviors is an important signal to all employees, and reinforces the behavioral expectations. The board and senior management should effectively oversee the organization’s risk culture, and matters related to risk culture should be given prominence in board and senior management governance forums, and accountability established for any outcomes that are misaligned to the organization’s values.
Active leadership engagement will provide the board with more reliable information of the general environment and how employees are practicing the organization’s values.
Establish clear lines of accountability
Everyone in the organization needs to have an appreciation of the consequences of their actions. Prudent actions can only take place in an environment where this has been clearly identified and ownership of risk has been established. One way to establish accountability is through the employee contracting process and the usage of balanced scorecards or performance dashboards to provide data insights related to whether employees are doing the right thing or not.
Employees of the organization should understand that they have a shared responsibility to escalate any issues that are misaligned to the organization’s goals. When mistakes are not reported or are covered up or when the process of holding people accountable is deemed to be ineffective, the wrong values will permeate across the organization and lead to undesired outcomes.
Performance and remuneration
Performance and remuneration programs should be risk-adjusted to reflect an employee’s demonstration of the desired values and culture. A practical way of achieving this is through the use of a balanced scorecard that considers data points related to strategic success and risk management.
Communication and awareness
Lessons learned should be used as a tool to reinforce organizational values and strengthen risk management capabilities. Communication and awareness should not be looked at as a one-time event but an iterative process that is designed to effect behavioral change.
Conduct monitoring
Organizations should build tools that provide them with the capabilities to identify, measure and assess their risk culture posture in real time. This should be aligned to their risk appetite, such that response measures are proportionate to the type of breach identified.
Conclusion
While the elements of a robust risk culture may be hard to define or even difficult to measure, the behavioral outcomes can be measured and tracked. Organizations that have been able to cultivate and establish a robust risk culture have enjoyed financial success and have gone on to build sustainable businesses that are capable of withstanding major disruptions in their operating environment.
