Is the concept of a corporate risk culture doomed to fail?

Financial institutions are being strongly encouraged by stakeholders to integrate rigorous risk management processes into their business. The aim is to assist businesses with mitigating risks. To successfully integrate risk management into the business decision process, it is necessary to have the concept and the importance of risk management understood by all employees and strongly endorsed and monitored by senior management and the board.This integration of risk management into the business decision process requires the establishment of a risk culture for the business. The risk culture can be thought of as the explicit and implicit understanding by all employees of what risks are acceptable and what risks are not, how to identify risks, and the need to communicate changes in risks across the business. A risk culture typically evolves from the integration of a risk statement endorsed by the board into the business decision processes and more likely to be implicit rather than explicit. Each company will have a different risk appetite and hence employees need to be very clear about what is expected.

However, the creation of this risk culture is not straightforward. As Simon Ashby, Tommaso Palermo and Michael Power reported in their paper Risk Culture in Financial Organisations: An Interim Report (London School of Economics and Political Science, 2012):

• “First, in contrast to public debates which emphasise values and the need to change mindsets, we learned of risk culture work streams with more of an emphasis on improving oversight structures and information flows, including performance metrics for risk and good compliance.
• “Second, from our discussions it also appeared that critical issues in risk culture were being played out in the space between what are called first and second lines of defence, suggesting that this distinction, which many take for granted, may not be helpful in advancing the debate about risk culture.
• “Third, improving risk culture was also seen by chief risk officers as a matter of improving the organisational footprint of the risk management function. This was more than just rolling out ERM systems but involved expanding the reach of informal risk processes, information sharing and escalation, and representation on key committees.
• “Fourth, we also heard concerns about a familiar issue – the role of documentation. The argument was that some documentary and evidentiary demands were creating the wrong kind of risk culture.”

The first observation would seem to indicate that businesses involved in the survey were more concerned with information flows than “values”, which we would argue is the appropriate process in the evolution and embedding of a risk culture in a business. Creating a risk culture will require significant communication and co-operation across all business units in order to identify risks inherent in the business and ensure they stay within agreed limits. “Values” is a different issue to risk culture, although we accept that values can affect the risks that might be taken on by a business.

A good example of this need is the management of operational risk, which is a highly complex process requiring estimations of the effectiveness of operational controls and consequent losses when operational risk events occur. This estimation process must reflect the dynamism of operational risks as the risks move to and from the ‘known’ state to the ‘unknown’ state. To ensure the overall operational risk exposure remains as close as possible to the businesses’ intended maximum exposure requires effective communication across business units as operational processes change or external threats are recognised.

However, the creation of an effective risk culture across the business then flies in the face of the bureaucratic structure in place in most institutions to allow growth through isolating tasks into small, manageable and seemingly independent functions. To quote an early researcher of bureaucracies (American sociologist Peter Blau, who in 1956 wrote Bureaucracy in Modern Society): “The type of organization designed to accomplish large-scale administrative tasks by systematically co-ordinating the work of many individuals is called a bureaucracy. The basic characteristics of bureaucratic organisation are specialisation, a hierarchy of authority, a system of rules, and impersonality”.

Traumatic change

All institutions adopt a bureaucratic structure in their business, as this enables employees to be trained in specific functions rather than an entire process, which would be more difficult to train them in and would introduce greater operational risk as well as human capital risks. One of the inherent consequences of a bureaucratic structure is that there is no need for communication between the functions as they are seen as independent. Any communication across the various functions is effectively delegated to a manager responsible for the entire process. An effective risk management culture, however, requires exactly the opposite assumption to that of independence of functions, requiring the various functions to identify and communicate risks being taken on, so that the overall risk tolerance is not exceeded.

The creation of a risk culture in an institution then requires the independence of the functions be broken down, a traumatic change that institutions need to manage carefully.

Although existing parallel management structures already exist in financial institutions related to financial management, these structures relate to very finite reporting, whereas risk management frequently involves less precision as to likely outcomes and especially as to timing of the outcomes. Certainly, the business units already report on a regular basis their financial results and expected future results through some reporting structure – then there is feedback, once these are consolidated and referenced to expected overall results. However, this type of reporting and management is different to that required for risk management.

Whereas financial reporting is both historical and expectational, risk management is solely expectational, with historical risk occurrences being embedded in the historical financial reporting either explicitly, in the case of specific losses or gains, or implicitly, in the case of consequential risks such as reputational risks. Also, whereas financial results do not affect other business units, risks arising in one business unit may well have flow on effects in other business units, and it is this necessary interaction that makes the creation of a risk culture for the group difficult to achieve.

Mind shift

An even greater challenge is broadening people’s conception of risk beyond that of financial risk to encompass, for example, the organisation’s profile in the media, which has huge potential for damaging an organisation’s reputation, with knock-on effects on sales and recruitment as well as the morale and engagement of existing employees. Similarly high risks are at stake if the organisation is over-reliant on key personnel, with no succession planning or little depth of strength in management. A simple question organisations can ask themselves is: ‘If I were a venture capitalist, would I invest in this company?’

For similar reasons, it is wise to separate board risk management committees from finance and audit committees, in order to go beyond financial indicators and ensure that attention is paid to leading indicators such as reputation and customer satisfaction. By the time the effect of such indicators is seen in financial key performance indicators, it may be too late to address. It will certainly take longer and be more costly to address.

The creation of an effective risk culture requires a complete reversal of the independence assumption behind a bureaucracy, and the creation of a view that all business units need to be considerate of the effects of their actions on other business units. Although this may be highly desirable from a shareholder value-creation perspective, it takes a complete mind shift within the organisation. The mind shift cannot be top-down driven, and it needs to be bottom-up accepted, which requires employees to understand and see the benefits of their collegiate behaviour. This is not easy to achieve. Financial services organisations typically have people who are highly competent technically but who do not always possess the greatest communication and people skills. This has led to a shift in the hiring of chief financial officers, who are now more likely to come from generalist backgrounds than accounting backgrounds, according to a recent KPMG survey of Asia-Pacific chief executives.

This is a welcome shift. However, the survey found that only 12% of chief executives thought that chief financial officers’ greatest contribution came from governance, risk and compliance. KPMG Malaysia’s managing partner Datuk Johan Idris said: “Chief financial officers should examine decisions through a value lens and challenge strategy from a risk perspective so that they are not bogged down in compliance and regulatory issues.”

Creating a culture where everyone understands the nature of risk, and sees it as part of their role to identify emerging risks and monitor existing risks, is a complex task. It requires organisations to be willing to listen to their employees and for employees not to be afraid of highlighting potential risks. Yet, the higher people go in an organisation, the less likely it is that people will give them negative feedback. This is particularly so in high-power distance countries such as China or Malaysia. Even where leaders are given warnings from within their companies, they may ignore them, believing in their own omniscience and infallibility. Leaders can thus be blindsided by unexpected negative events. Furthermore, it is well established that whistleblowers generally suffer from their actions, even if their actions benefit their company. To make this shift will require a considerable mind shift on the part of the company’s leadership. Some may be unable or unwilling to do so.

The nature of the organisational structure of financial institutions and the leadership skills of those who lead them will be the Achilles’ heel of attempts to create meaningful risk cultures. Those who do address the changes outlined above will reap the benefits not only of an effective risk culture, but also an engaged workforce, with the concomitant benefits of improved productivity and innovation. A risk worth taking.

John Evans and Grace McCarthy are associate professors at the University of Wollongong’s Faculty of Business