Developing corporate risk culture: it's worth it

Financial institutions are increasingly realising the need to integrate rigorous risk management processes into their businesses. However, creating a risk culture is not straightforward, especially for most financial institutions which are traditionally bureaucratic organisations.

Integrating risk management into the business decision process starts with the leadership team and requires a structured communication process and improved cooperation across the organisation.

However, traditional bureaucratic structures train employees in specific functions rather than an entire process. It seems easier, more efficient, and appears to limit the introduction of additional risks. 

Bureaucracies don’t tend to communicate across functions as they are seen as independent. Rather they tend to delegate communication to a manager responsible for the entire process.

Meeting the challenge of communication and cooperation often flies in the face of functional business units. An effective risk management culture requires exactly the opposite of bureaucratic characteristics.

To avoid exceeding overall risk tolerance, each business unit needs to identify the risks they are taking on and communicate those to others in the organisation.

Creating an effective risk culture means:

• Reversing the independence assumption behind a bureaucracy; and
• Generating an awareness that all business units need to consider the effects of their actions on other business units.

This involves breaking down the independence of the units – a change that needs careful management to leverage the benefits of a bureaucracy while reforming the culture. Creating a risk culture in an organisation requires significant communication and cooperation across all business units in order to identify inherent risks and ensure they stay within agreed limits.

For example, managing operational risks is a highly complex process. It involves evaluating operational controls and potential losses from any events – a process that needs to reflect the dynamism of operational risks and their movement between unknown and known. 

Businesses will want to make sure their overall operational risk exposure remains relatively low. As processes change or external threats are recognised, ongoing and effective communication flows across business units are needed so people can cooperate effectively.

Whereas financial reporting is both historical and expectational, risk management is solely expectational. Risk occurences in historical financial reporting are embedded either explicitly in the case of specific losses or gains or implicitly in the case of consequential risks such as reputational risks.

Also, whereas financial results do not impact other business units, risks arising in one business unit may have flow on effects to others. It is this cross-unit interaction that makes the creation of a risk culture for the group difficult to achieve.

An even greater challenge is broadening people’s concept of risk aside from the solely financial. For example, risks to an organisation’s reputation could have rolling effects on sales and recruitment, staff morale and employee engagement.

Similarly, organisations that are over-reliant on key personnel and have no succession planning or poor management might also have high risk. 

It is also wise to separate board risk management committees from finance and audit committees, in order to go beyond financial indicators.

This way, attention is paid to leading indicators (such as reputation and customer satisfaction) before their impact becomes evident in financial performance and it’s too late and too expensive to address.

The creation of an effective risk culture requires a complete reversal of the independence assumption behind a bureaucracy. It requires the creation of a view that all business units need to be considerate of the effects of their actions on other units.

While such initiatives might please the shareholders, they involve a total organisational mind shift that cannot be achieved from the top down alone.

Bottom up acceptance requires employees to understand and see the benefits of collegiate behaviour – a culture change that is hard to achieve in traditional financial services organisations with high level technical skills, but low communication or people skills.

According to a recent KPMG survey of Asia Pacific Chief Executive Officers (CEOs) , more Chief Financial Officers (CFOs) are coming from generalist backgrounds rather than accounting backgrounds – a welcome shift. However, only 12 per cent of CEOs thought that CFOs’ greatest contributions came from governance, risk and compliance.

Also, as people move up in hierarchies, those below are reluctant to give them negative feedback, particularly in countries such as China or Malaysia.  Leaders who are tempted to believe in their own omniscience can easily be blindsided by unexpected negative events, while the stories of persecuted whistleblowers are all too common.  

Organisations must be willing to listen to their employees, and employees need to be empowered to highlight potential risks. Creating an effective risk culture is a complex task that starts with the company’s leadership. Ask yourself: If I were a venture capitalist, would I invest in this company?

The leadership team needs to start by establishing and communicating a risk statement that conveys concepts and expectations, including:

• How best to identify risks;
• Organisation-specific definitions of acceptable and unacceptable risks;
• The importance of communicating changes in risks between business units; and
• The processes for communicating changed risks to other business units.

Those who make the necessary changes in organisational structure and culture will reap the compound benefits – an effective risk culture and a more engaged, productive and innovative workforce.

It’s a risk that’s well worth taking.