ken-co

A Boutique Governance, Risk, and Technology Consulting Firm
Digitization | Analytics | Risk  | GRC | SOX | ISO | SOC | Forensic Audit | Privacy Law

 


Significance of Risk Culture in an Organization

Introduction

We humans are social animals.  Our ability to organize ourselves into groups and work harmoniously together is argued to be one of the key factors that has made us the dominant species on Earth.  Though many other animals are able to work together (e.g., bees, lions, etc.), no other species is able to form groups of large numbers and still retain flexibility in governance the way we can (e.g., bees can work together in large numbers but are trapped within the rigid hive system; lions can work flexibly together but are unable to form large groups without splitting up).

Whenever a group of people interact with each other over a period of time, a set of unwritten rules tends to take shape.  This may range from how people greet each other to the disciplinary actions taken for misconduct.  The formation of this set of unwritten rules has proven to be inevitable throughout history.  In all ages and eras, groups of people have come up with these guidelines for behavior that were seldom explicitly acknowledged but always known to every member.  In time we dubbed this set of unwritten rules “Culture”.

What is Culture?

Culture in a nutshell is the “how we do things around here”. As with all our previous attempts to form groups, companies and organizations are no exception: they too form their own cultures. Perhaps culture can be defined more formally as the set of behavioral patterns that are manifested within a group and reinforced by all its acting members. It is the set of values, expectations, and practices that guide and inform the actions of all members.

Importance of Culture

Formally acknowledged rules and regulations need to be well thought out, established, and communicated (verbally or through documents) to employees and staff.  If a change is required to be made to this set of rules, the process of making the change is usually time consuming and, depending on the size of the organization, cumbersome.  Culture, on the other hand, is dynamic and ever evolving.  Moreover, culture doesn’t need to be formally communicated.  People are inherently wired to pick up on the social cues that indicate a change in the culture.

This provides culture a unique advantage over the formal set of rules.  It can allow organizations to quickly adapt to changes if the right cues are provided.  However, this also creates a potential downside.  Negative culture too can spread throughout the organization at the same rate.  If it comes to the question of whether to follow the explicitly written rule or the culturally implied rule, most people tend towards the latter.  This makes it important to carefully mold culture within an organization to be aligned with its goals.

How is Culture Molded?

The art of molding culture starts from the very top of the organization.  It is the leader who sets the standard.  What’s important to understand here is that the leader molds culture whether he/she intends to or not.  If the head of the organization is lax in his/her attitude regarding security or work ethic, undoubtedly the rest of the organization will come to mirror this behavior.  On the contrary, if he/she is hardworking and prioritizes security, the employees and staff will also tend to do so.

Perhaps the best way to think about this is to understand that a group or organization will tend to mirror the behavior and actions of its leader.  It is the leader to whom everyone turns when they are in doubt of the right form of action.  This may not involve explicitly asking the leader what to do but may amount to mere observation.  This is why a change in leadership usually results in a change in the attitude of the entire organization.  In order to foster a good culture, a leader must be careful to speak and act in line with the desired culture and make sure that he/she is seen speaking and acting in this manner by everyone.

 

Risk Culture

So far, my attempt has been to give you a brief yet comprehensive understanding of culture and why it is important.  Now let’s explore risk culture specifically and see why it is vital to any organization.

Risk culture can be summed up as the attitude, beliefs, and knowledge that an organization holds towards risk.  There could be many factors that contribute to the creation of an organization's risk culture:

  • Organizational attitude – This refers to the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance, and responsible business behavior. The top management has to clearly demonstrate their approach to risk and the middle management must ensure that it is made visible and evident to everyone within the organization.
  • Tangible mechanisms – These include many things forming the risk governance structure, including corporate value statements, code of conduct and ethics programs, policies and procedures, risk committee oversight activities, incentive programs, risk assessment processes, key risk indicator reporting and performance reviews and reinforcement processes, among other things.
  • External attributes – These attributes include regulatory requirements and expectations of customers, investors, and others. This aspect is particularly important for organizations dealing in industries that are categorized as sensitive such as health care.
  • Relationship with overall organizational culture – Risk culture is a part of the overall organizational culture and is deeply influenced by it. It is perhaps impossible to separate an organization's risk culture from its overall culture as the two are almost always intertwined.
 

What Constitutes Strong Risk Culture?

  • Positive risk related behavior – Strong risk culture has generally been associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior.
  • Good risk structures – Good risk structures such as policies, controls, IT infrastructure, training, and remuneration systems, etc. appear to support a strong culture and ultimately less undesirable risk behavior. Risk structures by themselves however do not guarantee good risk culture.
  • Good communication between management and employees – Effective communication between the management and employees is necessary not just for good risk culture but also for organizational wellbeing overall. Management must be able to effectively communicate the risk appetite and relevant attributes to the employees and employees must not be afraid to speak the truth to the management regarding matters at their end.

Common Risk Culture Pathologies

  • Active rejection culture – This conviction involves the rejection of internal or external risk control guidelines and expectations as irrelevant or inconvenient. This attitude can come about if the senior management of the firm is either distracted or tacitly endorses the same through their actions.
  • Under Performance culture – This culture is linked to ignorance or an incomplete understanding of the internal or external guidelines and/or expectations and arises from a lack of focus, deficiencies in governance, risk management personnel, systems etc. This culture forms an unspoken assumption that obscurity or small size of the organization or other factors are compensating for the lack of pro-active risk management.
  • Compliance culture – The focus within this culture shifts to “letter of the law” compliance and there is an indifference towards the “spirit of the law”. This can range from a “minimum requirements” compliance attitude to one of “hyper-compliance”, where every requirement is meticulously met but not really internalized. This culture could have an additional disadvantage as the compulsive adherence can hinder business functions and harm the organization.
  • Culture of fear – This refers to an overly authoritarian culture where the instinctive disagreements of staff and employees are suppressed. Essentially all responsibility for risk management rests with the senior ranks.
  • Overconfident culture – This is more of a secondary pathology. High performing firms with good knowledge of internal and external guidelines and expectations may make the conscious decision to operate at the margin of safety in the assumption that risks are adequately mitigated. However, the often chaotic nature of risk might cause harm if there is not sufficient room for error.

Some Underlying Reasons for Weak Risk Culture

  • Short termism – With a short-term horizon individuals (or whole units) may make a (possibly rational) re-evaluation of their risk buffers for given risk tolerance and decide to magnify gains.
  • Penalties or lack of rewards – Skilled personnel with intrinsically sound risk culture may opt to stay on the sidelines because acting on their views may lead to penalties or be simply ignored. A minimum requirements culture is then seen as a safe haven.
  • Lack of requirement clarity – Staff are not clear as to what the expectation around risk management is because this is not clearly defined and/or communicated by senior executives.
  • Lack of adequate skills or knowledge – This can be an important factor for both management and staff. For example, a formal compliance culture may establish units where people are more concerned with not being “seen” as non-compliant and they do not have their own views or convictions around risk management. This can lead to a check list approach without an understanding of the inherent reasons for the risk culture practices and this would not allow individuals to make good decisions when even the slightest ambiguity arises.
 

Measuring Risk Culture

Qualitative methods – Arguably the best way to measure and understand an organization's culture is through direct observation.  Most of the time people may be unaware of many of the assumptions that affect their behavior and may take them for granted.

An issue with using qualitative methods is that the results may not be directly comparable with those of other similar organizations.  This is due to the fact that even organizations engaged in the same or similar businesses may have very different cultures.

Quantitative Methods – Quantitative methods use standardized approaches of analysis through statistical tools. These methods do not provide in-depth observations but are more objective and allow the comparison of different situations.  Examples of some quantitative methods are engagement surveys, indicator dashboards, validations etc.

Improving Risk Culture

As stated before, culture can be molded and improved with the right efforts.  Developing an organization's risk culture to proactively recognize both unique opportunities and risks in the environment is an achievable and definitely a desirable goal.  This involves the following:

  • Formally embed desired practices – Accountabilities for risk management and desired risk management behaviors should be reinforced through committee charters, policies, job descriptions, limit structures, procedures, and escalation protocols. This step must be undertaken with a clear vision and must not leave room for ambiguity.
  • Executive involvement – After the practices have been defined and documented, the executive management must support the desired risk culture by demonstrating the desired behaviors through their actions and decisions over time, as well as by periodically communicating value contributed by the organization’s risk culture.
  • Alignment with other organizational aspects – Defining the risk culture in isolation and not aligning it to the rest of the organizational practices and aspects may be ineffective and sometimes may even be counterproductive. When integrated with a comprehensive program that aligns performance expectations, roles, responsibilities, and compensation structures with appropriate risk taking, they reinforce critical aspects of the desired risk culture for employees.
  • Periodic evaluation – Perhaps the most important among these steps is periodic evaluation. As we have seen before, culture is ever evolving.  This makes it necessary to constantly be vigilant to the current status of things within the organization.  The management must constantly look for signs of change and adjust the approach as required.
  • Consistent messages and actions – Once a clear idea has been established as to what the risk culture should be, the same should be communicated appropriately and reinforced through action of the management. Actions must be strictly in line with the communicated goals.

Challenges to Strong Risk Culture Implementation

  • Organizational Complexity – Generally the larger the organization, the more difficult it is to change its culture. The number of employees alone can have an inversely proportional impact on the ease of implementing cultural changes.
  • Lack of top management commitment – As we have seen, no lasting cultural change is possible without the active involvement of the top management. This is perhaps the biggest of the challenges to implementing a strong risk culture.  If the top management is not fully on board, all other efforts may prove to be in vain.
  • Employee reluctance – Change can be uncomfortable no matter how small. Employees who are set in their ways may be reluctant to adopt better risk culture practices as this may involve more responsibility or changes in their roles.
  • Stakeholder reluctance – It is possible that a change in the risk culture may be objected to by the organization’s customers, shareholders etc. This may be due to varying factors such as lack of complete information, varying risk tolerance etc.
 

Examples of adverse effects of weak risk culture:

  • In 2018, Uber was fined over $20 million for the loss of confidential customer data. Senior leaders, including the CEO, were fired, and customers switched over to competitors.
  • The Cambridge Analytica scandal at Facebook, which involved massive misuse of private and personal data, resulted in the largest stock market drop in value in history – $120 billion.
  • Wells Fargo’s fake customer accounts scandal of 2018 resulted in over $1 billion in fines.
 

Risk Culture as a Competitive Advantage

A proactive risk culture could serve as a significant competitive advantage for organizations.  The ability to foresee challenges and take action before competitors can give the organization a first mover advantage which might prove crucial to success and long-term survival. 

Another factor that is indispensable for long term survival is the adherence to an ethical standard.  An organization that does not keep itself and its people in check against unfair and unethical practices is bound to end in ruin.  Whatever interim benefits are gained by the use of these unfair practices will be more than lost in the long run.  Therefore, a strong risk culture that fosters vigilance both internally and externally can serve the organization well over the years.

 

Concluding

This paper has been an exploration of the significance of risk culture.  I have attempted to give an explanation of the core idea behind risk culture by starting from the nature of culture itself, where it comes from and how it can be leveraged to our advantage.  We have seen both the advantages of strong risk culture and the consequences of an ignorance towards it.

At the end of the day, good risk culture comes down to whether or not a person has the knowledge of what is “right” and “wrong” and then whether they choose to do the “right thing”.  The risk culture must be clear on defining right and wrong, promoting them throughout the organization and reinforcing them through decisive action regularly.  This should come from corporate values, manifested in the risk appetite and policies, practices and behaviors of our senior management and board. The uncertain “grey” area between right and wrong should be minimized as far as possible.

Culture as a whole is perhaps an elusive concept.  It is one of those ideas that everyone intuitively understands but is hard to explain.  It has been proven time and time again that culture is a strong contributing factor to the success of an organization.  There are sufficient examples to show that a strong and positive culture could compensate for disadvantages in areas that were traditionally considered more important.  The effort that an organization puts into actively molding a strong and positive culture is bound to pay off in the end in the form of better opportunities, rewards, reputation, and customer satisfaction. As Peter Drucker famously said, “Culture can eat strategy for breakfast!”

Author

The author, CA Narasimhan Elangovan, is a practising CA and partner at KEN & Co. He is a GRC Professional, a Digital transformation catalyst and an author. He believes in the power of technology to solve everyday problems. He can be reached at narasimhan@ken-co.in

 