Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite — you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company.
The interactions among all of these are not predictable, and variables cannot accurately be isolated.
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” — a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.
ERM policies, systems and reporting dashboards are all part of the foundation for good risk management. Once you have all of these in place, you can start building an effective risk culture. Remember also that there is too much complexity and subjectivity in culture to assume that individual reactions and responses can be aggregated to reflect or give an accurate picture of the whole organization’s risk culture. You cannot “pop” an effective risk culture in the microwave; it takes a lot of preparation, dedication and time to get it to perfection.
You can have the best staff retention rates in the industry or the most awards for long service — both of these can also indicate a high risk of employee fraud. According to ACFE research: 53% of fraudsters have more than five years of service and the median loss for fraudsters with six to 10 years of service is $200 000. 52% of fraudsters are between 31 and 45 years old, and older fraudsters tend to cause larger losses.
Scanning the horizon might just be the most important thing to do. You cannot control or stop what is coming; you have to prepare to respond to it. So many organizations spend large amounts of money to focus and report only on what is happening inside the organization, where they actually have control. Your biggest risks are outside of the organization, where you have no control.
Key elements for the future of your risk strategy should include internal networking; you have to talk to the informal groups and their informal leaders just as much as you do talk to the executives and managers, maybe even more. The real business does not always get done in the formal “boxes and lines” structure.
Just as important are the aspects of desk research and external networking. To have a good risk management strategy and action plan, you have to know everything about your industry, markets, competitors, supply chain, alternative supply chain, global risks in a connected world and many more. Failure to adapt your business model to the ever-changing internal and external risk environments will lead straight to the corporate graveyard.
The future of risk management is just: “risk management through people.” You can have the best systems, great models and scenario analysis with elaborate dashboards; at the end of the day a person will take a decision.
Are your employees aiming at more than one target, or do you have a clearly defined risk for reward strategy and risk appetite statement to guide them? Business strategy and risk culture are parts of an interdependent system.
Start working on your success by training every employee with some basic risk management skills.
As my Moody’s colleague Sarah Tennyson wrote last year: “Enterprise-wide risk management requires a shift in the behavior and mindset of employees across an organization. To realize the full benefits of improved systems, tools and analytical skills, people need to learn new ways of perceiving situations, interpreting data, making decisions, influencing and negotiating.”
This was originally published at Zawya.