When the question of whether ERM is a success or failure comes up, it raises a further question: Why aren’t companies doing a better job of measuring the value it generates?
The reasons that the value of ERM is not quantified by companies include:
It is extremely hard to know when a loss did not happen because of ERM.
It is just as hard to quantify the cost of loss that did not happen.
It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
It is often hard to justify the time and expense of measuring something that is not easy to measure.
Having acknowledged some of these obstacles, the only way that companies will know if their ERM efforts are successful is to create some measurement scheme that makes sense for their particular situation. Without measurement, how would a company know not only if it wants to continue an ERM implementation but also how much to invest in it.
Let us look at a few possible approaches to measuring the value of ERM:
Once an ERM process has gained some level of maturity in an organization, this approach would take the form of looking at fairly common and reliable metrics on a before-ERM and after-ERM basis. (There are ERM maturity models, developed by experts, that can be used to evaluate how far along the path to full or optimal implementation a company has progressed.) In fact, each of the approaches described would only be reasonable if the ERM process had been in place and well-executed for some period.
Naturally, there will multiple variables, not just the practice of ERM, that play into these metrics, but that is true for most metrics, and explanations can and should accompany the numbers to explain such variables.
Such metrics would include: 1) number of insurance claims, 2) number of worker injuries, 3) number of lawsuits related to a risk/loss events, 4) number of days or hours production is lost because of a risk/loss event, 5) cost of insurance and 6) total cost of risk (TCOR). Thus, when reviewed before and after ERM, the metrics can be charted to show absolute changes in value as well as trend lines. It might even be possible to notice on a relative basis that there are fewer risk-related surprises brought to management’s attention because ERM effectively identified risks while there was still time to deal with them.
Each company will be able to come up with its own unique metrics based on what it is currently capturing, what it could capture and what is important to its business operations.
The value of ERM would be evident or could be computed from the before-and-after metrics.
“What If” Approach
In the “what if” approach, one or more of the most significant risks in the risk register, which did not materialize when expected because of mitigation by the company, would be selected. Perhaps this was a regulatory change that would have harmed a product line, but the company took lobbying efforts or did product redesign because the risk was appropriately identified, prioritized and mitigated.
The amount of the loss that the risk would have likely have produced would be computed. Even if it were an insured loss, the estimate would take into account such things as the potential increase in insurance rates, management time and all other attendant expenses not covered.
Since the risk did not produce a loss, the amount of the “what if” loss is the value of ERM.
Alternatively, a significant loss event that affected key competitors but did not affect the company using ERM could be used to assess value. Perhaps it was a natural catastrophe that the company was better protected for or a demographic shift that the company anticipated and reacted to because of ERM.
To get at ERM’s value, the company would have to approximate what the risk, if ignored, would have cost.
Lacking Any Other Explanation Approach
In “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School, published in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model,the case is made that, failing any other explanation, the companies with greater maturity have higher valuations because of it. Specifically, the study found that there was “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.” Organizations exhibiting mature risk management practices-as assessed with the RIMS Risk Maturity Model-realize a valuation premium of 25%.
Yet another approach that does not rely on metrics, per se, is a discretionary approach. In other words, the board, CEO or C-suite could attribute a value to ERM that is based on the recognition that the ERM process has, for example: 1) created a risk aware culture, 2) helped to identify and ameliorate risk, 3) made recovery from risks that have materialized much faster and more efficiently and 4) enhanced the brand among stakeholders.
The discretionary approach does require that management is involved in the ERM process, has an open mind about its contribution and will articulate its conclusions about ERM’s value so that the entire organization is aware of this assessment. Without management’s giving voice to its success, the question of whether it is a success or failure will haunt ERM.
There are undoubtedly other approaches that could be used. The key point is that companies that have invested in introducing ERM should do so in a vigorous way and should measure and communicate its value. This will ensure that the entire organization maintains a commitment to this important process.
Most of us have heard the phrase: “Culture eats strategy for breakfast.” It could be restated as, “Your actions speak louder than your words.” This means that management can dream up any strategy they want, but their behaviors and actions are what create the culture of an organization.
Culture drives how efficient an organization’s processes are. Culture drives the success or failure of an organization. Culture is the product of leadership decisions or the lack of decisions.
The best-articulated corporate vision and strategy are of no value if they cannot engage the hearts, minds and work habits of employees at all levels and convey a purpose beyond just profit.
A vision states where an organization wants to go; a strategy defines the path to get there; and the work culture describes how business processes are actually executed along the path toward the vision. The health of a work culture can range from a contagiously high-performance work culture to mediocre or all the way down to a disruptive, confrontational culture that can’t get much done on time or done right the first time. A disruptive culture can trump the best vision and strategies every time. On the other hand, if a work culture is nurtured and groomed to align with a carefully crafted vision and strategy, the positive momentum could be unstoppable.
Figure 1 shows possible scenarios of vision, strategy, culture and performance alignment and misalignment. Business process performance (small white arrows) is more correlated with the work culture (small red arrows) than with the vision or strategy (big blue arrow) of an organization. Work culture — not vision or strategy — culture drives business performance. The challenge presented by this dilemma is that the work culture is an invisible force that is hard to measure. It shows its good side when you watch it and only displays its bad sides when you look away. The work culture is the product of complex cascade effects inside an organization and is as much affected by leadership actions as it is by the lack of appropriate actions. If left unattended, it will create its own random world of hidden agendas, which will probably not be aligned with the priorities of the organization.
Figure 1 – 3 Possible scenarios of vision, strategy, culture and performance alignment
Corporate visions and strategies are usually rolled out in formal three- to five-year plans. Work culture management and monitoring is too often not in sync with that plan and referred as an “HR thing,” even though it is the gate-keeper of business performance. If you do not understand and actively manage the work culture, it will manage you.
Measuring Cascade Effects Risks
It would be wonderful if we could just plug a measurement device into an organization to check its health and the risks of cascade effects (Figure 2). The work culture defines how employees work with each other through communication, coordination and cooperation. It generates multiple slow-motion and rapid chain reactions, ripple effects and cascade effects that greatly affect the mood and attitude of the organization. It predestines an organization for success or failure.
Figure 2 – The challenge of measuring work culture health and risks
How can we measure the health of invisible cultural chain reactions that can drive the success, mediocrity or failure of an entire corporation? I suggest a series of management and employee surveys and brainstorming assessments to test for the presence of 56 different elements of risk that can be present at any level in an organization. (See Figure 3 for a partial view of the survey.) The culture assessment tool shown in Figure 3 should be used for at least three different levels of management in an organization. These three levels of perception will offer triangulation data points, which will show how common or diverse the perceptions are that describe the organizational culture.
Figure 3 – Partial view of a gamified organizational health survey
The Organizational Force-Fields That Drive Success or Failure
Chain reactions, domino effects, ripple effects and snowball effects are similar in that they are defined by the single acts that created them. Once triggered, they will play out their effects depending on the amount of resistance the system presents against them. Cascade effects are different. They are fueled by a hierarchy of multiple interacting triggers at different levels in the system. Time delays between cause and effect are common, making the direct correlations between cause and effect more difficult to identify. Each element of the cascade effect can create dramatic outputs involving as many as three degrees of separation, rippling through an organization. There are three types of organizational cascade effects:
Destructive tsunamis of non-cooperation and negativity
Expanding groups of status quo herd followers
Constructive waves of cooperation, empowerment, motivation and positivity
If all of the cascade effects are present in an organization at the same time, the result will be conflict, employee frustration and lack of momentum in the right direction. A random mix containing equal parts of motivated, frustrated, positive and cynical employees co-located for 40 hours a week is not a formula for success; it is a recipe for mediocrity or even disaster.
Positive Organizational Cascades
These are acts of positivity that multiply and can also spread from person to person. In 2010, researchers from the University of California, San Diego and Harvard published the results from their experiments in an article titled: “Cooperative behavior cascades in human social networks.” They showed that cooperative behavior can be just as contagious as bad behavior. They showed that positivity can spread from person to person to person by displaying random acts of cooperation, generosity and other positive behaviors. This creates a cascade of cooperation that influences dozens of people who were not involved in the initial trigger event.
Mediocrity and Consensus Cascades
These cascades are the result of contagious personal decisions to blend in with the crowd and not make any waves (also known as “group think”). Many researchers, including those from the computer science department at Carnegie Mellon University, have confirmed this phenomenon. Forces in organizations and society like peer pressure, blending in, the herd mentality and the band-wagon effect can cause an individual to follow the herd, even if that violates personal preferences and value systems of what is right and what is wrong. This is often done to save one’s reputation in a group and gain acceptance. Efforts to achieve team consensus can create the same phenomena, resulting in conclusions that might not always be the best ones. Teams can assign a “devil’s advocate” role to a participant to deliberately challenge “herd decisions” to counter this cascade effect.
In 2013, Forbes wrote an article titled: “Brainstorming is Dead…,” which summarized recent criticism by many about how creative people can get suppressed by other personalities during brainstorming events when the main priority is to get consensus on all brainstorming conclusions. Forcing consensus is as useful as it is dangerous. To avoid ineffective and dangerous group-think cascade effects, group decisions should build on each other’s ideas, when possible, to create innovative hybrid solutions and not pick one idea and totally discount another idea that might have a flicker of genius.
Negative Organizational Cascades
These are acts of negativity that multiply and spread from person to person in an organization. Risky, combative and uncooperative behaviors all have the unfortunate ability to multiply and spread to three degrees of separation from the original act. This can have a negative impact on dozens and even hundreds of downstream people not involved in the initial negative triggering acts. Negative human interactions can break the bonds of humanity and teamwork. These cascades can destroy the work culture, effectiveness and performance of an entire organization.
The Broad Influence of Cascades
Behavioral researchers have demonstrated with team experiments that positive, mediocrity and negative cascades can all have affect three degrees of separation (friends of friends of friends). Other researchers and computer models have determined that only three to four degrees of separation is what separates everyone in the USA, and only six degrees of separation separate everyone in the world. Exceptions to this rule are the secluded tribes in the Amazon jungle and other remote places. Yes, the world is smaller than we think, and actions really do speak much louder than words. Actions and behaviors can reach beyond the horizon and into different time zones.
The Organizational Forces Survey
The Organizational ForcesSurvey tests the health of the individual organizational forces that drive chain reactions, cascades and other behavior propagation phenomena. This survey asks participants to assess the presence of positive and negative organizational forces shown in Figure 4 by identifying the forces they believe to be present. This survey is given to all levels of employees and management.
Figure 4 – The Organizational Forces Survey used to assess the health of the work culture.
Figure 5 shows an example of survey responses, using the form in Figure 4, that were attained from the survey for three different levels in an organization: top leadership, middle management and non-management. One sign of healthy communications between management and employees is when organizational risk assessments are similar between different levels in the organization. However, that is not the case here.
In this survey response example, top leadership rated the health of the work culture as overwhelmingly positive (green). They perceived their environment to be a Grand Organization in the making. Unfortunately, non-management employee responses to this survey were at the opposite end of the scale (red). They rated the forces in the organization as overwhelmingly negative, filled with high risk and knocking on the door of a Grand Disaster. Middle management rated the work culture as mediocre (yellow), with some responses slightly positive and others slightly negative. This group of employees was apparently influenced by perceptions of top leadership and non-management.
Figure 5 – The range of survey responses from various levels in this organization shows major discrepancies in their perception of the health for the organizational work culture.
Grand investigations are often done after a loss of life disaster occurs, such as a NASA space shuttle disaster, a passenger airplane crash or an accidental employee death on the job. However, it is hard to find this level of effort and analysis applied to prevent such disasters. Deep and thorough disaster investigations often find flawed undisciplined leadership practices and organizational cultures at the root of the problems. It is also common to discover a zealous ambition to grow the business without really ensuring that a healthy work culture foundation is put in place to safely support such expansion.
Huge opportunities for organizational productivity improvements still exist today by cultivating a high-performance work culture. Breakthroughs can be made when organizations appreciate the fact that “culture eats strategy for breakfast,” a phrase coined by Peter Drucker, a famous management consultant, educator and author. True organizational greatness can be achieved when organizations look beyond trying to just manage the bottom line and learn how to manage, analyze and monitor the cultural forces and cascade effects that drive success or failure.
A grand vision and strategy can only revolutionize a company when the work culture is healthy, engaged and aligned with those concepts. Taboos on talk must be broken. Open, frequent and candid communications must exist between all levels in the organization. Employee issues and concerns must be addressed in a timely manner as proof that a functioning communication and countermeasure system are in place. Only then can an organization really have a chance to break its barriers to greatness.
This is Paper 4 in a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is in our view very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.
Paper 1, the shortest paper, makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. This article, Paper 4, answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operate based on the links between risk and strategy.
How are risk appetite, risk tolerance and risk limits related to one another? A range of differences in philosophy are influencing the gradual determination of internationally accepted definitions. Notwithstanding, we recommend the definitions and the sequence of diagrams and explanations given in the Institute of Risk Management’s (IRM) guidance, which are
A number of models exist that seek to describe the relationship between risk appetite, tolerance and risk; for instance, the Ernest and Young Risk Pyramid below:
How are organizations using risk limits and risk tolerances around those limits? Our experience in working with clients shows that organizations are continuing to struggle with basic risk concepts, definitions, language, responsibilities, reporting and delivery. Accordingly, while risk limits are set to contain risk-taking practices, lack of common language and loose interpretation of concepts is causing confusion within organizations and leading to limits being seen as negotiable within the context of risk tolerances. As a corporate discipline, risk management is in its infancy, and the quality of risk practitioners is generally poor. Risk limits are perceived negatively by business practitioners, who use their limited knowledge of risk tolerances to argue for greater flexibility in applying limits.
How do organizations facilitate early warning of potential breaches of risk appetite? In practice, we find that there is limited facilitation. Rather, business people see the concept of risk as limiting practices that drive value and, thus, adopt the business school mantra of “seeking forgiveness rather than permission.” This is made easier in organizations where risk is seen as a nuisance and impediment to business and where appreciation of quality risk management is not apparent at senior levels. Business generators tend to view risk as friendly and flexible, designed to support business generation. Thus, risk limits are treated like speed limits on the public highway, more for observation than observance. Accordingly, we find few cases where early warnings are seen as anything other than flashing lights on the dashboard. In many cases, early warnings result in a case’s being presented to the risk committee for raising limits, rather than resulting in severe braking to ensure conformity in risk management.
Much of the foregoing represents the cultural challenge of embedding risk as a serious discipline rather than a faux science treated as an add-on. This reflects the nascent nature of risk management and its failure to be seen at board level as front and central to strategy and its effective and safe execution. Culture and “tone from the top” are critical here. So is strong support for risk executives at senior management level and an appreciation that risk management is akin to the medical profession, where hygiene is embedded in all procedures and provides a safe and secure means of conducting business, rather than being an impediment. The absence of good-quality risk officers and of universally accepted definitions of risk also undermine the discipline in organizations where there are few effective sanctions against limits being broken.
How do organizations assess risk culture? Optimal risk culture is designed and nurtured on building blocks practically described as blocks ABC:
The building blocks are briefly summarized as follows:
Training, values and beliefs, reporting and continuous improvement directed at outcomes driving attitudes displayed by people, which
Influence their behaviors and thus the quality of their discussions and decision making, thereby
Manifesting as demonstrably credible risk culture.
Other than retrospective analysis of poor risk culture following various corporate crises, there is a limited body of reliable knowledge, and experience, on assessing “existing risk culture” and successfully navigating to a “target risk culture.” The IRM’s “Risk Culture, Under the Microscope: Guidance for Boards” describes multiple interactions:
Diagnostic tools are available to track the components described within the framework above. In our experience, however, such is the poor state of risk maturity in very many organizations that they are not sufficiently advanced to practically determine how they might chart a course from the existing to the target state of risk culture.
In 2011, the Financial Reporting Council produced the report: “Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors.” In the section on risk and control culture, the report said:
It was recognized that risk and control culture was one of the issues on which it was most difficult for boards to get assurance, although boards appeared to be making more efforts to do so.
The risk management and internal audit functions could play an important role, as could reports from and discussions with senior management, but some directors felt that there was no substitute for going on to the shop floor and seeing for themselves. It was otherwise very difficult to judge whether risk awareness was truly embedded or whether it was seen as a compliance exercise. This, in turn, assumed that non-executive directors had a sufficient understanding of the business, which some participants noted may not always be the case.
One common approach was to ensure that responsibility for managing specific risks was clearly allocated to individuals at all levels of the organization, with their performance measured and reflected in how they were rewarded.
In some companies, the remuneration committee had been given responsibility for considering how to align the company’s approach to risk and control with its remuneration and incentives. Examples were also given of the head of the risk management or internal audit function submitting reports to that committee, for example on how the company was performing against certain key risks, or being invited to comment on the details of proposed incentive schemes. More recently, the Financial Stability Board (FSB) in its “Peer Review Report on Risk Governance,” published in February 2013, identified ‘’business conduct’’ as a new risk category and said, “One of the key lessons from the crisis (GFC) was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.” In consulting and developing guidance for regulators, the FSB emphasizes the importance of risk culture as a principal influencer reducing the risk of misselling financial services products that can end up in the wrong hands with detrimental prospects for consumers in particular and society in general. Clearly, conduct risk is systemic, and inherently so when considered in the context of big data; that is to say, conduct risk is very unlikely to exist in isolation within an organization.
Separately, the FSB has articulated what it considers to be the foundation elements of a strong risk culture in its publications on risk governance, risk appetite and compensation. It has broken down the indicators into four parts, which need to be considered collectively and as mutually reinforcing. The four parts are:
Tone from the top: The board of directors and senior managers are the starting point for setting the financial institution’s core values and risk culture, and their behavior must reflect the values being espoused. The leadership of the institution should systematically develop, monitor and assess the culture of the financial institution.
Accountability: Successful risk management requires employees at all levels to understand the core values of the institution’s risk culture and its approach to risk, be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. Staff acceptance of risk-related goals and related values is seen as essential.
Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behavior. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.
Clearly, there is consistency in thinking as to the importance of risk culture and its core attributes. Monitoring risk culture is, however, very challenging, indeed. To the particular question of communicating risk culture to stakeholders, we question whether this can be done credibly in the absence of finding proxies for attitudes and behaviors described in the ABC risk culture building blocks described above. Our experience tells us that risk maturity capability requirements are today well-understood, reliable and credible proxies for risk culture. On this basis, we recommend that organizations travel the better known road of “risk maturity,” for which there are a number of capable maturity models in existence.
We believe there to be a demonstrably credible correlation between full maturity (optimizing value through aligning risk and strategy with corporate objectives) and board ownership of the risk appetite framework, building resilience (defending operations, business model and reputation) and risk culture. The RMI Risk Maturity Index correlates:
Level of alignment of risks to strategy, objectives and execution,
Risk role affirmations at each maturity level,
Risk culture affirmations (practices confirmed by internal and external attestors),
Risk defense affirmations (practices confirmed by internal and external attestors),
Board and organizational processes, and
Value realized at three levels: a) the investor, b) the organization and c) stakeholders.
Progression from one level to the next requires a blend of internal and external independent attestations, which are facilitated with the aid of a database containing structured question sets. Risk maturity scores are weighted according to the:
Quality of answers provided to questions,
Availability of demonstrably credible evidence supporting answers,
Rigor and consistency of risk data,
We believe that risk maturity attestation by seasoned practitioners will provide evidence-based assurance as to organizational risk culture.
Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite — you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company.
The interactions among all of these are not predictable, and variables cannot accurately be isolated.
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” — a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.
ERM policies, systems and reporting dashboards are all part of the foundation for good risk management. Once you have all of these in place, you can start building an effective risk culture. Remember also that there is too much complexity and subjectivity in culture to assume that individual reactions and responses can be aggregated to reflect or give an accurate picture of the whole organization’s risk culture. You cannot “pop” an effective risk culture in the microwave; it takes a lot of preparation, dedication and time to get it to perfection.
You can have the best staff retention rates in the industry or the most awards for long service — both of these can also indicate a high risk of employee fraud. According to ACFE research: 53% of fraudsters have more than five years of service and the median loss for fraudsters with six to 10 years of service is $200 000. 52% of fraudsters are between 31 and 45 years old, and older fraudsters tend to cause larger losses.
Scanning the horizon might just be the most important thing to do. You cannot control or stop what is coming; you have to prepare to respond to it. So many organizations spend large amounts of money to focus and report only on what is happening inside the organization, where they actually have control. Your biggest risks are outside of the organization, where you have no control.
Key elements for the future of your risk strategy should include internal networking; you have to talk to the informal groups and their informal leaders just as much as you do talk to the executives and managers, maybe even more. The real business does not always get done in the formal “boxes and lines” structure.
Just as important are the aspects of desk research and external networking. To have a good risk management strategy and action plan, you have to know everything about your industry, markets, competitors, supply chain, alternative supply chain, global risks in a connected world and many more. Failure to adapt your business model to the ever-changing internal and external risk environments will lead straight to the corporate graveyard.
The future of risk management is just: “risk management through people.” You can have the best systems, great models and scenario analysis with elaborate dashboards; at the end of the day a person will take a decision.
Are your employees aiming at more than one target, or do you have a clearly defined risk for reward strategy and risk appetite statement to guide them? Business strategy and risk culture are parts of an interdependent system.
Start working on your success by training every employee with some basic risk management skills.
As my Moody’s colleague Sarah Tennyson wrote last year: “Enterprise-wide risk management requires a shift in the behavior and mindset of employees across an organization. To realize the full benefits of improved systems, tools and analytical skills, people need to learn new ways of perceiving situations, interpreting data, making decisions, influencing and negotiating.”
Having returned from a week in Dubai, where I co-chaired the 4th Annual Middle East and North African ERM Conference and led a two-day workshop on risk and strategy, I am pleased to report that ERM is alive and well half-way around the world. This reinforces my similar experience at the same forum (2nd annual) in 2012. While there may be a perception of free-flowing money and excess in this region, it is clear that key companies in many industries, including finance, energy and healthcare, face most of the same challenges in driving effective risk management strategies and programs as many of the companies in the West. Even though many risk leaders in the Middle East gained their educational backgrounds in Western institutions, where in many cases ERM is still a suspect discipline, many have nevertheless gained significant traction with advanced risk management strategies in their companies.
An interesting angle was revealed at the MENA conference that raises challenging questions for many of these practitioners. It emerged first as an informal, anecdotal comment about the challenge of raising the profile and effectiveness of risk management functions where there was little or no tolerance for risk. While most risk professionals face this challenge at one point or another in their careers, it appears more widespread in this region. The question is: why, and how to do you manage through this dilemma?
First, recognize that all organizations have a risk attitude that ranges from extreme risk aversion to a radically risk-seeking culture — you have a risk culture by default, if you don’t actively design and implement the risk culture you desire. Most often, the actual risk attitude plays itself out in risk-taking behaviors that form the basis for a risk-appetite framework and strategy. Within the context of a risk culture, which is defined primarily by the risk-taking behaviors of employees, every person has a risk attitude and appetite for risk.
The collection of these appetites and associated risk-taking behaviors can lead to what the MENA region seems to reflect, namely little or no tolerance for certain risks. That risk culture will frequently lead to performance issues or product/service pricing challenges that affect competitiveness and reputation. While it is appropriate to avoid certain risks, doing so is generally a bad choice when growth through innovation is desired; risk-taking comes with that strategy.
So attendees at MENA and others who wrestle with risk aversion should realize that this is incompatible with long-term success in a competitive environment. As a result, they should commit to developing a consensus for a risk culture that aligns with an appetite for risk that is consistent with balanced or prudent risk taking.