Tag Archives: risk culture

Thinking Differently: Building a Risk Culture

“Young and old are dropping themselves from Wall Street at a pace we have not seen before” (sudden spade of suicides in 2014).

“High -flying executives end up crash-landing in jail.”

or

“Your competitive advantage lies in the hearts and minds of your employees.”

Deciding on a title for this piece was more difficult than writing it, but in the end it all comes down to thinking differently. We have to change the way we think about risk management and get away from the view that systems, processes and committees are the keys to effective risk management.

Business leaders are slowly waking up to the concept of risk culture building, but it might be too late for some, and throwing money at the problem will also not help; time is what you need to invest here. The time has come for you to hospitalize the whole business and cure the disease of greed (and some others). Business success is anyway no longer measured by profits only.

Many consultants and executives tried to define risk culture, but it is almost impossible because of all the worldviews, cultures, sub-cultures and generations out there in your business world. It is a lot easier to define risk culture building: the process of growth and continuous improvement in the way each and every person in an organization will respond to a given situation to mitigate, control and optimize that risk to the benefit of the organization.

The biggest business failures in recent times were also not related to money; most were as a result of operational risk failures and, in particular, failures of people risk. A quick analysis of the biggest business losses in history highlights the causes as being one of two key people risk elements: “lack of management oversight” or “because of a management override.”

Business leaders either did not do their jobs or completely misused their power and authority, often to cover up their personal lack of ethics or misconduct.

Business (and other) leaders must fundamentally change the way they think about risk management; you cannot suddenly “bolt on” an effective risk culture. Do not make the same mistake you made when you saw risk management as an implementation project and spent a fortune on systems and processes to get a risk report that is as useful as driving a car without looking through the windshield. You can have the best dashboard and rear-view mirror (last month’s risk report), but if you make business decisions based on those you do not get very far.

Organizations spent vast amounts of money to hire consultants to implement risk management as a project, believing that it can be done that way. Risk management cannot be implemented; it is a process of building and continuous improvement in an environment that is constantly changing. Business is no longer life in the fast lane; it is life in the on-coming traffic, and, sadly, some organizations still try to drive while looking in the rear-view mirror. Risk management can also not be a project; building an effective risk culture has only one possible end- date: the day you go out of business.

Many organizations are heading toward this day by doing very little about risk management. If you are not good at risk management or not doing anything about building an effective risk culture, you will be exploited by those who are better at it. Many organizations are speeding up the process by working toward getting all risks “green”;  if everything is “green,” you are not taking enough risk to get enough reward and stay in business. As the famous racecar driver Mario Andretti put it:” If everything seems under control, you are just not going fast enough.”

The risk profile of any organization must steadily increase over time, move from green to amber and onward to red, for those who run their businesses according to traffic lights. As you get better at risk management, you must take more risk for more reward.

If you are not getting better at risk management, don’t try to get more reward. It does not work that way!

11 Things That Matter Most in Managing Risk

Having just returned from another industry gathering where practitioners are trying to get a read on the keys to success in risk management, I thought I’d share some thoughts that I often include in my presentations and RIMS workshops.

Suffice it to say, no two practitioners are doing exactly the same thing nor following a template-based strategy if they’re having much success. I offer this introduction  to say two things: There is no one right way to practice risk management, and, by extension, the best risk strategies are those that are aligned with, if not custom-designed to fit, the priorities of the organizations for which they are intended.

One thing is nearly certain: A risk strategy can’t be successfully executed without a risk framework to make actionable those strategies that inform success. A framework might best be guided by one of the risk standards that are increasingly informing how the work can best be done, but a standard is not a prerequisite to success. By contrast, a risk culture is a prerequisite.

Your corporate culture represents the ways in which management and governance prefer employees to behave. It is typically tied to a set of values such as honesty, integrity and excellence. But do you realize that you also have a risk culture, even if you haven’t purposely defined and implemented one?

Whether your organization is risk-averse, risk-assumptive or somewhere in between these two extremes, your employees have risk taking and managing behaviors that, without a specific design and strategy for the risk culture you desire, will not likely be the behaviors or culture you most need and ideally desire. Therefore, communicating on risk culture can be most valuable to your long-term risk-management effectiveness.

What matters most in achieving this desired state? Well, rather than produce another list of top 10 items, here are 11 things that, in my opinion, matter most in effectively managing risk. If you operate with these elements in place, you will be more likely to have an effective strategy that other leaders will both contribute to and enable through resources.

Downside Protection: This is job one. The first priority is to make sure reasonably preventable loss is addressed through both mitigations and financing tactics. Management and governance rightly assume this is under way.

Influence and Gumption: Every senior risk leader must have the respect to be heard and the gumption to push back on risk owners and stakeholders with whom he may disagree.

Consistency: With risk process and sub-processes being the way in which the work gets executed, it is essential that they are consistently applied by all users.

Process Rigor: Processes that produce results and have impact require a rigorous approach to how they are designed, measured for effectiveness and continuously improved.

Data Interpretability: There must be actionable information about results and impact.

Communication Clarity: Beginning with a clear definition of risk itself, an entire sub-strategy for communicating your messaging will ensure you reach the ”right recipients at the right time with the right message.”

Reliable Measurability: Not every risk can or should be quantitatively measured, but, when you do, make sure the measure is as believable as possible.

Value Creation: Recognizing and leveraging risk for gain is the necessary evolution of the discipline’s practitioners if they ever hope to move beyond the tactical.

Embedded Risk Culture: Driving consistent and aligned risk-taking behaviors and decisions across the enterprise can only be achieved by embedding a well-defined and disciplined risk culture.

Managing to Appetite and Capacity: Risk cannot be effectively managed without a clear view into how much risk you are taking, want to take and have the capacity to take or assume.

Aligning Risk and Performance: The ultimate outcome for risk professionals is to manage risk relative to performance. Alignment, if not integration, between risk and performance is essential to achieving short- and long-term goals.

So there you have it: the 11 things that matter most in managing risk effectively. Sure, there are many other tactical elements of a good risk strategy and framework, but I believe they will naturally flow out of these elements when put into practice with the  proper senior level mandate and regular reinforcement of the strategy.