Author: Dr Oliver Bungartz, Head of Risk Advisory Services, RSM Germany
1 Apr 2019
In the aftermath of the Enron and WorldCom accounting fraud scandals, the US Congress took it upon itself to introduce tighter industry regulations by passing the Sarbanes-Oxley Act in 2002. While legislative action like this is necessary to maintain the hygiene of a given sector, it is often only provoked by events that were entirely preventable in the first place.
Seldom do 12 months go by without some industry-shaking revelation of scandal or fraud grabbing the world’s attention. The list of companies whose reputations have cratered – or whose businesses have collapsed – in the wake of widespread misconduct is always growing, and each is a case of a systematic internal failure of risk management.
Conventional wisdom will tell you that the fish tends to rot from the head: when an organisation is caught in a scandal, it’s the senior figures who are most culpable. This is true to an extent, but the reality is not so simple. It may be easier to assume it was simply a few bad apples who engaged in wrongdoing but, more often than not, the fault also lies in the organisational environment that did not sufficiently safeguard against risky behaviour.
These are things that, in theory, every company should already have in place. Indeed, a superficial reading of most companies’ annual reports will include language suggesting such a system is already in use. In practice, however, having policies in place – even if employees are widely aware of them – does not by itself ensure they are considered as a day-to-day necessity.
Change takes time
A transformation in the way an organisation manages risk does not happen suddenly. Short of a complete managerial overhaul, there will never be an overnight reorientation of an organisational mindset. It is not enough for the C-suite, for instance, to decide to install a risk management mechanism. While this may work as a public relations measure, it is purely cosmetic if it is not accompanied by the kind of organisational mentality that would make it seem necessary in the eyes of employees.
A risk management system will only work effectively if there is a strong risk culture underpinning it. In the absence of a sufficiently strong risk culture, there is no guarantee that risk management mechanisms will be taken seriously – or regarded as necessary – by either those directly monitoring them or the employees going about their regular day-to-day duties.
The first step that must be taken – as with any endeavour in which there is a problem that needs to be fixed – is to determine the nature of the existing culture. Once the present situation has been identified, the second step is to analyse and evaluate the culture to determine what the organisation wants it to look like moving forward. The final piece of the process is the crafting of an action plan to implement the culture the business wants.
Identifying a culture
Edgar Schein, the former MIT professor renowned for his contribution to the understanding of corporate culture, identified three elements that determine the cultural architecture of an organisation: artefacts and symbols, espoused values, and basic underlying assumptions.
On the surface, the artefacts and symbols are the most outwardly visible aspects of a business’ approach to risk management. They describe the proactive measures put in place to mitigate risk, including the publication of guidelines, the establishment of reporting mechanisms and the release of a risk report in tandem with the annual report. This is followed by an organisation’s espoused values, which are more visible than basic underlying assumptions. They describe the goals, aspirations and moral orientation depicted within the group.
At the most fundamental level, the basic assumptions are the underlying, interwoven norms that we often take for granted. They are not just based on the organisation itself, but rather how people interact with one another. Basic assumptions determine the behaviour, perception and feelings within an organisation.
Identifying what each of these levels looks like within a company’s risk culture can be done through a three-step model. The first step involves questioning all employees with regard to the risk culture, making employees more aware of both the topic and what is expected of them. Second, organisations should carry out more in-depth workshops with selected employees to identify basic assumptions. Finally, the last step involves one-on-one interviews with senior management.
Evaluation and implementation
Once there is a sufficient understanding of the existing risk culture within an organisation, there must be an evaluation of what needs to be changed and, more importantly, what a desirable culture looks like for the company in question. When determining which kind of risk culture would be most desirable to a particular organisation, it is important to keep in mind the factors that influence it.
Generally speaking, an effective risk culture involves having company-wide coordination with regard to accepted guidelines, so as to encourage the safeguarding of employees’ activities. In aggregate, having a well-integrated risk culture fosters a stronger sense of belonging among employees, which ultimately results in a higher level of motivation at all levels.
The final step is the actual implementation of the action plan. It is crucial to keep in mind the interconnectivity of the elements in a risk culture. That is to say, changing a single element of a risk culture without having an effect on the wider system is something that is both futile in terms of bringing about meaningful change, and near impossible to do even if attempted.
Changes can be made on the surface level to initiate a cultural change. These include the introduction of a risk policy – as well as the mechanisms to implement it – the integration of measures for employees and the introduction of some form of risk suggestion system.
In order to maintain this change and ensure it permeates the whole organisation, however, there must also be ongoing monitoring and calibration. This includes keeping on top of any unforeseen and even negative consequences that may stem from the culture change. Monitoring is also necessary to ensure risk management systems are operating consistently throughout the organisation.
Risk and responsibility are not mutually exclusive, and it has been shown time and again that culture is a far more effective safeguard than strategy or process. Any business that wants to grow will have to take on a certain level of risk, without which – as they say – there is little reward. With a culture that identifies and adequately responds to risk, however, even great chances can be taken on without catastrophic consequences.