CEO's and top managers take considerable interest in their company's risk management programs. They make assessments to identify the most significant risks factors that challenge their organization and focus on updating their risk mitigation plans. However, one key factor that is not always considered in their risk management program is the "risk culture." It is a critical element of risk management that top managers should understand. Risk culture influences how managers and employees make decisions based on risks and benefits.
A company's risk culture is a critical element that can ensure that "doing the right thing" wins over "doing what it takes." Based on results from KPMG International Survey, more than half of corporate Board members and internal auditors said that their company's employees have little or no understanding of how risk exposures should be assessed for impact to their organization. One-third of the respondents said that the key leaders in their organization have no formal training in risk management or guidance. Thus, employees need to understand how to make educated risk-related decisions to ensure that risk behavior is consistent throughout the organization. Managers and employees without training will be unable to apply critical thinking and judgment to better make decisions. A strong risk culture results in a more collaborate enterprise that benefits the survivability of the organization.
There are several steps that Board members need to take to assert risk culture. First, the management team needs to establish the true "tone at the top" and "in the middle." The management team needs to establish good leaders who can set the example that other will follow. Leadership is a real driver for changing the risk culture. Management needs to follow their own risk management policies s that the employees can fully understand that non-compliant behavior will not tolerated.
Second, leadership must effectively communicate acceptable ethical behavior throughout all levels of the organization. Ethical behavior is a key element of a strong risk culture. A Code of Conduct should establish the organization's core values, ethical standards and expectations for its employees. It can introduce how risk management should be incorporated in the day-to-day conduct of employees.
Third, organizations can build a strong risk culture using a consistent and repeatable approach to risk when making key business decisions. This approach includes a discussion of risk and a review of risk scenarios that help management and Board members understand the inter-relationship and impacts of risks. A discussion of risk in the formal decision-making process can help executives feel more comfortable about the decisions they make, thus allowing them to make more assertive decisions.
An company with a strong risk culture means that the employees are aware what the company stands for, and the boundaries in which they can operate. They should be allowed to address risks openly in a formal discussion, thus to help mangers achieve the company's long-term strategic goals. A risk culture that can be communicated effectively to all employees as part of their daily responsibilities is critical to the company's success and survival.
The article has some key recommendations to manage risk through mitigating a risk culture within the organization. It is closely related to the concept of implementation where the development team of new information system requires technical experience of risk management. The concept of making changes to human behavior is significant to making project management work more effectively.
Reference: Farrell, John Michael and Angela Hoon, What's Your Company's Risk Culture? Business Week, 12 May 2009.
Website: http://www.businessweek.com/managing/content/may2009/ca20090512_720476.htm
Thanks Bob for the article. Given that I am working in the financial industry, especially in a broker/dealer, we embrace high risk culture. Management constantly reminds us to take risk in investment so that we remember to convey this message to our clients. After all, we will not be in business if no one is willing to invest and the stock market is always a risky place. I agree with the article that it does need to be a top down approach, upper management need to lead by examples.
ReplyDeleteGreat summary Bob! I do find that a lot of organizations don’t really consider formal risk training. You would think since risk is such a huge part of how an organization either succeeds or fails that they would spend more time on the topic. I think that many corporations that aren’t obviously dealing with high risk such as the financial industry don’t think about risk as much as they should. No matter what sector you are in risk training is an important part of a company’s culture.
ReplyDeleteThe concept of risk management reminded me of the Destroy Your Business Initiative employed by GE when looking to transform into an e-business. Looking into all the potential risk factors that could destroy one's business is critical for survival. The three points made here are excellent; effective leaders who know how to communicate with their employees are very important. Only they have the ability to integrate the concept of risk management into their firm's culture, which is one of the greatest ways to help that firm succeed.
ReplyDelete