The essential ingredient to effective risk management: the culture
About a year ago, Michael Rasmussen and I made a presentation to the Society of Actuaries’ Risk Symposium on the topic of “Creating a Risk Management Culture”. (PDF of slides is available here.) I have always felt this was a seriously overlooked aspect of risk management, and the research I conducted prior to that presentation certainly reinforced that belief.
In the presentation, I quoted from the RiskMinds 2009 Risk Managers’ Survey:
The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.
Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.
Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).
In the majority of cases the culture was described as being only somewhat supportive or supportive of:
- Effective risk management and governance of risk (65.2%);
- Raising risks, challenging the status quo or widely held assumptions (68.2%).”
The Risk Management Association Enterprise Risk Council defines risk culture.
Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.
While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”
What does this all tell us? That you can implement all the policies, standards, processes, and organization you want. But if the culture of the organization is not one that respects the value of understanding risk and using that information to drive quality decisions, if executives ignore the risks they are taking (perhaps for personal reward), if decision-makers (including the board) choose not to hear the voice of the risk manager, then risk management will fail.
One aspect that my friend Richard Anderson shared with me is the notion of “risk clockspeed”, which is the subject of research by Keith Smith. The notion is that sometimes the time between identifying a potential adverse event and when it might occur is very short. In fact, the time available for reacting is so short that following a process for assessing and evaluating the risk is not feasible. Therefore, managers will decide how to respond in a very reactive mode, based on their inclination towards accepting or avoiding risk. Their personal risk culture will dictate their actions – which may result in a risk response that is not consistent with the organization’s risk culture or the approved risk appetite. You can see more on this topic here.
I favor the ISO 31000:2009 risk management standard. But I don’t believe the global standard addresses the topic of risk culture satisfactorily. The standard certainly talks about understanding the internal context for risk management (which includes the risk culture), but does not provide guidance on how to assess whether the culture is defective – and what to do if it is lacking.
The December 2010 issue of Risk Management Professional (www.rmprofessional.com) included an article on “Developing a risk culture”. The editor has graciously sent me a PDF version of the article (downloadable in two parts: page 1 and page 2). The author is Alex Hindson, chairman of the Institute of Risk Management and discusses a diagnostic tool for risk culture. You can also see a presentation on the topic by Alex here.
Bloomberg Businessweek had a useful article in May 2009. Written for directors, it includes not only a description of risk culture but a number of questions that can help understand and assess the risk culture.
I am interested in hearing how people assess the risk culture within their organization, how that affects the design and operation of risk management, and how you go about improving the culture.