André Smit
The key to building a “good risk culture” is to understand and articulate the cultural outcomes that will drive the performance and support the delivery of an organisation’s strategy. It needs to be acknowledged that this “good” risk culture is actually the aggregate view of many sub-cultures which relate to different business activities. Risk culture is not another level of governance or an exercise in compliance. Instead, it is about how an individual responds to a given situation of risk. It lives in the hearts and minds of employees and cannot be implemented as a policy or programme because no commonly held blueprint or “one-size-fits-all” framework for it exist.
Every organisation has a risk culture, which can be defined as an organisation’s norms, collective attitudes and behaviours of its people that influence risks and impact outcomes. Risk culture provides a lens through which to view general concerns about culture, risk-taking, risk management and risk optimisation activities. A sound risk culture will support the right risk outcomes, while a weak risk culture will promote undesirable outcomes — for customers and/or the organisation itself.
Having a written “culture”, is not evidence of the targeted culture being embedded or experienced by employees and other stakeholders. An organisation’s experienced culture can be described from the consistent, observable patterns of an organisation’s behaviour. This raises the question of whether structures, processes, and incentives drive the formation of culture, or whether culture is the expression of the behavioural output responding to structures, processes, and incentives. Regardless, culture evolves over time as it is affected by a range of internal and external factors and the organisation’s responses to those factors. The factors usually associated with a good business culture such as integrity, transparency, openness to communicating risks and opportunities, respect, accountability, customer and employee focus, and learning from mistakes, are also markers of a sound risk culture.
Deficiencies in leadership, competence, communication and culture have been blamed for many industrial accidents, environmental disasters and financial crises. A memorable environmental disaster that illustrates a lack of transparency and a bad risk culture is the BP Deep Water Horizon oil spill of 2010. The meltdown of the financial markets in 2008, where rogue traders caused millions in losses, can also be traced back to bad people risk management that resulted in flaws in behaviour.
Equally, an inappropriate risk culture is the result of bad people risk management, which does not always result in excessive risk-taking. Kodak’s strategic failure to reinvent itself and exploit digital technology in a changing world, led to bankruptcy. Its culture meant that Kodak was too risk averse and in a series of bad decisions, developed procedures and policies to maintain the status quo rather than adapt and evolve. Subsequently, corporate governance requirements around the world increasingly demand that Boards of organisations understand and address their risk cultures.
The Board has a responsibility to set, communicate and enforce a risk culture that influences and directs the strategy and objectives of the business. This starts with the risk behaviours, attitudes and culture of the Board itself and translates into actions cascading through the organisation. The Board of Directors should regularly troubleshoot these behaviours to build a risk culture in the organisation that adds to its resilience, inspires employees, and builds consumer and market trust, not only in its own economic interest but also in that of their shareholders.
All organisations need to take risks to achieve their objectives. However, establishing a consistent and enterprise-wide risk management framework, supported by a strong risk culture, builds business resilience and minimises potential losses. It also helps an organisation identify and take advantage of the opportunities, and ultimately gain competitive advantage.
*André Smit is the Head of Risk Management; Enterprise Risk Management at Bank Windhoek