Operational and Integrated Risk Manage ...
Introduction to Operational Risk and Resilience Risk Governance Risk Identification Risk Measurement and... Read More
After completing this reading, you should be able to:
Risk culture is a system of values and behaviors that shapes the risk decisions of a business. It defines the norms and traditions of the behavior of employees or employers in an organization that determines how they identify, understand, discuss, and manage the risks that a business faces and the risks it takes.
In the case of a bank, risk culture is the bank’s “norms, attitudes, and behavior related to risk awareness, risk-taking, and risk management and controls that shape decision on risks.” It influences the decisions of employers and employees during their day-to-day activities, even when they are not consciously analyzing and weighing risks. It also has a bearing on the risks they assume.
Corporate culture is the beliefs and behaviors that determine how an organization’s employees and management interact and handle business transactions. Many times, organizational culture is implied, but not expressly defined. It develops organically through time from all the cumulative behavior and norms of the people that the business employs.
Culture is the result of shared values, business experiences, behavior, and beliefs, as well as strategic decisions. It is much more than a management style; it is a set of experiences, opinions, and behavioral patterns. It is created and developed when a team of employees or people working together learn to cope with the changing outside world and internal systems.
Corporate culture deals with different approaches. One approach considers external outputs such as the environment, architecture, technology, office layout, dress code, behavioral standards, official documents, and company symbols.
These aspects reflect the core values of the organization and explain or justify the behavior of individuals. Culture can be very effective but also resistant to the need for change and is therefore seen as a complex concept for any organization.
Risk culture is an element of corporate culture. It is the aspects of corporate culture that relate to risk. The culture of an organization is neither unique nor uniform throughout the company.
Different subcultures exist at different levels of an organization. These variations are brought about by the variety of operations, roles, and activities performed by each organization and each department. For instance, the point of view on the environment taken by the risk management department can be substantially different from that taken by the marketing department.
Risk culture is not static but a process that is continuously repeating and renewing itself. Both risk culture and corporate culture evolve through time to the events that affect an organization’s internal operations and to the external environment within which the organization operates.
Several factors determine a firm’s risk culture and corporate culture. These include:
Commitment and support from top management play a significant role in influencing success in almost any initiative within an organization. Corporate culture and risk culture require the acknowledgment that they are an essential reality from an organization’s leadership for the right culture to take shape.
Consistency in communication, decision-making, and ultimate actions is critical in the avoidance of misinterpretation. Employees may otherwise adopt what they see, and not what they are told.
Building a sound risk culture is a process that should involve the entire business and not just the supervisory team. An organization’s board should form a clear and communicable approach to risk, which is understood by all levels of the employees.
Changes in both external and internal conditions usually lead to changes in the culture of a business. Such changes also inform the changes to be made within the organization.
The existing lines of accountability need to be clear and enforced, preferably to individuals and not just committees where accountability is often lost.
The focus should be on identifying what went wrong, what can be learned, and whether it is necessary to initiate changes in processes or controls. Dealing with disciplinary or assignment of accountability as a separate matter encourages openness from employees.
Performance measurement and rewards should be based on an organization’s desired risk culture. This should be both financial and non-financial. Setting goals based on key performance indicators will influence the culture you wish to create.
Training and employee talent management in an organization will support and enforce the desired risk culture and behavior, if properly utilized. An organization should be conscious of the existing or desired risk culture when making decisions on these aspects.
Understand your risk appetite, and should a loss occur within this appetite, acknowledge that it happened, learn from it and move on. Many organizations expect perfection, especially in operational processes. This makes them end up with very many controls, leading to bureaucracy. This deters employees from enforcing the desired framework. Find the right balance.
The risk culture should be implemented in such a way that it supports the business strategy and core competency. There is a close link between the success of strategy implementation and the corporate culture. If they are not already aligned, then changing one is critical to changing the other. The organization’s risk culture should mirror what the clients perceive.
Qualitative methods allow for an in-depth investigation. However, they also limit the comparability of results.
Direct observation may be the only way to understand a culture since many of its aspects are silent. Additionally, people within an organization are not aware of how many assumptions affect their behavior. In addition, they take for granted that it applies to everyone in the sector.
Sometimes, the cognitive beliefs of whoever is carrying out the study may influence their evaluation capacity. Due to this, a problem of objectivity prevents the possibility for other researchers to replicate the analysis and confirm the results.
Quantitative methods use standardized approaches of analysis through statistical tools. These methods do not provide in-depth observations but are more objective and allow the comparison of different situations.
Quantitative methods have been primarily used to evaluate culture indirectly, by observing developments in risk governance and the link between risk governance and the company’s risk-return combinations. They include:
Many firms use annual employee engagement surveys, supplemented by culture and other surveys.
Some organizations use a range of indicators, sometimes consolidated into “culture dashboards”, such as:
Organizations use a range of methods to validate progress or performance and confirm understanding. These methods include:
Risk culture is a key element of an organization’s enterprise risk management framework, which encompasses the general awareness, attitudes, and behavior of an organization’s employees toward risk and how risk is managed within the organization. It is a key indicator of how widely an organization’s risk management policies and practices have been adopted.
Strong risk culture has generally been associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior.
Personal characteristics are important when it comes to a strong risk culture. Long-tenured and less risk-tolerant employees and employees with a positive attitude towards risk management are more likely to display desirable risk-related behavior. Those with high personal risk tolerance are more likely to display undesirable risk-related behavior.
Good risk structures such as policies, controls, IT infrastructure, training, remuneration systems, etc. appear to support a strong culture and ultimately, a less undesirable risk behavior. Good risk structures do not necessarily guarantee good behavior. There have been suggestions that structures such as remuneration are interpreted through the lens of culture.
Senior staff tends to have a significantly more favorable perception of culture than junior staff. This highlights the importance of anonymous and independent risk culture assessments where staff feel safe to reveal their true beliefs.
Changing the culture of a complex organization like a bank is possible. Even then, it is difficult and requires awareness of the need for change, many resources, and a long time.
Addressing cultural issues must be the responsibility of the board and management of firms. This will determine how the entire organization views these issues. Supervisors and regulators cannot, by themselves, determine culture. They, however, have an important monitoring function.
The process of cultural change is ambitious since it involves many players. It is usually challenging to bring all the different forces on board in an effort to promote a new risk culture shared by both the regulatory authorities and clientele.
The implementation of a risk culture needs to be integrated into business decisions. This is sometimes difficult as all stakeholders, including a firm’s customers and shareholders, may need to be involved in supporting these changes.
The tone at the top is not always supported by consistent actions that demonstrate proper alignment between the proposed changes and the subsequent actions. The differences in these aspects pose challenges for organizations seeking to establish consistent expectations across the institution.
Risk culture influences an organization’s performance and competitiveness, while changes in business objectives and strategies often have a bearing on the risk culture. There is, therefore, an interaction between the two concepts.
The banking sector, for example, has seen an evolution in its corporate structure. This is because of changes that the sector has gone through, moving from public institutions to profit-oriented private entities. Regulations have also increased the range of banking services offered and, indirectly, competition. The new culture of supervisors is based on collaboration with banks and this relationship may have positive effects in terms of business performance.
The financial behavior of families and firms has also undergone drastic changes. For instance, families’ propensity to save has decreased. Families today tend to invest more in financial instruments inside or outside their home countries. Firms, on the other hand, are adopting new forms of financing, by acting directly on the capital markets.
In some cases, the culture in financial institutions has demonstrated the ability to integrate organizations’ know-how and new market opportunities. For example, the entry of banks into the insurance business was difficult, because of their limited experience with sophisticated products.
On the other hand, insurers had limited experience with bank retail client requirements. The problem was solved through successful alliances in which banks used their distribution capacity and insurers developed simpler products.
Culture has also driven the creation of new approaches to deal with increasing competition. A culture of distribution has replaced the pre-existing culture of production. Due to this change, management has been able to shift the focus from efficient service development toward an effective selling system, thereby creating a new kind of risk culture.
In the new context, culture is a resource rather than a limitation. If taken into consideration, it can ensure the success of events such as mergers and acquisitions.
Culture may be used to improve firm performance and stability. Nowadays, it is challenging to develop and implement a strategy. This is due to the intrinsic variability of the market, with controls becoming increasingly complicated due to a broader range of business activities and functions. In this context, culture can create shared values to drive individual behavior in pursuing the organizational strategy and assisting the role of internal controls.
Risk culture can result in a competitive advantage for firms with better cultures and conducts. This is particularly with regard to client reputation and the ability to attract employees and investors.
Organizations can succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability. A good risk culture should not just be about complying with regulations but rather creating something that will help to prevent or resolve problems.
Since risk is an inherent aspect of business function, risk culture has an impact on the risk-taking propensity and policies, types of risk assessment/performance ratio, and final decisions.
Organizations need to develop their risk culture beyond regulatory guidelines so that they can support their corporate strategy, strengthen their core skills, and turn risks into opportunities.
Practice Question
Who is responsible for an organization’s risk culture?
A. Everyone who works at the organization.
B. Industry regulators.
C. The CEO.
D. The CEO and the Board of Directors.
The correct answer is A.
In a risk intelligent organization, everyone in the organization understands its approach to risk, and they take personal responsibility for managing risk in their work every day. That’s part of the definition of risk intelligence. At the same time, there are a handful of people who have elevated responsibilities for risk culture.
B is incorrect: Industry regulators may give guidelines on what is expected, but is not responsible for the organization’s risk culture.
C is incorrect: The CEO may set the pace, and even set the tone for risk culture, but if he alone is responsible for the risk culture, then its implementation will not be successful.
D is incorrect: The Board of Directors, just like the CEO, may set the tone within the organization. However, if they assume resposnsibility at the expense of the rest of the company workforce, then implementation will not be successful.