When security breaches or risk management breakdowns occur, culture is often blamed. From General Motors and Target to the financial crisis of 2008 and the launch of Healthcare.gov, culture has been identified as the culprit behind failures to share unpleasant or difficult messages with leadership and behind the wrong incentives.
In some ways, culture has become a convenient excuse. When the precise cause of a negative event cannot be clearly identified, culture is an explanation everyone seems to understand and accept. Yet culture rarely gets the credit when things go well.
What do we really mean when we identify culture as the cause of corporate crises? Culture may be best described as a set of beliefs, attitudes and behaviors shared by groups of people or organizations. It is a company’s style of doing business: the way it treats people, the unwritten rules with which it operates and the assumptions behind its objectives. In a risk management context, culture can be a powerful motivation for more informed decision-making or, conversely, a powerful de-motivator that defers critical decision-making and lets small problems turn into nightmares. Companies must carefully examine the implications of their modus operandi, clarifying underlying rules and assumptions and defining responsibilities for specific risks.
How can companies address cultural risk and shape a risk-savvy organization? These five steps can lead the way toward making risk management culture a more tangible part of everyday operations:
1. Don’t wait for a crisis. Companies must view risk management as a proactive, ongoing discipline, rather than a matter of cleaning up messes that have already been made. Too many organizations have learned this the hard way. Communications from an organization’s highest levels need to make it clear that risk management is everyone’s job and that mere compliance is not enough.
2. Show support with sufficient investment in risk management initiatives. Called the “money talks” principle, appropriate funding sends the clearest message that risk management matters. As with step one, this is also about raising the risk management profile as an essential element of the business. These investments can include an emphasis on strategic planning and development of robust ERM frameworks, investment in tools and technology, and allocation of staffing and resources.
3. Identify, prioritize and monitor risks throughout the company. The more complex an enterprise, the more challenging its ongoing risk management. Risk management breaks down when one part of a company does not know what another division is doing. Consistency is important. Every line of business, product line or geographical unit must adopt similar approaches for rating its particular risks. This will promote better understanding of how various risks may be interrelated or compounded across organizational boundaries. Further, it will help engage the business in the process of risk management. Ideally, business unit leaders will embrace ERM as part of their job: something they do, rather than something that is done to them.
4. Create “bottom-up” channels to enable immediate remediation or rewards. While solid risk-informed cultures begin with strong leadership, they live and die through active, front-line participation. When workers and staff are encouraged to keep their eyes and ears open, well-defined enterprise risk management policies and strategies are operationalized. Companies should consider rewarding employees with bonuses and other incentives when they report potentially damaging issues or problems, thereby preventing small risks from turning into major crises. Further, employees need to be trained to understand key risks and equipped with the means to identify and communicate what they see.
5. Regularly evaluate the risk portfolio and proactively engage business leaders to examine risks fully. This final step is meant to institutionalize the process of risk management. Risk management can and should be included in the evaluation of managers and executives and factored into their incentive compensation. At different levels and parts of the organization, there may be misconceptions about the nature of various risks. For instance, sales and marketing teams may be more concerned about reputation risk, while supply chain teams are naturally more focused on third-party risk. ERM teams need to ensure that everyone understands the spectrum of risks, including financial, operational, technological, reputational, third-party and regulatory risks.