Establishing an Appropriate Risk Culture

Matthew Shinkman, Dan Herd

August 1, 2014

The role of the head of enterprise risk management (ERM) is no longer simply to run a risk management program; it is to create the right risk culture across the organization. In fact, according to Moody's, "Enhancing risk culture is one of the most credit-positive actions management can take, but is also one of the hardest things to implement and to observe."

With all this focus on enhancing risk culture, why does it continue to be such a challenge? The problem is that, when most ERM teams think about "enhancing risk culture," they focus on increasing risk awareness as a means to reduce overall enterprise exposure. This doesn't get to the heart of the problem, however. These organizations are overlooking the idea that increasing awareness of risks—especially the downside—is likely to make employees more risk averse, which may not be the most appropriate risk posture. What organizations should do is get everyone to think like a risk manager.

Progressive ERM teams think about risk culture differently. They endeavor to drive a culture of appropriate risk-taking. These companies move beyond awareness, creating an atmosphere where employees are always making risk-informed decisions. To help bring this to life, here are a few examples of how some companies influence behaviors within their organizations to establish an appropriate risk culture.

Estimating Risk Perceptions
While most ERM teams characterize their companies as risk averse, it is nonetheless important to understand the preferences and perspectives of key leaders when it comes to risk-taking relative to the company's business model, the overall risk-reward balance and related metrics. Effectively communicating leadership's risk preferences can help shape the behaviors and decisions made by rank-and-file employees.

One company's ERM team addresses this by using a quantitative approach. They follow a four-step process to present a variety of situations to risk owners and collect their feedback. First, a survey is distributed to senior leaders and business unit risk committees with a message about ERM's approach and what they hope to achieve by collecting perception data. Next, a draft risk appetite framework is developed based on completed survey analysis. Specific data cuts for lines of business, geographies and data-mining are then collected to inform senior leaders about the varied perceptions of risk. Finally, the data is presented to senior leaders in a report so that perception gaps between exhibited risk preferences, articulated risk preferences and the current risk appetite can be discussed and minimized.

Getting on the Same Page
While the focus for one company is to collect risk preference data from risk owners, another company conducts a gap analysis to uncover critical discrepancies in risk perception between management and the board. This higher-level analysis is instrumental in creating uniform expectations for employees to follow. This company also uses a four-step process to conduct its gap analysis. First, internal audit interviews executives and board members to identify the top risks facing the company. Responses are narrowed down to the top 20 company risks. The internal audit team then surveys management and the board to determine their ratings (high, moderate, low) for these risks. Finally, a gap analysis is performed to show the differences in risk perception between management and board.

Upon completion of the interviews, risks that receive a high rating from either party are prioritized for discussion before the audit committee, and the committee receives a snapshot of management's risk activities. This gap analysis ensures that internal audit and the audit committee focus on risks requiring the most attention, leading quickly to productive discussions on pertinent issues.

Guiding Behaviors
Many ERM teams focus on measuring and affecting the cultures of their organizations through training, communication, outreach and tool development. While each of these activities is key to a strong risk culture, few companies look at the benefits that assessing and aligning risk perceptions can provide when it comes to driving appropriate risk-taking behavior.

Helping senior leaders assess significant deviations in risk perception can lead to outcomes in which risk-taking is better understood and more uniform throughout the organization. Building that consensus is important to help set expectations for a culture that is not just "risk-aware," but also "risk-appropriate." If done right, aligning risk perceptions can help everyone in the organization to think like a risk manager.
Matt Shinkman is the audit and risk practice vice president at Gartner.
Dan Herd is director and executive advisor of CEB’s legal, risk and compliance practice.