Most executives take managing risk quite seriously, the better to avoid the kinds of crises that can destroy value, ruin reputations, and even bring a company down. Especially in the wake of the global financial crisis, many have strived to put in place more thorough risk-related processes and oversight structures in order to detect and correct fraud, safety breaches, operational errors, and overleveraging long before they become full-blown disasters.
Yet processes and oversight structures, albeit essential, are only part of the story. Some organizations have found that crises can continue to emerge when they neglect to manage the frontline attitudes and behaviors that are their first line of defense against risk. This so-called risk culture is the milieu within which the human decisions that govern the day-to-day activities of every organization are made; even decisions that are small and seemingly innocuous can be critical. Having a strong risk culture does not necessarily mean taking less risk. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. Those with an ineffective risk culture might be taking too little.
Of course, it is unlikely that any program will completely safeguard a company against unforeseen events or bad actors. But we believe it is possible to create a culture that makes it harder for an outlier, be it an event or an offender, to put the company at risk. In our risk-culture-profiling work with 30 global companies, supported by 20 detailed case studies, we have found that the most effective managers of risk exhibit certain traits – which enable them to respond quickly, whether by avoiding risks or taking advantage of them. We have also observed companies that take concrete steps to begin building an effective risk culture – often starting with data they already have.
Traits of Strong Risk Cultures
The most effective risk managers we have observed act quickly to move risk issues up the chain of command as they emerge, breaking through rigid governance mechanisms to get the right experts involved whether or not, for example, they sit on a formal risk-management committee. They can respond to risk adroitly because they have fostered a culture that acknowledges risks for what they are, for better or for worse; they have encouraged transparency, making early signs of unexpected events more visible; and they have reinforced respect for internal controls, both in designing them and in adhering to them.
Acknowledging Risk: It takes a certain confidence among managers to acknowledge risks. Doing so – especially to the point of discussing them internally, as well as with shareholders or even regulators – requires that managers rely on their own policies and procedures to work through issues that could lead to crisis, embarrassment, or loss.