Creating Enterprise-Wide Risk Awareness - Are Your Clients Building Prudent ‘Risk Cultures’?, January 2010
Azerbeycan
Site Map
Homepage RSM International About Us Our Services Contact
 
Global Challenges  
 
 

Creating Enterprise-Wide Risk Awareness - Are Your Clients Building Prudent ‘Risk Cultures’?, January 2010

The collapse of Enron and other corporate scandals in the early 2000s demonstrated how imprudent company cultures can lead to unethical practices and outright fraud. The more recent implosion of Lehman Brothers showed how a culture of risk-taking pervaded financial institutions and precipitated the global financial meltdown.

 
Risk management consultants play a key role in helping companies prevent fraud by installing an effective and vibrant risk culture in companies. A healthy risk culture gives employees a stake in risk management. Employees’ basic principles, values, and attitudes – as well as their understanding of how to deal with risk – shape a company’s risk culture. An appropriate risk culture is necessary for corporate risk management procedures to work effectively.
 
Compliance with the Sarbanes-Oxley Act (SOX) requires that employees directly involved in internal controls be fully aware of risks. For the company’s internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top – the ethical atmosphere that the organisation’s leadership creates – is fundamental. But exemplary leadership does not automatically lead to an effective risk culture, nor does it guarantee a properly functioning internal control system.
 
This article addresses enterprise managers’ opportunities and obligations to build strong risk cultures and how risk management consultants can support those efforts.
 
Shaping risk culture
Annual reports typically convey the impression that companies have implemented effective risk management procedures. But risk culture is often neglected as an integral part of corporate risk management.
 
According to the model of corporate culture developed by Professor Edgar Schein of the MIT Sloan School of Management, three elements determine the risk culture of an enterprise: (1) Basic assumptions, (2) Values, and (3) Artifacts and Creations. (“Coming to a New Awareness of Organisational Culture,” Sloan Management Review, Winter 1984).
 
Basic assumptions are the foundation of corporate culture. They are the invisible matters of organisational and environmental relations that are commonly taken for granted. Employees’ perceptions, thoughts, and feelings about risks shape a company’s risk culture.
 
Values determine employees’ moral and behavioural standards. Principles, unwritten guidelines, and taboos that employees respect come from these values. Often these values are only partially visible from employees’ outward conduct.
 
Artifacts and creations are the tangible components of a company’s risk management system. They include a risk manual, a risk manager, risk committee, published risk principles and guidelines, an IT-based risk reporting system, and a printed risk report included in the annual report as well as employee risk workshops. Such items are clearly visible and allow risk managers to understand the existing risk culture of an enterprise. The presence or absence of artifacts and creations enable managers to evaluate and shape the company’s risk culture.
 
Four steps for shaping risk culture
A plan for shaping risk culture in an enterprise should contain four steps:
 
1.     Create a team to lead the process
2.     Evaluate the existing risk culture
3.     Determine what the desired risk culture should look like
4.     Devise and implement an action plan to build the new risk culture
 
Create a risk culture team
Management should appoint a person independent of the enterprise (possibly an external risk management consultant) to lead the risk culture team. Members can include not only top management and the risk-controlling department, but also board members and internal/external auditors.
 
Evaluate the Existing Culture
Ultimately, employees should diagnose their company’s risk culture free of external forces imposing views on them. However, the members of the risk culture team should be responsible for discovering the employees’ views on the existing risk culture and what it should become.
 
The team should speak with all company employees so the entire staff is sensitised to the risk-culture topic. Standardised and anonymous questionnaires usually elicit more honest responses to questions about the “risk appetite” of the company.
 
The independent coordinator and the members of the risk-culture team should prepare an analysis workshop for selected upper management and cultural leaders to help uncover the invisible basic assumptions that are fundamental to the enterprise’s values.
 
In addition to the analysis workshop, the risk culture team should individually interview each member of top management to promote high interactivity and frankness. These interviews prompt senior managers to think deeply about the range of possibilities for shaping a new risk culture.
 
The members of the risk culture team then conduct a critical review of the existing culture based on the results of the enterprise-wide survey, the analysis workshop, and the individual interviews.
 
Determine Desired Risk Culture
The profile of the target culture will be based on the same factors that were used to evaluate the existing culture. Reorientation of the company culture is possible only if there is a compelling reason and a shared understanding of the need for cultural change among managers and employees. The foremost goal of cultural reorientation is to sensitise every employee to the necessity of conscious handling of corporate risks.
 
Action Plan
The fourth step in the risk culture programme is the formulation of an actionable plan to realise the new cultural vision. Senior management is responsible for implementing and monitoring this plan. New orientation patterns are accompanied by new signals and formats as well as an update of artifacts and creations.
 
Securing “buy in” from employees is crucial to the success of the action plan. They must know their input was instrumental in creating new policies and that their continued involvement is essential. Transparency and communication are key to making this happen. All employees must understand that they each have a continuing role to play. Management should reward risk-sensitive behaviour that helps build the target culture and dissuades unethical behavior.
 
Once the action plan begins to initiate cultural change in the enterprise, it is common to see unanticipated consequences. Erroneous trends (such as irritated employees or adverse cultural developments) can surface that require monitoring and correction. A new risk culture is vulnerable to undesired changes. Management must therefore continuously observe and evaluate newly implemented risk-culture measures.
 
 
Rewards of success
A well conceived risk culture creates enterprise-wide accepted guidelines for managing risks. It simplifies coordination among all employees and clarifies how each individual should handle his or her job regarding risks. Operating in a strong culture, employees take ownership of their risks and even that of their co-workers.
 
A healthy risk culture conveys solidarity; employees believe that they are an integral part of the corporate culture. It engenders a strong sense of belonging and motivates individual workers to become active participants in the welfare of their company.
 
A dynamic risk culture increases employees’ awareness of corporate risks. Not only will employees become supportive of the basic structures and processes of risk management, they will also become mindful of the fact that they are an important part of a risk management system that deters fraud and reduces threats to business continuity.
 
  Short Cut

 

Creating Enterprise-Wide Risk Awareness - Are Your Clients Building Prudent ‘Risk Cultures’?, January 2010

 

Economic Growth Prospects in Central and Eastern Europe

 

Labour Market Trends in the Wake of the Great Recession, October 2009

 

Turkey in the Euro Mediterranean Area, August 2009

 

IT Risk Management - Meeting the changing requirements and demands of today's business enterprises, July 2009

 

Survey of European Business Leaders: European business in the wake of global recession, May 2009

 

Global Climate Change: Corporate Risks and Growth Opportunities, April 2009

 

Overcoming the cultural challenges of company successions, December 2008

 

Exploring Chile's export markets, August 2008

 

Understanding commercial relations between China and the EU, August 2008

 

Taking advantage of China’s rapid economic growth, July 2008

 

Understanding the impact of dollar fluctuations on Canadian businesses, June 2008

 

Knowing whether or not to float on AIM? May 2008

 

Dealing with the fallout of the global financial crisis, April 2008

 

Harnessing the power of India's IT services, April 2008
 
Homepage | RSM International | About Us | Our Services | Contact
Legal and Privacy Policy
Web Tasarım: Grapixel New Media