26 September 2016 by Julia Graham
Understand the why, what and how of risk culture, says Julia Graham
Risk taking is a driving force in any business and the role of senior management in managing risks successfully is of critical importance. The FRC’s risk guidance, published in October 2014, states that the board should take ‘ultimate responsibility for risk’. Its most recent risk guidance, ‘Corporate Culture and the Role of Boards’, goes further in stating that senior executives should ‘get out of the boardroom’ to understand how their firms are behaving.
The importance of this is backed up by research commissioned by Airmic, ‘Roads to Ruin (2011)’, which studied the underlying causes of high-profile corporate crises. One trait common to almost all case studies is ‘board risk blindness’ which results from a ‘risk glass ceiling’. In other words, risk information does not flow freely up to senior management, usually due to cultural and structural barriers. The result is a failure of the board to properly recognise and engage with risks inherent in the business.
French bank Societe Generale provides a good example. In 2008 it discovered a rogue trader had lost an amount now determined at €5 billion. It turned out that over 70 oddities with his trading had been reported internally but the compliance officer had been unable to challenge the trader or get the attention of his seniors.
Recognising board risk blindness is not always easy and it requires coordination across the company. The latest research from Airmic indicates that the interface between functions on risk management is still not as mature as it might be. In particular, risk professionals and governance professionals are natural partners and could both benefit from greater collaboration.
Two of the key indicators for assessing board risk blindness are tracking how and when people speak up, how their words are responded to and how risk responsibilities are embedded in role responsibilities and reward systems. These are areas where risk and governance can add value by working closely together.
Airmic’s follow-up research, ‘Roads to Resilience (2014)’, finds that the key to achieving resilience is to focus on behaviour and culture. The following five common principles of resilience emerged:
These principles enable a culture that has a high level of risk awareness to identify trends and correctly analyse, evaluate and respond to risks, thereby avoiding board
Risk culture is not new but it has gained traction as a concept since the financial crisis. Risk culture is dynamic; it can be a mixture of formal and informal processes and may exist in more than one form. However, it is important that risk culture is set within the overall framework of the organisation’s vision, mission, corporate culture and risk management system. Yet most importantly, it comes from the boardroom.
Airmic’s research finds that the qualities embedded in resilient organisations help them succeed in other respects, including profitability and shareholder return. As Sir Win Bischoff, Chairman of the FRC, states in the latest FRC culture report, ‘A strong culture will endure in times of stress and mitigate the impact. This is essential in dealing effectively with risk and maintaining resilient performance.’
A healthy culture protects firms, enabling organisations to deal more effectively with expected and unexpected risks. Consequently, resilience should be at the heart of the strategy and business model in every organisation. The next step for the risk community is to further understand the why, what and how of risk culture, and to develop standards for best practice in the assessment, measurement and reporting of this complex subject.