Embedding risk management in culture

Since the 2008 crisis, financial institutions have spent hundreds of millions of dollars on risk management. But too often their reforms have been short-lived because they failed to change the underlying culture.

Almost every financial institution has come to understand the need to address operational risk management (ORM). But some companies’ responses are bureaucratic arrangements that merely fulfill the letter of the law; they may succeed in avoiding regulatory penalties but remain vulnerable to the next unpredictable market event.

Instead, an organization needs alignment on the dimensions of its risk profile, how to manage its inherent risks and how to eliminate exposure to unnecessary risks. The best risk management programs will help a financial institution integrate this risk awareness into its culture and thus into the day-to-day lives of all of its employees. Top competitors know that businesses with risk-focused cultures, leadership and organizational structures outperformed their peers during the 2008 crisis, and that risk tradeoffs need to be made visible throughout the organization.

Three Lines of Defense

Most ORM programs seek company-wide understanding of the “three lines of defense.” In the first line, business operations own and manage risk; in the second line, risk control and compliance oversees risk; and in the third, independent assurance conducts audits and reviews. But at a financial institution with a run-of-the-mill ORM program, that understanding is theoretical; instead, “somebody” is designated to do that work.

In contrast, we recently worked with a financial institution that was going through a full-scale cultural transformation, during which every employee was instructed as to which line of defense they belonged. Each had explicit responsibilities related to that role, which was part of their profile on the company intranet and was often expressed in ways that could be tracked and measured.

In other words, effective risk culture makes risk choices real on a day-to-day basis. Because people throughout the organization must make significant risk-based decisions daily, a company’s approach to risk must be fully integrated into its strategy, business model and business practices.

In our experience, an effective risk management program uses a framework that holistically addresses all elements of ORM: culture, methodology, governance, processes and tools/technology. One or more of these five elements are common to many programs, but the key to success is the degree to which risk management culture seeps down into the other four. The culture must be visible in the methodology and governance; it must inform the processes and tools. Culture needs to be tangible, not just words on a piece of paper.

For example, in a financial institution with a healthy risk culture, risk liaisons in each business unit are present when strategy is being defined, processes improved or new products launched. The risk liaison is not informed in a report after the fact, but has a seat at the table. Just as a tech-savvy company gives an IT person a seat at that table, and a marketing-savvy company gives marketing a seat, a risk-savvy company makes its risk experts meaningful stakeholders.

Such attitudes trickle down from the top. Any risk culture transformation requires a top-down initiative to spread risk management visibility and accountability throughout the enterprise. An effective risk culture results from senior leaders who take risk seriously, and have respect for the role that risk liaisons play.

An effective risk culture helps the entire organization establish a common language for describing risks. With common language comes common understanding. An effective risk culture also provides employees with the tools to identify, manage, and mitigate risk, ensuring that appropriate safeguards are in place at all levels.

Risk Culture Awareness

Today, many financial institutions lack standardized management and reporting of operational risks, thus ending up with poor transparency and uninformed decisions. Many have inadequate compliance with new operational risk regulations. Furthermore, many are also inefficient because of their complex and overlapping risk governance approaches.

However, rather than addressing reporting, compliance, or governance tactically, financial institutions need to realize that these problems are symptoms of a deeper ailment, which is the lack of risk awareness in the culture. With that realization, a company can then promote a sound risk culture that motivates, promotes, and supports the best policies and procedures.

In our experience, such risk management transformations work in three phases: laying the foundation, measuring the impact, and embedding the change. Success of such a program depends on leaders who set a strong tone, employees who have individual accountability, an environment that fosters open communication, and incentives that incorporate risk perspectives.

But there are very difficult challenges to overcome. Laying a solid foundation requires significant top-down direction and time commitment, but also considerable cross-functional coordination, which can be difficult to achieve in siloed organizations with significant internal politics. A common short-cut is to define the culture program too narrowly – failing to cover the full employee lifecycle from recruiting to day-to-day work to training, which yields insufficient results.

Measuring the program’s impacts also requires concerted management effort because documenting and tracking culture is what distinguishes the fluff from the culture programs that become truly embedded. We worked at one company that uses pulse surveys to quickly assess employees’ risk awareness. Indeed, this company explicitly measures every aspect of its risk culture program. For example, explicitly defined values make up 30% of performance ratings and risk sensitivity is used as a tie-breaker in bumping employees up to the next performance bracket.

The final phase, embedding the change, is all about sticking power, because it’s easy to make a culture program a one-off once you’ve achieved some results. However, short-lived bursts tend to have short-lived impacts as a firm gradually defaults back to business as usual. Deeply embedding ongoing cultural change may require investing in a full time, permanent team.

So, the transformation process is not easy – cultural change never is. But the key to transforming any aspect of corporate culture is to treat the transformation like any other program. It must be tied to strategic objectives (rather than being a bolt-on project), must be led from the top across the enterprise (not from Human Resources (HR) or a specific function), and must clearly specify its goals, the stakeholders who will achieve those goals, required enablers, and measurements that can quantify progress.

Mr. Chandiramani and Ms. Bhardwaj are principals with the Financial Institutions Practice and Mr. Sethi a partner leading the Strategic IT Practice for the Americas of A.T. Kearney, a global management consulting firm. They can be reached at [email protected], [email protected] and [email protected] respectively.