Developing a Risk-Based Company Culture Requires Board Involvement
Steven Minsky | Aug. 31, 2016
Last year, we blogged about how to develop a successful ERM program. An important goal is fostering a risk-based company culture. This means everyone, not just the appointed risk managers, assimilates risk awareness and works it into their job description. That said, there are many factors that contribute to a healthy, risk-managing culture.
One of those factors is board support. We often stress that “front-line” employees (who oversee everyday activities) are a vital yet often overlooked resource for risk identification. A healthy company culture also benefits from top-down involvement. Specifically, “Boards are obligated to be directly involved in strengthening a corporate culture that encourages ethical behavior,” according to the Risk & Compliance Journal.
The value of a risk-based company culture is its ability to help achieve both top-down and bottom-up objectives. This eliminates any lack of alignment – the primary cause of wasted resources, missed opportunities, and compliance problems – between senior leadership and front lines. Enterprise risk management reporting structures also help maintain information integrity when that information is shared cross-functionally. Without a risk-based approach, when information reaches the board it is inevitably summarized across silos and lacks operational context.
ERM-style reporting requires both information “producers” and information “consumers” (roles that are by no means fixed). A “tone from the top” makes it easier to engage front-line managers by providing context as information moves across the organization. When information is pushed back up, it’s with new insights from those in governance and operations. Providing this context ensures reports are useful and understandable to everyone, including senior management.
Boards should develop a risk-based company culture first by implementing appropriate information collection and reporting systems. The goal is to make it easy for different levels/silos to escalate information appropriately, which encourages collaboration. Direct interaction with front-line management isn’t practical – or even possible – but nonetheless, boards are held responsible for material mistakes and missed opportunities that happen at any level.
These events are also called surprises, and in business, all surprises are bad. A board’s best bet is to ensure quality information is delivered to the right people, at the right time, and with the proper context.
The best way to quickly and reliably escalate information is with risk management software that bridges the gaps between departments and levels. ERM software comes equipped with a taxonomy that automatically links risks, requirements, goals, resources, and processes. It also offers email and other system integration, task notification, automatic alerts, and more.
Does a Risk-Based Company Culture Inhibit Value Creation?
Some boards have expressed concern that risk management may be just another compliance burden, and that it could hinder effectiveness and innovation.
As it turns out, organizations with sustainable risk management programs have a proven 25% increase in market value – on average – compared to industry peers without such programs.
As I discussed in a recent article published in The Wall Street Journal’s Risk & Compliance Journal, a risk-based company culture “shouldn’t be stifling anything.” In fact, risk-based concepts like regular risk assessments “should be enabling innovation as they can help better align the company’s goals to its risk management processes.”
Dr. Paul Walker, professor in enterprise risk management at St. John’s University, has heard from numerous executives that “to not understand risk is old-fashioned and the wrong way to do business…Risk management leads to value and more disciplined companies that over the long run outperform those that don’t manage risk.” He adds that by better incorporating risk and compliance into business operations, executives have “a better tool set to innovate so they don’t get into those situations.”
There is a simple way to determine if a board’s focus on risk reduction dampens productivity. Look up a company’s “customer satisfaction, health and safety record over time, qualified audit reports, regulatory sanctions…,” etc. When a company performs well in these categories and emphasizes the measurement of its risk culture, investors should rest assured.
One last point that’s important to remember: just because a company says its risk culture is healthy doesn’t mean it has strong governance or transcends departments and other working silos. Measure your own organization’s risk management competency with the free RIMS Risk Maturity Model (RMM), a best-practice benchmarking tool.