Five Questions on Cultivating a Risk Intelligent Culture
Even though many organizations have spent years developing and implementing risk management frameworks, policies, procedures and sophisticated technologies, some of them are still experiencing significant, unexpected problems far more often than they would like. On any given week, a glance at the business headlines offers ample reason for concern. So what’s missing? For many, the infrastructure is in place — but the culture is weak. And no matter how good the risk infrastructure, risk management is essentially a people issue, because people take responsibility for managing risk. Smart organizations have developed a culture of Risk Intelligence to gain the edge.
So what should business leaders who are looking to shore up their organization’s risk culture have in mind as they move ahead? Below, we ask Deloitte Consulting LLP’s Eddie Barrett and Deloitte & Touche LLP's Scott Baret some important questions for getting started.
Then, Michael Fuchs, principal, Deloitte Consulting LLP and Consulting Leader for Governance, Risk and Compliance, lends his perspective on the expanding role of Human Resources (HR) in managing risk.
|Question||Eddie and Scott's take|
|What does it mean to have a Risk Intelligent culture?||Scott: It may help to consider the difference between a risk culture, which organizations have by default, and a Risk Intelligent culture, which requires planning and focused effort. Leaders should actively shape their risk culture into something purposeful that is aligned with business strategy — and where each employee understands how to make the right risk-based decisions.|
|Who is responsible for an organization’s risk culture?||Eddie: In a Risk Intelligent organization, everyone in the organization understands its approach to risk and they take personal responsibility for managing risk in their work every day. That’s part of the definition of Risk Intelligence. At the same time, there are a handful of people who typically have elevated responsibilities for risk culture. The Chief Executive Officer usually takes the lead on risk culture, along with input and support from the Chief Human Resources Officer and the Chief Risk Officer. Increasingly, the board is assuming proactive responsibility for risk culture, as the importance of people and culture in preventing major missteps becomes increasingly apparent.|
|What are the main things companies can do to improve or strengthen risk culture?||Eddie: At a high level, there are four main areas you should be prepared to take on. First, efforts to change the risk culture often begin with building risk competence among existing and new employees. You should also be prepared to focus on how people are motivated to manage risks — starting with incentives, rewards, and performance management. Also look to strengthen relationships within the organization — peer-to-peer, leader-to-leader, you name it. And finally, the organization itself is often the culprit. From compliance and procedures to ethical expectations and governance, be prepared to set organization-wide changes in motion.|
|Changing culture is a big undertaking. Where does it make sense to start?||Eddie: We often find that while company leaders know they have a problem with risk culture, they can’t put their finger on exactly where or what the problem is. So while it’s tempting to dive in and start making changes, an assessment is a good place to get started. Find out where your strengths and weaknesses are — the facts, not just intuition — and build out a prioritized action plan from there.|
|We already have a risk management function in place, along with other controls. Is evaluating our risk culture really worth the effort?||Scott: Given the level of scrutiny regarding risk culture we’re seeing from regulators, investors, shareholders, and, increasingly, the general public, simply being able to point to risk infrastructure isn’t enough. These audiences want to see tangible evidence of cultural change. In that sense, culture is an all-important safety net. No matter what risk frameworks, policies, procedures or technologies you might have in place, or be missing, in the face of an unexpected challenge, an organization that has built a Risk Intelligent culture is more likely to respond in the right way to the unexpected.|
A Closer Look: The expanding role of HR in managing risk
Michael Fuchs, principal, Deloitte Consulting LLP and Consulting Leader for Governance, Risk and Compliance
Consider the enormous risks that resulted in catastrophic events for companies over the past few years. (Take your pick – there are plenty of examples, unfortunately.) Now think about how many of them were the result of bad decisions on the part of a handful of people. While systemic risk is a very real issue, in many cases the human factor is the culprit — an eye-opening thought when you consider that many of these companies had well-established Enterprise Risk Management (ERM) functions, processes and controls in place. What was missing in many of these cases were the cultural and organizational components that can help guard against ineffective or just plain poor decision-making on the part of individuals. The complexity of how effectively to enhance and improve the ability of people to make Risk Intelligent decisions requires HR insights and skillsets to pull it off.
Risk isn’t a new concept to HR. Many of the regulatory and operational risks facing any organization are in the direct line of sight of HR, which is why the HR function has increasingly sought to partner with legal, internal audit, and risk teams. But there is a growing recognition that HR risks go well beyond labor laws, employee policies, and payroll administration. People risks can have an impact on virtually any critical decision that a company makes, and should be considered as part of any business plan.
What role does HR have to play in the fight to reduce people risks? For starters, HR is sitting on a wealth of data that can help organizations manage their risks more effectively. This data could be used to feed advanced analytics programs to generate new insights about current risks. Employee turnover data, for example, can be used to identify red flags on hidden risks such as incompetent management, fraud, or sexual harassment. With those insights, business and HR leaders may have what they need to head off problems before they escalate.
Data-generated insights are changing the way HR leaders view a host of activities they’ve been engaged in for years. How do changes to the HR function and HR policies impact overall risk? Do incentive compensation programs adequately link proper risk-taking and rewards? Do they inadvertently contribute to unhealthy risk-taking at the individual level? In seeking the answers to questions like these, HR leaders are changing the role that their organizations play in managing people risks.
For many, it’s an evolution that can’t come soon enough, as people risks — not just HR risks — face a higher level of scrutiny than ever before.