RISK MANAGEMENT to quantify . However you can measure the behaviors and outcomes they produce . Risk mature organizations approach this by looking at three different areas :
Intended behaviors : The behaviors that the organization expects in order for its vision and values to be achieved . If you want a strong culture you need to set out a common purpose which is inspiring , relevant to all stakeholders , linked to your strategy and values , and embraced by leaders and their teams .
Espoused behaviors : The processes , policies and controls that the organization creates to influence people ’ s behaviors . For example , consider how specific behaviors are rewarded in pay , or how expected behavior is emphasized in leadership communications .
Actual behaviors : What are people doing ? What decisions are they making ? What is their demeanor ? What are their top priorities ? Leaders ’ actions have a significant impact on the messages individuals receive about what is valued , but it is also critical to grasp the organization ’ s broader working procedures and routines .
The key to success is aligning the three behaviors . Even clearly articulated values do not always imply appropriate behavior on the ground . The ramifications for your organization can be substantial if there is a mismatch between the intended , espoused and actual behaviors .
Have the right and consistent tone from the top
The tone should be one of being proactive in risk management rather than waiting for a crisis .
Senior leadership should communicate regularly with all employees about the need for risk management in totality - just being compliant isn ’ t enough . Top leadership should drive the development and implementation of business continuity plans and emergency or incident response programs that promote ongoing participation across the entire organization ( from the front lines all the way up to the boardroom with risk management expectations also explicitly extended to all third-party suppliers / intermediaries ).
The aforesaid is explained in detail in one of the risk management models known as “ Three Lines of Defense ”.
“ When it comes to taking the correct risks , it ’ s important to remember that in order to reach their goals , businesses must actively “ take ” and manage risks . A consistent and uniform tendency toward continuous risk avoidance is not characteristic of strong risk cultures .”
This model basically articulates the role of the first line of defense ( in handling business activities ), second line of defense ( in handling risk management and other control activities ) and the third line of defense ( in handling internal audit ). The three lines should all work in concert to promote a stronger risk culture and eliminate inefficiencies and overlaps . When applied properly , the “ Three Lines of Defense ” create dialogue and analysis that prevents organizations from overlooking risk factors that could ultimately cause financial or other related disaster ; as well as allow them to be proactive in how they manage risk within all functions of the organization .
Take the “ right risks ”
Only actively take risks that are consistent with your organization ’ s risk appetite , risk-taking capacity , and risk-taking expertise . These are risks that are necessary for the organization ’ s strategy , objectives and mission to be achieved , and for which the organization is suitably rewarded . When it comes to taking the correct risks , it ’ s important to remember that in order to reach their goals , businesses must actively “ take ” and manage risks . A consistent and uniform tendency toward continuous risk avoidance is not characteristic of strong risk cultures .
The “ right way ”
This implies risk-taking follows robust risk assessment / measurement processes , is subject to proportionate ongoing risk oversight and control and the manner of risk-taking is aligned with organizational values as defined by the governance structure .
What benefits do we envision from a strong risk culture ?
Brian Schwartz in his 2018 journal article “ How banks can succeed through a strong risk culture ” ( Schwartz , Oct 1 , 2018 ) reminds us that “ creating a strong risk culture makes risk taking more transparent and aligns it to strategy ”.
Borrowing from Shwartz ’ s thought , a strong risk culture should thus help the organization on these three fronts : Determine the degree to which organizational policies are internalized by staff and exhibited into day-to-day behavior ; Determine staff response to threats or situations / opportunities that fall outside well prescribed operating guidelines ; Influence the firm ’ s reputation with regulators , clients and the broader market .
The last element is crucial since a strong reputation has a direct impact on an organization ’ s capacity to function and its value . Depending on the size of the organization , it may also have an impact on its funding costs as a poor risk culture increases the risks to external investors / partners , who may not be able to effectively diversify that risk .
Is risk culture maturity achievable ?
The status quo is not an option . Organizations need to not only consider investing in a corporate culture that prioritizes risk management , ethical behavior and smart decision making , but more importantly , use those elements to establish new performance measures .
Lyndon Johnson , the 36th president of the United States , once said : “ What convinces is conviction ; believe in the argument you ’ re advancing . If you don ’ t , you ’ re as good as dead . The other person will sense that something isn ’ t there , and no chain of reasoning , no matter how logical or elegant or brilliant , will win your case for you .”
Our teams will only adopt a robust risk culture if they see their leaders believing in it and embracing it . ■
Reuben Kisigwa is a strategic consultant and a certified competency based curriculum developer . You can engage him vide mail at :
RKisigwa @ gmail . com .