Michael D. Moberly April 26, 2012
This post is not about regurgitating the requisites for achieving a risk intelligent company; rather, it’s about how to develop a sustainable risk intelligent ‘company culture’!
Unconventional approaches to risk management make sense today, says Rick Funston (Principal, Deloitte). Risk intelligence, he says, is the ability to effectively distinguish between two types of risks, i.e., the risks that must be…
- avoided (for a company) to survive, by preventing significant losses or harm, and
- taken (in order for a company) to thrive by gaining competitive advantage.
Risk intelligence, Stephen Wagner and Rick Funston state in their appropriately titled book ‘Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise’, embodies the ability to translate the above distinctions into better and more practical business decision making and actions to improve a company’s:
- resilience to adverse (risk) events/acts
- agility to recognize and take advantage of business opportunities in which some level of risk is present.
An initial and important step toward developing a ‘risk intelligent company culture’ is recognizing that risk is not solely or exclusively an external phenomenon, i.e., not all risk originates outside a company.
According to Deloitte’s The People Side Of Risk Intelligence: Aligning Talent And Risk Management, risk touches virtually every aspect of employee (HR) management, and therefore, employees affect virtually every aspect of risk management. That appears to be the makings of a fairly substantial value proposition basis for ‘kick starting’ a risk intelligent company culture.
So, a second, and equally important, step toward achieving a risk intelligent company culture is recognizing that a company’s value can be favorably affected by integrating (merging) risk management and human resource management. The rationale for doing this, in my judgment, is embedded in the reality that a significant percentage of (company) risks actually evolve from, and are inherent to, employee behaviors, attitudes, and actions, including, Wagner and Funston add, those of management teams and boards.
Effective risk management, the Deloitte report suggests, and I might add, a risk intelligent company culture, commences at the point at which the following converge:
- Risk Governance – how a company (a.) treats risk, (b.) whether and/or how it assumes responsibility for risk oversight, and (c.) how it incorporates (factors) risk in its strategic decisions and planning…
- Risk Infrastructure Management – whether a company’s management team understands how to design, implement, monitor, and sustain an effective risk management program relative to the products or services produced and the type, nature, and locations of its business transactions…
- Risk Ownership – whether a company’s employees and management team understand what their risk identification and mitigation responsibilities actually are, i.e., whether they internalize (some) responsibility and/or assume some level of ownership for identifying, measuring, monitoring, and reporting risk…
In light of the economic fact that U.S. businesses lose an estimated 7% of their annual revenue to various forms of occupational fraud, notwithstanding losses attributed to intangible (IP) asset misappropriation, infringement, product counterfeiting, etc., a well-managed risk intelligent workforce can be a valuable (intangible) asset for any company.
A good starting point, say Wagner and Funston, is to critically assess a company’s ‘unwritten rules’ relative to…
- what (employee) behaviors are actually being rewarded by applying these ‘unwritten rules’?
- do all employees, including management team and board, understand the company’s risk management priorities, objectives, and the strategic reasons behind them?
- are company-employee incentives aligned with the company’s risk management priorities?
In a risk intelligent company, management teams and boards assume an obligation to understand the proverbial ‘unwritten company rules’, i.e., what they are and how they’re being interpreted and executed by employees. One does not have to look far to see the adverse consequences for companies when there is a strong (under-the-radar) operational reliance on ‘unwritten rules’ as to how things actually get done, and on how, or if, the risks associated with those ‘unwritten rules’ are being managed. So, analyzing the responses to the above questions, insofar as they may influence and/or perpetuate a company’s propensity to avoid or engage in risk taking, is important.
Obviously then, becoming more intelligent (and objective) about the persistent, embedded, and asymmetric risks most companies routinely incur in a global-based economy and business transaction environment, is an important prelude to creating a risk intelligent company culture.
Management teams and boards, in my view, must assume a responsibility for elevating and cultivating a company-wide awareness of risk that fosters risk intelligent behaviors at all levels, which begins by:
1. adopting a common definition of risk that’s in accordance with national standards and best practices as well as being company specific.
2. clearly defining the roles, responsibilities, and authority (for managing and monitoring risk) with appropriate levels of transparency.
Lastly, it’s essential to recognize, insofar as developing a ‘risk intelligent company culture’ is concerned, that (a.) a change in (company) culture generally follows an (employee) behavior change, and (b.) culture and behavior changes are less a product of formal risk policies, controls, and pronouncements than they are the result of effective incentives and rewards.
This post was inspired by and adapted by Michael D. Moberly from a paper produced by Deloitte titled ‘The People Side Of Risk Intelligence: Aligning Talent And Risk Management’ and a fine book authored by Stephen Wagner and Rick Funston, appropriately titled ‘Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise’.