
Manage Tomorrow's Surprises Today

Steven Minsky

Developing a Risk-Based Company Culture Requires Board Involvement


Last year, we blogged about how to develop a successful ERM program. An important goal is fostering a risk-based company culture. This means everyone, not just the appointed risk managers, assimilates risk awareness and works it into their job description. That said, there are many factors that contribute to a healthy, risk-managing culture.

One of those factors is board support. We often stress that "front-line" employees (who oversee everyday activities) are a vital yet often overlooked resource for risk identification. A healthy company culture also benefits from top-down involvement. Specifically, "Boards are obligated to be directly involved in strengthening a corporate culture that encourages ethical behavior," according to the Risk & Compliance Journal.


The value of a risk-based company culture is its ability to help achieve both top-down and bottom-up objectives. This eliminates any lack of alignment - the primary cause of wasted resources, missed opportunities, and compliance problems - between senior leadership and front lines. ERM reporting structures also help maintain information integrity when that information is shared cross-functionally. Without a risk-based approach, when information reaches the board it is inevitably summarized across silos and lacks operational context.

ERM-style reporting requires both information "producers" and information "consumers" (roles that are by no means fixed). A "tone from the top" makes it easier to engage front-line managers by providing context as information moves across the organization. When information is pushed back up, it's with new insights from those in governance and operations. Providing this context ensures reports are useful and understandable to everyone, including senior management.

Boards should develop a risk-based company culture first by implementing appropriate information collection and reporting systems. The goal is to make it easy for different levels/silos to escalate information appropriately, which encourages collaboration. Direct interaction with front-line management isn't practical - or even possible - but nonetheless, boards are held responsible for material mistakes and missed opportunities that happen at any level.

These events are also called surprises, and in business, all surprises are bad. A board's best bet is to ensure quality information is delivered to the right people, at the right time, and with the proper context.

The best way to quickly and reliably escalate information is with risk management software that bridges the gaps between departments and levels. ERM software comes equipped with a taxonomy that automatically links risks, requirements, goals, resources, and processes. It also offers email and other system integration, task notification, automatic alerts, and more.

Does a Risk-Based Company Culture Inhibit Value Creation?

Some boards have expressed concern that risk management may be just another compliance burden, and that it could hinder effectiveness and innovation.

As it turns out, organizations with sustainable risk management programs have a proven 25% increase in market value - on average - compared to industry peers without such programs.

As I discussed in a recent article published in The Wall Street Journal's Risk & Compliance Journal, a risk-based company culture "shouldn't be stifling anything." In fact, risk-based concepts like regular risk assessments "should be enabling innovation as they can help better align the company's goals to its risk management processes."

Dr. Paul Walker, professor in enterprise risk management at St. John's University, has heard from numerous executives that "to not understand risk is old-fashioned and the wrong way to do business...Risk management leads to value and more disciplined companies that over the long run outperform those that don't manage risk." He adds that by better incorporating risk and compliance into business operations, executives have "a better tool set to innovate so they don't get into those situations."

There is a simple way to determine if a board's focus on risk reduction dampens productivity. Look up a company's "customer satisfaction, health and safety record over time, qualified audit reports, regulatory sanctions...," etc. When a company performs well in these categories and emphasizes the measurement of its risk culture, investors should rest assured.

One last point that's important to remember: just because a company says its risk culture is healthy doesn't mean it has strong governance or transcends departments and other working silos. Measure your own organization's risk management competency with the free RIMS Risk Maturity Model (RMM), a best-practice benchmarking tool.

Read our other blog post to learn more about building a risk management program that supports innovation. Also, read what Dr. Paul Walker and I have to say on this topic in our recent interview in The Wall Street Journal.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
