Throughout my career, many people have asked me what does effective RC entail? RC is a critical part of effective risk management – which is not only about systems, process and quantitative models, but more about changing human behaviour, how people think about risk, how they behave and the kind of organisational culture that exists within the business.
Simply put, RC is the shared perceptions, assumptions, beliefs and behaviour of an organisation based on how the organisation values, discusses or manages risk. These perceptions and behaviours are shaped by the policies, procedures and events that people experience; the behaviours they see being encouraged, condoned, or punished; how an organisation deals with its multiple tomorrows, uncertainties that lie ahead which might arise either in the near or the longer term. Moreover, they are shaped by how the organisation conforms to its own values and standards – its ethical behaviour.
In the recent past, we have witnessed the demise of prominent organisations as a result of governance failure. When looking at these exogenous shocks you cannot stop wondering about the risk culture of these organisations. I firmly believe that if an effective RC is in place within an organisation, materialised risk exposures and such shocks will not reach toxic levels.
Organisations with immature risk culture tend to fail at managing the future, change initiatives fail, the future for these organisations is always a surprise and are constantly reactive. While organisation with matured risk culture take risk-adjusted decisions and risks that are within their appetite levels, they are actually risk intelligent.
The following behaviours are demonstrated within the organisation with a mature risk culture:
A healthy RC is one that enables and rewards individuals and groups for taking the right risks that create value in an informed manner. It is, therefore, imperative to create a corporate culture which champions open communication, transparency, integrity, honesty, accountability, ownership of risk and ethical values.
RC should become a part of the business DNA, and most importantly, there needs to be the right tone from the top. Each employee must understand or be aware of how risks need to be effectively dealt with.
Risk managers play an important role in fostering or improving RC. There are various techniques to do so, such as:
At the end of the day, each employee must be empowered and be better equipped to identify and manage risks within their areas of responsibilities. No matter what role one plays in the organisation, employees can assist the business to manage its risks better – by being aware and conscious of the risks that exist in their area, and by demonstrating the right risk behaviours at all times.
The organisation will become better at identifying the risks they are exposed to – the good and bad ones – and doing something about them. This will optimise the risk-return trade-offs, improve return on capital, drive up greater levels of economic profit and ultimately create long-term value. Mostly this will contribute to both effective risk management and good corporate governance.