CHAPTER 6
Creating a Risk-Aware Culture

DOUGLAS W. BROOKS

President and Chief Executive Officer of AEGON Canada, Transamerica Life Canada and AEGON Fund Management, and Chairman of AEGON Capital Management

THE IMPORTANCE OF CULTURE

There is nothing more crucial to the success of enterprise risk management (ERM) efforts in an organization than an informed and supportive culture. Furthermore, culture is not merely an intangible concept—its elements can be defined and progress in moving toward a desired culture can be measured.

Information, technical skills, and processes are important, and some processes are necessary to assist in developing an appropriate culture. However, an organization could possess world-class technical capabilities and strong processes for collecting and reporting information, but still have a bankrupt culture so that no value was added through ERM efforts.

Defining Culture

The definition of culture used for this chapter is based on a question: “What determines how decisions are made in an organization?” The key to culture, in the context of ERM, is the impact it has on business decisions. A strong culture is one in which decisions are made in a disciplined way, taking into account considerations of risk and reward on an informed basis. This decision-making culture extends throughout the organization, from the largest strategic decisions to the most routine day-to-day business decisions.

Note that “disciplined decision making” in an ERM context does not mean that no risk is taken, or that risk is minimized. Rather, it means that decisions that create undue risk—either because they take the organization out of its defined risk appetite, or because the reward is not sufficient for the risk taken—are avoided. That does not mean that mistakes or misjudgments may not occur, but it means that the process ensured the consideration of the correct elements with the goal of optimizing the risk-return profile of the organization.

The Goals of Culture

The goal of a risk-aware culture is to ensure that all business decision makers understand and behave, recognizing:

  • The importance of identifying and assessing risks in current and potential business activities.
  • The importance of communicating current and potential risks.
  • The importance of taking risk and reward into account in business decisions.

Again, it is worth stating that the goal is to ensure that decisions taken throughout the organization are taken with these goals in mind. That means that the risk-aware culture must extend throughout the organization, and not be limited to a group either outside of—or even senior to—the individuals responsible for making business decisions for the organization.

The Importance of Culture

If one accepts that the goal of ERM is to ensure that business decisions are made to optimize stakeholder value through optimizing risk and reward, then a strong risk-aware culture is a necessary condition for success in ERM. If any elements are missing, then:

  • Not all relevant risks may be identified and assessed.
  • Decision makers may not be aware of some risks as decisions are being made.
  • Decisions may be made ignoring certain risks.

Clearly, if these circumstances occur, the organization cannot be sure that good risk-adjusted business decisions are consistently being made. Therefore, the organization cannot have a strong ERM framework.

When the Chips Are Down

Culture can be observed in a positive sense—that is, a decision-making process may be mapped out that reflects considerations about risk: risks involved with the business decision are identified, and sound risk-adjusted decisions that add value may be observed. This kind of process may, and often does, occur in almost every organization, either deliberately as the result of the creation of a risk-aware culture (whether explicitly recognized as such), or simply because organizations must have some processes that involve disciplined approaches.

However, the telling point occurs when there is pressure to make a decision that involves trade-offs between short-term gains and long-term risk-adjusted value. Short-term gains may involve sales—meeting or exceeding sales targets and market expectations; accounting gains resulting from transactions that create accounting earnings; or even personal incentive targets. If there is significant pressure to relax the organization’s risk requirements, and the organization makes a decision that is clearly counter to the risk policies and desired risk profile of the organization, it cannot have a strong risk culture.

This may occur at any level of an organization. It may occur at the top of an organization if an acquisition is being considered, and considerations of risk fall victim to the ego of the participants. They may be put aside because the participants in the transaction have “fallen in love with the deal,” and cannot bear the thought of backing out of the transaction given the work that has been put into it and the potential benefits of the transaction. These benefits may already be crystallizing in individuals’ minds as they contemplate the shape of the post-transaction business. Rewards may also incent this type of behavior. These may be tangible rewards—bonuses and salary increases—or they may be intangible because the participants in successful transactions are those recognized in the organization, given higher profiles and promotions.

At lower levels of an organization, incentives may also play a part in rewarding behaviors that involve undue risk. Individuals seeking to maximize their bonuses may take risks, particularly if their bonus is based on immediate results and downplays long-term profitability and risk. For example, a sales manager whose bonus is entirely or largely based on sales results alone has no motivation to look at risk and reward. In fact, the organization is implicitly telling the sales manager that it is sales results that are important to the organization and that by achieving and exceeding his sales targets, he has every right to believe that he is adding value to the organization.

For example, in the insurance industry certain products have substantially more risk than other products. They may also have significantly different profitability profiles. However, the commission to the agent or distributor may be the same. The message to the agent is that sales of the different products are equally valuable to the organization. This may be completely false, but it is not the distributor’s role to question the organization with respect to its products. If the sales manager’s income is based on an override of the commissions that the agents receive for selling the products, then the message to him or her is the same.

Naturally, there is a point at which simplicity of compensation structures and comparative structures within an industry must be recognized. However, organizations must have the information to determine what the consequences of their compensation structures are likely to be. In the insurance example, it may not be practical or realistic for the company to offer lower commissions on its riskier or less-profitable products to the selling agent. However, the sales managers should certainly be compensated based on the risk-adjusted profitability of the business. That again implies that the organization has and uses the information to measure the risk-adjusted profitability of the business.

Other motivations for poor risk taking may be externally driven. Competitor organizations may—apparently successfully—be taking risk. Stock analysts and other commentators may give these companies credit for this business, and their stock values may increase as a result. Additionally, just because an inappropriate risk is taken does not mean that it will not pay off. It is annoying to see poor decisions lead to good results! Nevertheless, an organization that wishes to create a strong risk culture must continue to be disciplined in the face of these pressures. That will necessarily entail strong internal and external communications—identifying why decisions that appear successful are not being taken.

There is much discussion about the cause of the subprime mortgage lending crisis and the associated and widespread market disruptions that have occurred. This is not an attempt to provide a comprehensive view of the causes of the crisis. However, at its core, the crisis resulted from plain and simple bad business. This business should not have been done in disciplined organizations. Making loans to individuals who do not have the resources to pay the true costs of the loan, and who are inappropriately leveraging their assets is fundamentally bad business. As organizations experienced success with this model (as property values increased, hiding the degree of exposure and leverage), other organizations were pressured to enter the game by the short-term thinking of the financial markets, which reward short-term business growth at the expense of long-term value and risk.

Financial and risk management models, rating agencies, regulators, and many others may take, and may legitimately share in some of the blame for the crisis, but the underlying causes were related to bad business motivated by short-term gains that were rewarded in the financial markets. How does an organization stay disciplined in the face of the market pressures that exist? It is extremely difficult to stand firm in the face of these pressures, particularly when an organization is public, and the markets determine who is deemed successful using inappropriate criteria.

Organizations must communicate effectively, both within the organization and to external stakeholders, the reasons for decisions to avoid businesses that are determined to be poor risks. Internally, this can be reinforced through compensation systems that reward long-term risk-adjusted value.

Culture Can Discourage Good Risk Taking

Culture may also result in suboptimization by discouraging appropriate risk taking. This can occur by punishing people for taking risks that do not work out, whether or not they were correct to make the decision to take the risk.

A well-known example of this in a sports context took place during the 1980 baseball playoffs between the New York Yankees and the Kansas City Royals. The Yankees had a speedy runner (Willie Randolph) on first base representing the run that would tie the game. There were two outs in the eighth inning. A ball was hit to the corner of the outfield, and the runner on first base got a good start. The third base coach recognized that the runner was a strong runner, and that the fielder who was fielding the ball was a weak thrower. The fielder would have to throw the ball to another fielder who would then relay the ball to the catcher to try to tag out the runner. Given that there were two outs, the chances of another hitter being successful in hitting safely and scoring the runner were he to stop at third were much less than 50 percent. In other words, the third base coach made a good risk-based decision to send the runner around third base toward home plate to try to score. However, in the actual event, the fielder made a good throw to the infielder who made a perfect relay to the catcher, just tagging out the runner before he would have scored. The result was that the third base coach was fired the next day. Clearly, this type of good risk-based decision making was not encouraged in the New York Yankees organization.

Similar instances occur in business. For example, decisions taken to hedge exposures to certain risks may be criticized when the risk does not materialize, particularly if other companies have taken the risk and been rewarded for doing so. This may lead to inappropriate risk taking to avoid the criticism of having spent time and resources on hedging.

Good risk-taking organizations recognize that not all well-thought-out risks will succeed. Farson and Keyes (Harvard Business Review, August 2002) refer to leaders in organizations that encourage strong risk taking as “failure-tolerant” leaders. Such leaders recognize that good decisions based on disciplined approaches are the right decisions, whether or not they work out, while sloppy, undisciplined decisions are wrong regardless of whether they result in profit.

ELEMENTS OF A RISK-AWARE CULTURE

An organization wishing to have a risk-aware culture must encourage certain behaviors and reward them, as well as putting various processes into place. Culture is all about behavior. Processes are necessary to encourage and reinforce desired behaviors.

Behavioral Elements

Actions speak louder than words. This is a simple but profound expression, and it applies directly in the area of organizational culture. Processes that exist on paper, but are not applied in practice, will be viewed as unimportant within an organization. It is only when a process is taken seriously that it actually reinforces the desired culture.

Organizations must expect the results that are encouraged both explicitly and implicitly through behaviors that are rewarded. If, for example, bonuses and promotions result from achieving sales targets at the expense of organizational risk, then the implicit message to staff is that the risk discipline of the organization is second to sales results, and the company must expect that staff will behave in a way consistent with the results that are rewarded, regardless of what may exist on paper with respect to risk discipline. In order to create and sustain a strong risk-aware culture, it is important to be deliberate and explicit about the behaviors that are expected in the organization.

Process Elements

Although behavioral elements are primary, as stated above, it is vital to create robust processes that encourage the defined behaviors. These processes include measurement, monitoring, reporting, and governance.

HOW TO CREATE A RISK-AWARE CULTURE

Creating a risk-aware culture requires a deliberate approach. It will not happen by accident. The following steps and approaches are suggested to accomplish the introduction of a strong risk-aware culture.

Defining the Elements

The first step to creating a risk-aware culture is to know what elements that culture should contain. There have been attempts to define the elements of a risk-aware culture. Risk Manager magazine (Issue 3, February 2004) contained the following list of characteristics:

  • Strong leadership within the organization and its projects.
  • Devolving risk management to the workplace.
  • Participative management style.
  • Utilizing knowledge of all staff and team members.
  • Encouraging staff to be accountable for their actions.
  • Enabling capture of risk at all levels of the organization or area/project chosen for the risk assessment.
  • Determining controls before risks occur.
  • Improving communication and teamwork.
  • Encouraging risk awareness across the organization.

This list describes some of the attributes of an organization that has a risk-aware culture. Another approach is to define the elements of a culture that should result in these desirable characteristics. The following is a list of elements developed as part of an ERM framework in one organization that the author of this chapter worked in:

  • Acting with integrity.
  • Understanding impacts on customers.
  • Embedded risk management—discipline.
  • Full and transparent communication.
  • Collaborative decision making.
  • Alignment of incentives and rewards.

It is important that an organization develop cultural elements that it believes will lead to sound decision making and that it is willing to commit to encouraging and rewarding within the organization.

Measuring and Monitoring

Results in most business endeavors are achieved by having measures of success and monitoring progress toward goals using these measures. The same can be true for progress toward cultural goals as well as financial objectives or the implementation of operational objectives. Measurement can be based on nonfinancial information, and on information that is not in the organization’s financial accounts. For example, if a defined element of an organization’s risk culture is “participative management style,” or “collaborative decision making,” there is likely no source of information available except to ask people within the organization about how decisions are made.

The structure and handling of a survey to glean information about such processes in an organization is critical to its success. The survey must be nonthreatening—individuals must be free to give honest answers to questions without fear of reprisal. Guaranteed anonymity is an important characteristic of a successful survey. The survey must also be repeatable—that is, consistent responses producing reliable trends should be generated when the survey is repeated. To measure progress, it is necessary to perform the survey periodically. The survey must also pose questions that are designed to get at the heart of the cultural elements that it is designed to identify and measure. It is beyond the scope of this chapter to determine how to best structure a survey to get the desired objective results. However, such expertise is available, and should be sought to ensure valid results.

Involvement and Buy-In

Implementing a strong risk-aware culture requires the buy-in of those in the organization. A step that can significantly increase the success of the buy-in process is the involvement of the organization, or at least key people within the organization, in the definition of the desired culture. Involvement in the creation of an objective is one of the best ways to create buy-in for any goal. People will generally develop ownership of goals and objectives that they work to create.

Openness

A strong risk culture cannot exist in an organization that discourages open communication. Full and transparent communication is an integral part of a risk-aware culture. Ideas and questions must be encouraged, and not explicitly or implicitly discouraged. Negative behavior can occur in many ways:

  • Individuals, particularly senior-level ones, may dominate discussions with the implication that other points of view are discouraged.
  • There may be topics that are “taboo” in organizations, discouraging openness in questioning business models or approaches.
  • Models may be seen as “unquestionable,” or answers about their functioning and use may be brushed off by technical specialists.
  • Organizations may get tunnel vision as a result of the overly homogeneous composition of decision-making groups, when it is often a question from a different perspective that causes an “ah ha” in understanding.
  • Shooting the messenger is an obvious way of discouraging people from bringing issues to the fore.
  • Decisions may be made based on emotion, or pleasing senior-level people, rather than based on facts—clearly discussions should not be closed without fact-based evidence.

Strong organizations will display the opposites of these approaches, encouraging the raising of issues and questioning from differing perspectives on any topics, and basing decisions as far as possible on fact.

Tone from the Top

Virtually every organizational change objective will identify “tone from the top” as a key element. With culture, tone is critical, and the support must be behavioral as well as simply providing funding or resources. It is up to leadership to effectively define the culture of the organization by encouraging, discouraging, and exhibiting certain behaviors.

Alignment of Incentives and Rewards—Walking the Talk

Incentives and rewards, and the importance of their alignment with corporate objectives, cannot be overemphasized. Employees will exhibit behaviors that are rewarded and/or that minimize stress in the workplace. Incentive compensation systems implicitly put value on certain results. Employees have every right to assume that the goals identified in the incentive compensation system are those that the employer wishes them to achieve to add value to the organization. If these goals do not include proper recognition of risk and reward, then the organization will reap what it sows, and take on inappropriate risk.

Rewards cannot always be in the form of compensation. Organizations reward behaviors through promotions and recognition. While an organization may give lip service to risk, and to risk-based decision making, the stronger messages are given by those behaviors that are actually rewarded within the organization.

WHAT DOES RISK MANAGEMENT HAVE TO DO?

The risk management function bears some of the responsibility for developing an appropriate risk-aware culture within an organization. This goes beyond defining the elements of the culture, monitoring them, and determining new initiatives and directions intended to promote the desired characteristics of the culture. It has to do with the risk management area’s own behaviors.

Those within risk management departments in organizations, particularly in technical and financial industries, will be strong technicians. Training has been largely technical, and rewarded behaviors have been largely technically oriented. However, communication and even marketing skills are also important attributes for those in risk management functions. Risk managers must be able to provide rationale for their decisions and input to business decisions. It may be necessary to veto a new product, if it does not satisfy the organization’s risk-weighted return objectives, or if it involves risks that the company is not capable of taking on and managing effectively. However, in doing so, the risk manager must be able to clearly explain the reasons for the recommendation, as well as show empathy for the business personnel who may have invested significant time in the project. Involving risk management early in development processes is another key characteristic of a risk-aware organization.

Those in risk management areas must also appreciate the business that they are in. Business managers will respect the opinions of risk managers and others outside their businesses if those individuals demonstrate an understanding of the business and its objectives. People who have no experience in business will lack credibility and will be dismissed by business leaders.

Solid and reliable data is another requirement to gaining credibility within an organization. Data that is suspect, or that can be challenged, will be ignored and conclusions drawn from it will rightly be disregarded. Therefore, a risk management function must do its own diligence on its information.

Risk management areas must also be wary of being perceived as “crying wolf.” The issues raised must be real issues, and of sufficient importance to warrant changes to business plans and projects. Again, understanding the business will assist in determining the relevance and magnitude of issues, as well as the ability to communicate their importance to those making the business decisions. Not all issues that are raised as potential risks will actually play out as real risks. The market or other conditions that may lead to a risk materializing may not occur, which does not mean that the risk identified and raised was not appropriate. However, it is a challenge that risk management areas must overcome.

Risk management should not run the organization. It is the function of the risk management area to provide information, analysis, and processes to management that will allow good risk-based decision making. This was the approach taken at Hydro One, where the Corporate Risk Management Group received the Sir Graham Day Award for Excellence in Culture Change in 2002 as a result of helping to embed enterprise risk management throughout the organization.

CONCLUSION

To be successful in risk management, organizations must recognize the importance of encouraging and rewarding disciplined behaviors, as well as openness in communication. In his book Strategic Risk Taking: A Framework for Risk Management, Aswath Damodaran concludes in Chapter 12 with a number of principles that affect the success of risk management. It is no surprise that several of these principles speak directly to culture:

  • Managing risk well is the essence of good business practice and is everyone’s responsibility.
  • To succeed at risk management, you have to embed it in the organization through its structure and culture and get the right people.

REFERENCES

Damodaran, Aswath. 2008. Strategic risk taking: A framework for risk management. (Upper Saddle River, NJ: Wharton School Publishing).

ABOUT THE AUTHOR

Doug Brooks was appointed President and CEO of AEGON Canada, Transamerica Life Canada, and AEGON Fund Management, and Chairman of AEGON Capital Management on September 24, 2008. Mr. Brooks has extensive experience in the life insurance industry. From 2002 to 2006, Mr. Brooks was Chief Risk Officer of Sun Life Financial. A graduate of the University of Waterloo in mathematics and actuarial science, Mr. Brooks has been active in the insurance industry and served in numerous leadership positions, particularly the Society of Actuaries and the Canadian Institute of Actuaries, where he is a past member of the board of directors. He was chair of the Joint Risk Management Section of the Canadian Institute of Actuaries, Casualty Actuarial Society, and Society of Actuaries in 2006–2007. Mr. Brooks is a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), a Fellow of the Canadian Institute of Actuaries (FCIA) and a Member of the American Academy of Actuaries (MAAA).
