Unit 3: Risk Culture, Ethics And Behaviour Flashcards
How can the reputational risk presented by employees, management or director misbehaviour be addressed?
This risk is addressed by considering corporate social responsibility and business ethics. The best way to ensure a robust risk culture, business ethics, and social responsibility within an organisation is to have corporate directors and executives who lead by example and set the tone from the top.
What are the dangers of following risk policies and procedures blindly?
Many case studies of disasters have shown that following risk policies and procedures blindly, irrespective of the context, may be as disastrous as having no policy at all. Some disasters have been mitigated by individuals using their best risk judgement, going against the written procedure.
Why are rule books, codes of ethics, policies and procedures not enough?
There are 5 main problems with rules:
1) Mechanics not dynamics - rules can only ever deal with the mechanics of business; they cannot on their own influence the beliefs and behaviours that create the culture of the organisation.
2) Understanding the rules - rules can get very complex. The legal profession trains for years in order to understand and interpret, normally, just one aspect of the law. However, many in key decision-making positions within companies do not see understanding and interpreting the rules as their primary role. Even when training is provided we cannot be certain the individual has fully understood.
3) The loss of wisdom, the ticking of boxes - rules can create a tick-box approach and remove an element of responsibility.
4) Gaming - once a rule is established it is human nature to work out how to take advantage of it. The more complex it is, the more ambiguity there is. Whole industries have developed to work out how to game these rules, e.g. tax rules.
5) Maintaining the rules - rules have to be maintained. The more rules there are, the more burdensome this becomes.
So it is evident that to be effective rules need to be supported by the culture in which they operate. In certain cultures rules might have the opposite effect to the one intended.
How can issues with risk culture be addressed?
Since all organisations are made up of individuals, it seems natural to start with each employee's personal predisposition or attitude to risk, sense of ethics and beliefs, which could be assessed through interviews or surveys (Steinberg, 2011).
These influence employee behaviours, which can be observed in the workplace. These behaviours - together with examples set by leaders and the norms and rules of the company (not only written procedures but how they are applied, followed and enforced in practice) - determine its organisational culture.
How does IRM recommend improving risk culture?
By adopting the ‘Double S’ model developed by Goffee and Jones (1998) and applying it to risk management, IRM proposes to assess an organisation's culture along two dimensions: sociability (how well people get along in the organisation) and solidarity (how strongly people are focused on accomplishing tasks to achieve goals and team performance). See Double S (Sociability v Solidarity) model.
The organisation's risk culture results from all these influences. The IRM recommends that organisations self-assess their risk culture in four areas: tone at the top, governance, competency and decision making (Risk Culture Aspects Model diagram).
Describe the IRM Risk Culture Aspects Model
The four areas of the Risk Culture Aspects Model are built from eight important elements.
Tone from the top:
• risk leadership
• how the organisation responds to bad news
Governance:
• the clarity of accountability for managing risk
• the transparency and timeliness of risk information
Competency:
• the status, resources and empowerment of the risk function
• risk skills - the embedding of risk management skills across the organisation
Decision making:
• well-informed risk decisions
• appropriate risk taking rewarded and performance management linked to risk taking
How does David Cole, CFO, Swiss Re define risk culture?
“The expected behaviours needed to provide confidence that a company is operating in accordance with its stated risk tolerance”.
He adds that “risk culture underpins all aspects of risk management” (Cole, 2014).
What four elements underpin risk culture at Swiss Re?
- Controlled risk taking: a risk control framework that includes exposure limits, contract restrictions and referral processes reinforced by performance reviews, incentives and remuneration.
- Clear accountability: a delegation of authority in which everyone is asked to assume their decisions, reinforced through incentives that are aligned with business objectives.
- Independent risk controlling function: transparently giving risk management, internal audit and external audit unrestricted access to risk origination, modelling, management and controls.
- Transparency: fostering knowledge sharing through regular dialogue, facilitation processes and reporting, with a goal to create mutual trust on risk and avoid surprises.
“As the ability to demonstrate a strong risk culture is becoming a foundation for market confidence, the risk manager’s contribution creates essential value for the company” (Cole, 2014).
Describe the IRM's 10-point practice plan for implementing risk culture changes
1) Evaluate the current risk culture
2) Consider how many risk cultures might be present
3) Analyse the findings of the evaluation
4) Define a target for the desired future risk culture
5) Consider the consequences of the required culture change
6) Scope out a risk culture change programme
7) Risk assess the culture change programme
8) Plan how this will be delivered in practice
9) Evaluate progress as the basis of continuous improvement
10) Recognise that the journey is as important as the destination in the formation of a risk culture
What risk culture changes occurred after the 2008 financial crisis?
Sometimes a change in risk culture requires a more fundamental change in organisational culture. One company that considered ‘tone from the top’ and communication when it initiated such a change is Deutsche Bank. Considering that the 2008 financial crisis had undermined its clients' trust in the bank, it undertook a multi-year cultural change.
What timeframe is expected for a change of risk culture?
Enterprise Risk Management, and particularly work on risk culture, is a change management program. Therefore change management techniques and disciplines apply. While it might take a year to implement a risk management framework, changing a risk culture may take three to five years, or even more.
What process is recommended by IRM to change a risk culture?
In Risk Culture Under the Microscope, Guidance for Boards (2012a), the IRM recommends that firms:
• Evaluate the current risk culture
• Measure the impact of the current risk culture
• Determine what would improve the organisation's risk culture
• Plan and implement a cultural change
• Monitor and adapt to changes
How can employees be incentivised to do the right thing?
One of the effective tools to move an organisation towards a desired risk culture, and maintain it, is the performance appraisal, pay review and promotion system.
The IRM Risk Culture Aspects Model specifically covers reward as a key element of risk culture.
Following the 2008 financial crisis, much attention has been given to the influence of compensation on risk-taking behaviours. KPMG (2009) indicate that the “majority of CROs, risk professionals and other senior managers… acknowledge that the industry as a whole had an inadequate framework for controlling risk. They also admit that the prevailing organisational culture did not stop excessive risk taking, fuelled by a system of profit-based rewards that failed to protect the needs of depositors”.
Define Corporate Social Responsibility.
CSR has been defined by many scholars. For example, Kelly and Ashwin defined it as a measure of the impact that an organisation has on society and the environment as a result of its actions, and the extent to which the organisation recognises and acts on the responsibilities it has in relation to this impact (Kelly and Ashwin, 2013).
The UK Government's Department for Business, Innovation and Skills (2014) defines what it calls more simply ‘corporate responsibility’ as “the voluntary action businesses take over and above the legal requirements to manage and enhance economic, environmental and societal impacts”.
What risks most often cause loss of reputation?
Loss of reputation is most often caused by internal risks: those arising from people, processes, policies and procedures, particularly from bad actions or decisions (or the lack thereof) of employees, management or directors. CSR and ethics are considered good tools to manage reputation risk and safeguard the long-term value of organisations.