Risk culture has been a hot topic of late. For example, it’s common to hear claims that culture is the most undervalued aspect of risk, or that it is the element most critical for the Board’s management of risks. If that seems a stretch, consider our recent credit crunch, and see the film, The Big Short. The importance of culture in corporate risk may be the one thing on which we all agree – all but a few die-hard quants.
Despite agreement on the importance of risk culture, the topic gets rather thin coverage in many frameworks. What then, might an ideal risk culture be?
On most accounts, risk culture involves the values, norms, beliefs, ethics and attitudes about risk shared by a group. Most writings on the topic also include the claim that senior management must be the driver of change to an effective risk culture. It’s a plausible claim, since there are few alternative sources. Regulatory bodies don’t seem to have that effect on employees, and organic growth of optimal risk culture seems unlikely.
Two fields I have experience in – aviation and pharmaceuticals – immediately come to mind. In aviation, risk is deeply embedded at nearly all levels of organizations. Oddly, the aviation industry started out with an affable relationship with its regulator. It has cooled slightly in recent decades, but is still today far from contentious. In pharmaceuticals, risk culture is poorly developed, and relationships with the FDA are often adversarial.
This dichotomy likely stems more from accidental environmental factors than from any inherent differences in dispositions or competencies between the fields. Commercial aviation was lucky enough to emerge at a time when the FAA was so resource-strapped that it was forced into a tight partnership with aircraft builders – a situation from which we all benefited greatly. The early FDA had a much broader scope, and was regulating a vastly larger number of suppliers (food, drugs, tobacco, etc.) who were much less virtuous. The FDA’s short leash had the unwanted side-effect of fostering a culture where risk management is equated with regulatory compliance. Attempts to move beyond that state (e.g., in ICH Q8, 9, and 10) have been slow to progress.
Lessons from the comparison between the two fields? To start, risk culture is real. Safety risk in passenger flight has fallen by a factor of a thousand or more, in a risk culture that extends from subcontractors to pilots to controllers. Technological advances cannot claim all the credit for this. Aviation workers are proud of their work. The motivation for doing the right thing is intrinsic, and the goals of workers align reasonably well with those of management and regulators.
Second, no external agent (agency) can supply your firm with risk-avoidance. A regulator might protect society from a firm’s evils and errors, but it won’t protect the firm from itself. The FDA only cares about a pharma firm’s bottom line to the extent that it seeks to prevent drug-availability crises.
The uncommonly beneficial state of risk culture in commercial aviation, which was not imposed, but grew organically, could be taken as an argument that kick-starting something similar in a random firm will be impossible. It need not be. But it will require a different tool kit than what’s in the standard ERM bag, because we’re now squarely in the realm of Change Management.
Michael Beer and John Kotter are my two favorite Change Management writers (Beer hates the term). They disagree on quite a lot; but they agree that any time the CEO needs to push a cultural change downstream, he first has to be seen as walking the walk. That is, there must be a vision; and management must embody it. The vision need not be mystical, Beer points out.
Further, employees must believe top and middle management is committed to the vision; and that management isn’t shallow, or deceiving themselves with hogwash about yet another strategic initiative.
Kotter and Beer, along with Bert Spector and Russell Eisenstat, all agree that under-communicating the vision – in this case, the risk culture objective – is a leading cause of failed transformation efforts. Frequent communications, using every possible channel, over a long period, are essential. The purpose is not to coerce workers into compliance. It is to demonstrate the relevance of the vision and to train by example. Kotter notes that even with several communications per week, if management behavior is antithetical to the vision, cynicism spreads fast, and no one believes the communications.
Drawing on the aviation example, I think we might strengthen the Change Management experts’ points for the specific area of risk culture by observing that clear goals, purpose, autonomy, continuous feedback, and a sense of control greatly add to development of inner standards and pride of work. These intrinsic motivators apply at levels from factory workers to the CFO. Worker engagement leads to trust; and trust promotes acceptance of shared values, norms, beliefs, and ethics, which is what definitions of risk culture rightly tell us should be our goal.