The collapse of Enron and other corporate scandals in the early 2000s demonstrated how imprudent company cultures can lead to unethical practices and outright fraud. The more recent implosion of Lehman Brothers showed how a culture of risk-taking pervaded financial institutions and precipitated the global financial meltdown.
Risk management consultants play a key role in helping companies prevent fraud by installing an effective and vibrant risk culture in companies. A healthy risk culture gives employees a stake in risk management. Employees’ basic principles, values, and attitudes – as well as their understanding of how to deal with risk – shape a company’s risk culture. An appropriate risk culture is necessary for corporate risk management procedures to work effectively.
Compliance with the Sarbanes-Oxley Act (SOX) requires that employees directly involved in internal controls be fully aware of risks. For the company’s internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top – the ethical atmosphere that the organisation’s leadership creates – is fundamental. But exemplary leadership does not automatically lead to an effective risk culture, nor does it guarantee a properly functioning internal control system.
This article addresses enterprise managers’ opportunities and obligations to build strong risk cultures and how risk management consultants can support those efforts.
Shaping risk culture
Annual reports typically convey the impression that companies have implemented effective risk management procedures. But risk culture is often neglected as an integral part of corporate risk management.
According to the model of corporate culture developed by Professor Edgar Schein of the MIT Sloan School of Management, three elements determine the risk culture of an enterprise: (1) Basic assumptions, (2) Values, and (3) Artifacts and Creations. (“Coming to a New Awareness of Organisational Culture,” Sloan Management Review, Winter 1984).
Basic assumptions are the foundation of corporate culture. They are the invisible matters of organisational and environmental relations that are commonly taken for granted. Employees’ perceptions, thoughts, and feelings about risks shape a company’s risk culture.
Values determine employees’ moral and behavioural standards. Principles, unwritten guidelines, and taboos that employees respect come from these values. Often these values are only partially visible from employees’ outward conduct.
Artifacts and creations are the tangible components of a company’s risk management system. They include a risk manual, a risk manager, a risk committee, published risk principles and guidelines, an IT-based risk reporting system, a printed risk report included in the annual report, and employee risk workshops. Such items are clearly visible and allow risk managers to understand the existing risk culture of an enterprise. The presence or absence of artifacts and creations enables managers to evaluate and shape the company’s risk culture.
Four steps for shaping risk culture
A plan for shaping risk culture in an enterprise should contain four steps:
- Create a team to lead the process
- Evaluate the existing risk culture
- Determine what the desired risk culture should look like
- Devise and implement an action plan to build the new risk culture
Create a risk culture team
Management should appoint a person independent of the enterprise (possibly an external risk management consultant) to lead the risk culture team. Members can include not only top management and the risk-controlling department, but also board members and internal/external auditors.
Evaluate the existing culture
Ultimately, employees should diagnose their company’s risk culture free of external forces imposing views on them. However, the members of the risk culture team should be responsible for discovering the employees’ views on the existing risk culture and what it should become.
The team should speak with all company employees so the entire staff is sensitised to the risk-culture topic. Standardised and anonymous questionnaires usually elicit more honest responses to questions about the “risk appetite” of the company.
The independent coordinator and the members of the risk-culture team should prepare an analysis workshop for selected upper management and cultural leaders to help uncover the invisible basic assumptions that are fundamental to the enterprise’s values.
In addition to the analysis workshop, the risk culture team should individually interview each member of top management to promote high interactivity and frankness. These interviews prompt senior managers to think deeply about the range of possibilities for shaping a new risk culture.
The members of the risk culture team then conduct a critical review of the existing culture based on the results of the enterprise-wide survey, the analysis workshop, and the individual interviews.
Determine the desired risk culture
The profile of the target culture will be based on the same factors that were used to evaluate the existing culture. Reorientation of the company culture is possible only if there is a compelling reason and a shared understanding of the need for cultural change among managers and employees. The foremost goal of cultural reorientation is to sensitise every employee to the necessity of conscious handling of corporate risks.
The fourth step in the risk culture programme is the formulation of an actionable plan to realise the new cultural vision. Senior management is responsible for implementing and monitoring this plan. New orientation patterns are accompanied by new signals and formats as well as an update of artifacts and creations.
Securing “buy-in” from employees is crucial to the success of the action plan. They must know that their input was instrumental in creating the new policies and that their continued involvement is essential. Transparency and communication are key to making this happen. All employees must understand that they each have a continuing role to play. Management should reward risk-sensitive behaviour that helps build the target culture and discourages unethical behaviour.
Once the action plan begins to initiate cultural change in the enterprise, it is common to see unanticipated consequences. Erroneous trends (such as irritated employees or adverse cultural developments) can surface that require monitoring and correction. A new risk culture is vulnerable to undesired changes. Management must therefore continuously observe and evaluate newly implemented risk-culture measures.
The figure overleaf summarises the factors and effects of an appropriate risk culture.
Rewards of success
A well-conceived risk culture creates enterprise-wide accepted guidelines for managing risks. It simplifies coordination among all employees and clarifies how each individual should handle his or her job with regard to risks. Operating in a strong culture, employees take ownership of their own risks and even those of their co-workers.
A healthy risk culture conveys solidarity; employees believe that they are an integral part of the corporate culture. It engenders a strong sense of belonging and motivates individual workers to become active participants in the welfare of their company.
A dynamic risk culture increases employees’ awareness of corporate risks. Not only will employees become supportive of the basic structures and processes of risk management, they will also become mindful of the fact that they are an important part of a risk management system that deters fraud and reduces threats to business continuity.
This is a shortened and revised version of an article first published in Fraud Magazine, November/December 2009. The author is Oliver Bungartz, Head of Enterprise Risk Management (ERM) Services at RSM Germany. His e-mail address is [email protected]
Oliver Bungartz, Ph.D., CIA, CISA, CFE, CGAP, CCSA.
Before becoming Head of “Enterprise Risk Management (ERM)” at RSM Germany, Oliver worked in the “Risk Advisory Services (RAS)” department of MAZARS Hemmelrath and at the Technical University of Munich (TUM). Internal auditing, risk management, internal control systems and corporate governance are the main areas of his activities. His publications cover topics including risk reporting, risk culture, enterprise risk management, internal control systems, (internal) auditing and accounting.
Oliver gained wide practical experience by participating in multiple Sarbanes-Oxley Act (SOX) 404, Internal Audit, Internal Controls and Risk Management engagements for clients working in different industries and countries (e.g. Austria, Switzerland, Italy, Spain, Poland, Slovak Republic, Russia, Netherlands, UK).
Oliver is a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Government Auditing Professional (CGAP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE) and holds the Certification in Control Self-Assessment (CCSA). He is a member of the “International Accounting Research Institute”, the “Risk Management Association e.V. (RMA)”, the German Institute of Internal Auditors (IIA), the “Information Systems Audit and Control Association (ISACA)” and the “Association of Certified Fraud Examiners (ACFE)”. The IIA in Germany and in the USA has registered him as an officially certified Quality Assessor / Validator.
Technical University of Munich (TUM), Munich, Germany: Doctor of Economics (Ph.D.)
Westfälische Wilhelms-Universität (WWU), Münster, Germany: Diploma in Business Administration
Oliver Bungartz, Ph.D.
Head of Enterprise Risk Management