We have all seen the brazen headlines depicting the latest fraud scandal and organisations crumbling as a result. We are saturated with recommendations, codes, standards and acts concerning Corporate Governance and Risk Management. Honing the risk-conscious culture in today’s uncertain, tech-boom world is ever more crucial to avoid the next headline pointing at you.
Risk awareness for all employees is vital for successful risk management and fraud prevention. Underpinning this idea, is compliance with the Sarbanes-Oxley (SOX) Act with regards to internal controls as this requires almost everyone within the business to be aware of potential risks, regardless of their position. The “tone at the top” may be fundamental but it does not guarantee an effective internal control system – these may be perfectly designed yet rendered useless unless each and every employee is aware of risks and an appropriate risk culture has been established throughout the entire organisation – only then will an internal control system fulfill its desired purpose.
An entity’s risk appetite is just one aspect of risk culture. Risk culture and the control environment are not mutually exclusive. Risk culture helps employees to understand and follow internal controls and the same applies inversely; the control environment is heavily influenced by the risk culture. Establishing a risk-conscious culture can be therefore considered key for SOX compliance as well as a successful fraud prevention programme.
1. Shaping risk culture as an important part of corporate culture
There are finite and detailed recommendations for risk management in economic literature and organisations’ annual reports would suggest that every business has implemented a system for managing risks. However, risk culture as a significant aspect of risk management seems to have been neglected by both the literature and reporting enterprises. The underlying norms, values and attitudes of employees, as well as their understanding and experience of dealing with risk determine the risk culture of an enterprise. Risk management is primarily influenced by risk culture as an important part of corporate culture which begs the question: how can you influence the risk culture of an organisation?
Shaping risk culture encompasses activities that lead to a proper appropriate and desirable risk culture. The creation of a risk culture must follow the evolutionary character of corporate culture. Expediting the cultural change process resulting in an immediate cultural change that still meets its objectives i.e. a “cultural revolution”, is unlikely. A cultural revolution is rare and occurs only by exception e.g. by changing the entire management of an organisation.
The plan for shaping the risk culture of an organisation should be carried out in three stages:
- Firstly, identify the existing risk culture
- Secondly, an analysis and evaluation of this should take place which will result in determining a desirable risk culture going forward
- Lastly, an action plan will allow for the implementation of the new risk culture.
2. Identification of the existing risk culture
According to Edgar Schein’s model of corporate culture, there are three levels that determine and describe the risk culture of an enterprise:
- Basic assumptions
- Artefacts and creations
Basic assumptions are the foundation of corporate culture. They are invisible, preconscious and taken for granted. Basic assumptions are intrinsic to organisational relations; they are the basis of human nature, the nature of human activity and relationships and, most importantly, the nature of reality and truth. Embodied are the concepts of time, space and how people relate to each other. The basic perceptions, thoughts and feelings of employees about risks as well as the inherent way employees experience risks are the basic assumptions of a risk culture.
The level of values attempts to cover all basic assumptions. Values are reflected in moral conceptions and behavioral standards, maxims, unwritten guidelines and proscriptions that all have an impact on employees. Values, the second level of corporate culture, are partially visible.
The final level, artifacts and creations contains forms of appearance that are clearly visible but often not decipherable. Examples of artifacts and creations of a risk management system include: a risk manual, the existence of a risk manager/risk committee, the publication of risk principles and guidelines, an IT-based risk reporting system, a printed risk report included in the annual report as well as the delivery of risk workshops. Visible forms of a risk management system allow for conclusions on the existing risk culture of an enterprise. The artifacts and creations level enables the description, the evaluation and the shaping of a risk culture.
The identification of the existing culture assumes a changed level of awareness that sensitises the employees for corporate risks. Sensitisation of employees for the risks of their enterprise supports the basic structures and processes of risk management. Risk awareness of employees can be interpreted as an expression of a risk-orientated corporate culture. A greater level of risk awareness is achieved through the appointment of powerful cultural leaders. Board members, the C-suite, management, internal and external auditors will also influence risk culture. Ultimately, risk culture is influenced by all employees.
A three-step model is proposed in the identification of the existing risk culture:
(1) Questioning of all employees
All employees in the organisation should be questioned in relation to risk culture. Through this process, not only will everyone become aware of the risk culture topic but a sense of what the new risk culture should look like will also be sought.
(2) Analysis and Interpretation workshop
A workshop with designated employees helps to find basic assumptions underlying the true rules (level of Norms and Values in the model of risk culture) of the enterprise.
(3) Questioning of the C-Suite / Management
One-to-one interviews should be the method of questioning used with management as these enable a deeper analysis through increased Interactivity. Obtaining a truthful and genuine account from management is the highest priority.
Identification of the existing risk culture is primarily achieved through observations. All steps of the identification stage can be supported by external consultants for assuring independence of the conclusions reached. The denouement of the existing risk culture must always be reached via members of the organisation and must not be forced or influenced upon employees from outside the business.
The identification of the existing risk culture is an assumption and provides the basis for the evaluation stage. It will also demonstrate what the new risk culture should look like.
3. Evaluation of the existing culture to determine a new risk culture
A critical review of the existing culture forms the basis of a planned change in risk culture. Cultural change is only possible so long as there is sufficient reason and an understanding of its necessity. The change is supposed to move existing risk culture towards the pre-determined desired culture. The evolution of culture should contribute to a conscious handling of risks by every employee throughout the hierarchy of the organisation.
Factors of influence for a risk culture are strongly interdependent. An adequate and desirable risk culture results in:
Risk culture should create enterprise-wide accepted guidelines for managing risks.
Risk culture should convey harmony and unity thereby encouraging the overall safeguarding of an employee’s activities.
Motivation is closely connected to integration. Cultural integration increases a sense of belonging and perception, both of which motivate employees.
Consideration of all these factors are necessary in shaping a risk culture that encourages and enables comprehensive risk management.
4. Action plan for shaping risk culture
Measures for cultural development include all activities that contribute to a goal-orientated cultural change. Activities for change result from a comparison between the existing risk culture and the desired risk culture. Cultural change has an impact on all factors of risk culture. To influence a specific element of risk culture is neither possible nor desirable. Measures of cultural change influence multiple factors of risk culture. This highlights the varied perspective of a risk culture. Possible measures for changing a risk culture include the:
(1) Introduction and implementation of a risk policy
(2) Integration of employees and other personnel measures
(3) Introduction of a risk suggestion system
The proposed measures and tools can only initiate cultural change. Initiating a change in risk culture can have unexpected affects. Any negative consequences of the change can be identified, discussed and corrected, if necessary. Owing to this, monitoring of changes is vital. In order to ensure the new risk culture remains constant, the newly implemented measures must be stabilised.
'A high level of risk awareness of management, an appropriate corporate risk culture and the establishment of an integrated risk management system are all of the necessary requirements to sustain the success of an organisation for the future. '
5. Appropriate risk culture; a necessary condition for an effective risk management
An appropriate risk culture is required before a risk management system is able to work effectively. Corporate risk culture should always be monitored as it is open to fluctuation.
Risk culture consists of three levels: (1) Basic assumptions, (2) Values and (3) Artifacts and creations. The existing risk culture should be analysed using the different stages described above. The various factors of risk culture are used to evaluate existing risk culture in the enterprise. Consideration of all risk culture factors lead to the desired new risk culture which should follow three stages: coordination, integration and motivation. Introduction of new orientation patterns, signals and display formats tend to result in the willingness for cultural change. Cultural change can be introduced through risk policies, personnel measures and a risk-suggestion system. The process of cultural change is characterised by intensive observation and monitoring of measures for changing risk culture in the enterprise.
A high level of risk awareness of management, an appropriate corporate risk culture and the establishment of an integrated risk management system are all of the necessary requirements to sustain the success of an organisation for the future. They will also support in the avoidance of fraud and threats that could jeopardise business continuity.
Peter Drucker coined the term “culture eats strategy for breakfast”, and later, allegedly, went on to say that it gets its appetite from purpose. Another Peter, (Davis) declared that, in fact, “culture eats process for breakfast”. Before getting peckish, I’ll leave you with this – an appropriate corporate risk culture trumps it all.
Dr. Oliver Bungartz
Partner, Head of Risk Advisory Services, RSM Germany