According to you, developing a strong risk culture is a new risk management fad, hyperbole or a necessity? Moreover, if it is a necessity why are organizations not focusing on it? In my view, building a risk culture within the organization helps in achieving the strategic objectives of the company. Hence, while we think that the focus on risk culture is required to address operational and financial risks, it gains paramount importance for managing strategic risks. Now this statement may sound somewhat unconvincing to some of you, so here are the reasons for the same.
As I had mentioned in the previous posts, corporate world is not doing a good job in formulating strategies. According to McKinsey survey, just 6.5% organizations have effective measures to develop strategies. Secondly, 32% in effective group and 51% in other group state that decision makers are averse to taking risks and see emerging business opportunities as riskier. As per the survey “Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG” – just 41% of the organizations involve risk management function in formulating and implementing corporate strategy. The obvious point we are missing in this data is that CEOs and boards do not have the right information on associated risks for the selected strategies. The reasons are that either nobody down the line is aware of them or is unwilling to inform CXOs. Both these issues arise due to lack of a risk culture within the organization.
Let us study how this problem on lack of information and/or communication on risks occur within the organization. A risk culture can be measured by the degree to which employees of the organization understand that all their business decisions result in some risks which need to be mitigated and have to be within the purview of legal laws. A KPMG survey on Risk Culture highlighted that “58% of corporate Board members and internal auditors stated that their company’s employees had little or no understanding of how risk exposures should be assessed for likelihood and impact. One-third of those same respondents also said that key leaders in their organization had no formal risk management training or guidance, with only 16 percent receiving at least annual training.” The results show that employees do not consider risks consciously or unconsciously while making decisions. Hence, from top to bottom of the organization makes decisions without a clear understanding of associated risks.
In case of operational decisions if the employee does not weigh risks, the decision can go awry later. Now add to this the problem of the organization having deviant organization culture or a passive aggressive culture. Here, the employees will have a “can do” attitude rather than “do the right thing attitude”. Management rewards employees for complete obedience instead of sharing ideas, the employees will not inform CXOs that their baby is ugly. The employees’ cleanup upward information flow of bad messages and ensure political correctness. Hence, the collective information available with CXOs to make strategic decisions is biased towards their perceived viewpoints and to some extent maybe inaccurate.
The vicious circle works in a manner where everyone massages the information. For example, in organization ABC the national marketing head gave instructions to regional marketing head to sell X product. The regional marketing head sees various challenges in selling X product in the specific region because of local culture, however refrains from informing the national marketing head. He believes that his explanation will be considered as excuses not to market the product and he may be terminated because of it. Now the national marketing head has an incorrect view sales targets of X product as he overlooks the hesitation he noticed in the regional heads message. He happily presents the rosy picture to the CEO and board. The board approves another strategy based on this information. As in the whole chain, no one has highlighted and discussed risks; the likelihood of failure of the strategic decision is high.
Some of the risks are not easy to understand and without a good risk culture, the red flags are ignored. A recent case is the Cadbury advertisement “Move over Naomi there is a new diva in town” Naomi Campbell reacted with dismay saying – “It’s upsetting to be described as chocolate, not just for me but for all black women and black people,” she said. “I do not find any humor in this. It is insulting and hurtful.” Whether the advertisement is racist or not is a secondary issue. Someone in Cadbury should have realized that a woman wouldn’t appreciate being objectified and compared to a food item however delicious it is. Common sense, I would say. Think of it, if a female compliments a man saying – You are like a pomegranate, hard from the outside, juicy inside. Would my male readers do a count as to how many find it flattering? Cadbury belatedly realized the obvious and apologized subsequently after suffering reputation and brand damage. While I am not aware of internal workings of Cadbury this incident shows that risks may not have been appropriately analyzed in decision-making.
Building a risk culture should be a imperative in the organization and if it is not then the risk managers and senior management are unable to see the forest from the trees. A healthy risk culture ensures leadership team gives consistent and clear messages regarding risk appetite, discusses ‘what can go wrong’ for each decision, prefers to do the right thing, rewards ethical decisions and punishes employees for inappropriate risk taking and unethical decisions. Make risk culture the corporate DNA.