Corporate Culture and Risk Management

According to an April New York Times article, Uber’s core company values included making bold bets, being “obsessed” with the customer, and to “always be hustling.” The company emphasized meritocracy, setting employees up as rivals and overlooking transgressions of its high performers. At its worst, Uber maintained an “unrestrained culture” that has since resulted in several allegations of harassment. A published blog post by engineer Susan Fowler indicated that “the culture was stoked—and even fostered—by those at the top of the company.”

Adoption of a strong risk culture
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” – a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to. —@RiskCultureBuilder on Twitter

The “tone at the top” describes the climate and overall philosophy set by the board of directors and executive team to drive the culture and behaviors of all employees. In companies ranging from Uber to small businesses, this tone permeates the enterprise in a number of ways, including executive communications and onboarding and learning programs, as well as the policies and procedures designed to empower and/or control employee decision-making. The right tone stresses a high standard of ethics and a culture of compliance, but should be balanced with a message that empowers managers to take risks—appropriately—in the pursuit of short- and long-term rewards for the business.

Translating the tone into a strong risk culture requires reinforcing to employees how their decisions and actions affect the broader mission of the company. Then, through change management and strong accountability, culture and risk management can be aligned to keep everyone “rowing in the same direction.”

Drivers of risk culture
Many companies today have defined a “culture statement,” put it down on paper, and socialized it to employees. This is only the first step in driving employees to make the right risk management decisions, however. Consider a few of the levers that companies can pull to drive behaviors towards a stronger risk culture:

  • Performance management and compensation – Are corporate and employee goals tied to desired risk management outcomes?
  • Corporate governance – From the board of directors down, are enough questions being asked? Is there too much reliance on historical data?
  • Management reporting – Is attention to certain metrics—often short-term in nature—driving decisions that could cannibalize long-term outcomes?
  • Investor relations – Are reasonable expectations being set with a company’s shareholders when it comes to risk versus reward?

While company leaders can help drive the desired corporate culture, this alone will not guarantee good risk management decisions every day. All employees must be taught risk management techniques, and relevant risk management skills should be built into the company’s overarching competency model. A risk culture that positions employees as an integral part of risk management will drive more successful and predictable business outcomes.

During his keynote presentation at the 2016 TMG Executive Summit, cybersecurity expert Brian Krebs reinforced this point when referring to the risk culture needed to deal with cyber risk: “…layers of technology are not enough to stop a data breach…security is only as effective as the people managing it.” Although achieving a strong risk culture is no small undertaking, the benefits will be significant as more and more risks are mitigated before impact.

RIMS Risk Maturity Model: Performance Management

In the study measuring effects of enterprise risk management (ERM) maturity—as defined by the RIMS Risk Maturity Model (RMM) assessment—no attribute had a more meaningful impact on bottom line corporate value than Performance Management. The correlation is not an accident. While many organizations say they have an effective handle on risk, their ability to execute the policies and procedures they’ve put into place is severely lacking.

The sixth RMM attribute of ERM Maturity, Performance Management, measures the ability of an organization to execute vision and strategy through the effective use of a balanced scorecard.

Balanced Scorecard

The root of the balanced scorecard concept lies in the desire to turn complex but passive strategic plans into marching orders and commitment that can be executed on a daily basis. The methods of accomplishing this result are familiar to risk managers: developing standardized criteria, prioritizing activities, and monitoring results.

To execute the Balanced Scorecard concept, corporations typically have a whole host of measures for monitoring control activity effectiveness, but what is consistently lacking is a means to measure the effectiveness of how the control activity is addressing performance goals. Risk bridges this gap.

The Role of Risk

Every business faces the challenge of cutting costs and making changes. After all, all activities are critically important to someone. So how do you assure that the greater good of the organization gets prioritized?

Linking risk to performance for a risk-adjusted decision addresses this challenge.

Examples of performance management in the absence of a risk-based Balanced Scorecard are widespread. BP knew back in 2002 that a lack of pipeline maintenance could result in “catastrophe,” but management instead prioritized the short-term operational budget in the interests of cutting maintenance costs. More recently, the U.S. government has dealt with criminal investigations into the Veterans Health Administration’s inability to deliver care to U.S. veterans, due to “significant and chronic system failures.” In the case of the VA scandal, monitoring metrics were improperly controlled and focused on the wrong measures of success. The result was falsified reports created in the interest of demonstrating compliance with policy, rather than execution of strategy.

A Seat at the Table

Involving risk in strategic decision making is the essence of performance management. In every failure we’ve documented, the risks were known, but rarely given a seat at the table. Organizations with mature enterprise risk management (ERM) programs have empowered their risk managers to take action and use ERM tools to support and provide transparency to the organization’s strategic plan.

To learn how Enterprise Risk Management adds transparency and discipline to an organization’s strategic planning and performance management process, watch our webinar, “What is Strategic ERM.”