RISK MANAGEMENT AND ORGANIZATIONAL CULTURE: TOWARDS AN UNDERSTANDING OF MANAGING THE RISK CULTURE

by H.H.J. Heule, s1908324

Supervisor: prof. dr. D.M. Swagerman

Co-assessor: B. van der Kolk, MSc

University of Groningen

Faculty of Economics and Business

MSc. Business Administration - Organizational & Management Control

June 29th, 2014

Abstract

A central topic in addressing the shortcomings of risk management turns out to be the failing organizational culture. This exploratory study sets out to improve understanding of the risk culture by investigating the way in which it was developed, through interviews with several internal and external risk management experts. Using interpretation and subjective judgment, several factors in developing and influencing the organizational risk culture have been identified and discussed. These further facilitate potential improvements in risk management practices and enable opportunities for future research. Important factors include the right tone at the top with motivation and support, clear objectives and a clear risk attitude, setting the risk management structure, promoting risk awareness, showing value addition, confrontation and asking questions, communication and storytelling. Lastly, the limitations of this study are discussed.

Content

Introduction
    Research question
    Purpose and relevance
    Structure
1. Theory
    1.1 Risk
    1.2 Positioning towards risk
    1.3 Risk management
    1.4 Organizational culture
    1.5 Risk culture
    1.6 Organizational change
    1.7 Management control
    1.8 Concluding theory
2. Methodology
    2.1 Philosophy
    2.2 Data collection
    2.3 Respondents
    2.4 Analysis
3. Results
    3.1 Industries
    3.2 Changing times
    3.3 Duality of risk
    3.4 Tone at the top
    3.5 Value addition
    3.6 Asking questions & confrontation
    3.8 Concluding results
4. Discussion
    4.1 The tone at the top
    4.2 Clear objectives and risk attitude
    4.3 Setting structure
    4.4 Promoting risk awareness
    4.5 Showing value addition
    4.6 Confront & ask questions
    4.7 Communicate
    4.8 Tell stories
5. Conclusion
6. Limitations & future research
Final words
References
Appendix

“Culture eats strategy for breakfast.”

Introduction

The discussion of risk management has developed greatly over the past decade, vividly amplified as a result of the financial crisis (2007-2008). The Institute of International Finance (IIF, 2009) delved into the shortcomings in business practices that were responsible for these global turbulences. In particular, a leading factor turned out to be the lack of a comprehensive approach to firm-wide risk management. The importance of risk and its application has been a known and mature management issue for some firms, but regulatory developments have made disclosure of risk management a requirement (e.g. Sarbanes-Oxley Act, Securities and Exchange Commission). National and international regulators are also focusing more attention on the ability of firms to demonstrate that they have an effective risk management culture (Davidson, Mackenzie Wilkinson and Asselin-Miller, 2012). Furthermore, Power, Ashby and Palermo (2013) stated that it is widely agreed that failures of culture, which permitted excessive and uncontrolled risk-taking and a loss of focus on end clients, were at the heart of the financial crisis.

Frameworks, processes and standards for risk management, although essential, are not enough to assure that firms reliably manage their risks and meet their strategic objectives (IRM, 2012). The NBA (Nederlandse Beroepsvereniging van Accountants, 2013) even claims that large Dutch organizations focus too much on managing risk through formal controls, and strongly advises motivating and stimulating employees by focusing on culture and behavior. Formal methods for managing risks are not in themselves enough to make a reliable difference to the performance of organizations. Furthermore, the IRM (2012b) described why risk culture is important and stated: “Rules can accidentally or deliberately be misunderstood and misapplied. The ‘missing link’ in understanding how to balance risk and reward successfully in decision-making is the organization’s risk culture.” (p. 8).

The ISO 31000 risk management standard also refers several times to the need for managing risk to be integrated into the organization’s culture (ISO, 2009). Some organizations have found that crises can continue to emerge when they neglect to manage the frontline attitudes and behaviors that are their first line of defense against risk. Risk culture significantly affects the capability to take strategic risk decisions and deliver on performance promises (IRM, 2012). Namely, financial service firms with a strong risk culture had relatively stronger performance during the most recent financial crisis, according to a report by Oliver Wyman and the RMA Journal (2010). The need to understand, measure and enhance this risk culture of organizations is increasing (Davidson, Mackenzie Wilkinson and Asselin-Miller, 2012). This awareness also occurs within firms: a recent study revealed that more than half of senior risk executives believe their organizations need to do more to instill a strong risk culture, through a sustained effort over a long period of time (in 74 firms across 36 countries; Ernst and Young, 2013).

Research question

Formal controls are a basis for risk management but need appropriate culture and behavior to succeed. In the end, it is about reaching support and understanding of risk in all levels of the organization leading to controlled risk taking, making risk management of strategic value to the organization (COSO, 2009). Thus, there is a need for managers to become aware and to understand cultural aspects in managing risk, to eventually guide and align risk management and behavior in an appropriate fashion. This study sets out to discover and analyze in which way the risk culture was developed throughout various organizations, and how actions were taken by management to influence the risk culture. The unit of analysis in this study is on the individual level, namely the risk manager or consultant with long-term experience and insights on the development of risk management. Based on interviews with these risk management experts, data is gathered on how risk culture is developed and actively influenced. By using this data and collected theory, this study displays an analysis of risk culture specifying factors influencing its development. The following research question is set:

In which way have organizations developed their risk culture?

Given the problem that is stated, an exploratory approach is set, which is discussed further in the section of methodology. A focus is placed on how management influenced their risk culture.

Purpose and relevance

Structure

1. Theory

Aven (2013) mentions a struggle with terminology in the risk management area, as there are a number of diverging ideas and taxonomies of risk and related concepts around. The difficulty of managing risk may be fueled by ambiguities in definitions and an incorrect grasp of risk and risk management. So firstly, to effectively discuss risk management and related concepts, an attempt is made to provide clear and understandable descriptions through existing literature.

1.1 Risk

Risk can be seen as the uncertainty about and severity of the consequences of an activity (Aven, 2013). ISO (2009) describes risk as the effect of uncertainty on objectives, where an effect is a deviation from a positive and/or negative expectation. According to ISO, risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. Similarly, COSO (2004) defines risk as the possibility that an event will occur affecting the achievement of objectives; described by likelihood and impact. These descriptions are short and clear, but their universality reduces the ease of comprehending the concept. Rather, Hubbard (2007) uses an apt illustration: “Where uncertainty is the lack of total certainty, e.g. regarding tomorrow’s weather, a risk is a state of uncertainty with respect to possible threat or opportunity, e.g. a possible project delay because of tomorrow’s weather.” (p. 39). Moreover, it is quite common to think of risk from a negative perspective and to define it by reference to negative consequences only. Therefore, most management of risk is focused on the prevention and mitigation of harm (Knight, 1921; Hubbard, 2007). Risk may involve a threat; however, it is no less important to be aware of the opportunity it may also comprise.

Risks can be direct or indirect, systematic or unsystematic, inherent or incidental, internal or external, short-term or long-term and have a high or low impact. Classification of risk types is important not only for directing the priorities and attention of risk managers, but also for helping to build models of cause and effect, and designing risk measurement and management systems (Drew and Kendrick, 2007). Risk classification depends on context, industry and chosen strategy. Certain risks can be quantified using statistics and well-documented metrics, whereas qualitative risks are often more complicated and difficult to measure.

Risk is often presented in terms of probability and impact, varying from high to low. Taleb (2007) describes a low probability, high impact risk as a ‘black swan’, a rare occurrence with extreme consequences, of which the development may be identified retrospectively. Lastly, Diebold, Doherty and Herring (2010) categorize risk in three types: those known, unknown and unknowable. These different framings illustrate diverse perspectives which could be helpful in classifying risk.

From an organizational viewpoint it may be relevant to link risk to decision making. Sitkin and Pablo (1992) discuss decision making and risk, stating that decisions are riskier to the extent that (a) their expected outcomes are more uncertain, (b) decision goals are more difficult to achieve, or (c) the potential outcome set includes some extreme consequences. Relating option (c) to the financial crisis, it is reasonable to assume that few people have considered this extreme consequence of their collective decision-making. Options are essential in decision-making and risk. It is the awareness of a risk that accentuates decision making and the option to accept, treat, hand over or reject.

1.2 Positioning towards risk

Existing literature explicates various concepts to word the position towards risk that is held by organizations, on individual-, group- and companywide level. Risk appetite, risk acceptability, risk tolerability and risk attitude are frequently used phrasings each with its own sway and feel.

with physical appetites such as for food or drink but it doesn’t work. We have appetites for things we like or even need, whereas risk is generally seen as a bad thing by definition, though often a necessary evil. Furthermore, the word “appetite” suggests something personal and instinctive rather than a part of good, thoughtful, rational management of an organization in the interests of its stakeholders.” (p. 1). Leitch (2010) further states that using a clearer, more self-explanatory term makes it easier to understand risk. Although a thoughtful, rational management of risks is indeed something to strive towards, a personal and instinctive aspect should not necessarily be discarded. On the contrary, groups and individuals could indeed hold a very personal and instinctive position towards risk. The term appetite however does incline to a positive, perhaps provocative perception, and a neutral phrase is arguably more suitable to reflect no such bias. Both ‘risk acceptability’ and ‘risk tolerability’ however portray an aversion towards risk. This is quite logical as most people have a tendency to risk aversion, since risk interferes with certainty and comfort and is mostly associated with negative consequences. As discussed, risk also comprises an opportunity aspect to be taken into account. From here, there is reason to avoid mentioned terms and use the phrase ‘risk attitude’ as the most adequate, neutral position towards risk. An attitude is known as the way you view or tend to behave towards something, often seen as a state of mind. Maio and Haddock (2009) explored the ‘attitude’ concept and described how an evaluative judgment plays a role, next to a certain direction and strength of the attitude. When an attitude is formed, an evaluation takes place, an issue is favored or disfavored (the direction) towards a certain extent (strength). Perceiving risk for example, can invoke a liking or disliking, possibly resulting in risk-seeking or risk-avoiding behavior.

1.3 Risk management

To put it simply, the objective of risk management is to maximize the potential of success and minimize the probability of future losses (Ranong, 2009). It is a continuous process, with procedures that support improved decision making by contributing a greater insight into risks and their potential impact. Managing risk effectively can help organizations perform in uncertain surroundings (Shimizu, Park and Choi, 2014). It may aid in finding a balance between risk taking and risk mitigation. As such, mapping out chances and opportunities is seen as an important aspect. Interestingly, Mehta (2010) describes how risk management can be seen as a matter of common sense, as doing your job well, structured in a formal way. Essentially, business management is about considering and taking risk to accomplish certain goals. Along these lines, managing risk is the essence of business and is as old as business itself. It is no brain surgery or rocket science; rather, risk management may be seen as a different but rich perspective on doing business.

A thorough approach to corporate risk management is known as Enterprise Risk Management (ERM). Rather than managing risks individually, ERM aims to view all risks “together within a coordinated and strategic framework” (Nocco and Stulz, 2006; p. 1). One might find risk maps based on risk identification and assessment processes, stress tests based on data collection and statistical analysis, and scenario analyses based on scenario prognosis and planning (Mikes, 2009). ERM is put in place to make risks more visible to all stakeholders, before impact, to accentuate and enable evaluation and challenging of decision-making (Mehta, 2010). It improves risk management by promoting awareness of sources of risk, and by aligning strategic and operational decision making across the entity with the company’s risk attitude. It is considered that there is no single approach to ERM that can be considered the ‘holy grail’ for all companies in all sectors. By carefully tailoring the approach to a company’s individual characteristics however, it can become an extremely powerful tool to reach strategic objectives (Heiligtag, Schlosser and Stegemann, 2014).

This critique matches the prior discussion on a biased positioning towards risk. Moreover, ignoring external uncertainties and social implications seems like a serious issue. The least you would expect, then, is a feasible standard to work with. Nonetheless, Ballou and Heitger (2005) stated the opposite: “One concern regarding the COSO ERM framework is that its overreaching nature can appear overwhelming for some organizations, particularly those that are small in size or have not previously established an ERM culture” (p. 1). Similarly, Kurniawanti (2010) argued that the key element of organizational culture in implementing ERM is not sufficiently addressed by COSO’s suggested steps. It seems strange that such a widely used framework may be flawed in these crucial aspects.

Organizations should be focused on the way in which risk is presented for decision making, and how judgment and logic are shaped. For example, prospect theory suggests that depending on the context of a previous loss or win, either risk-seeking or risk-averse behavior may result from the same decision option. Alternative framings of the same risky decision elements can lead to different risk taking behaviors (Kahneman and Tversky, 1979).

Several researchers have also demonstrated biases that lead people to significantly underestimate the spectrum of available consequences from risk, and despite an awareness of risk, individuals tend to underestimate the unfavorable outcomes (Hammond, Keeney, and Raiffa 2006; Kahneman, Lovallo, and Sibony 2011). Juliusson, Karlsson and Garling (2005) described how people make decisions based on an irrational escalation of commitment, that is, individuals invest larger amounts of time, money, and effort into a decision to which they feel committed. Similarly, ‘groupthink’ for example hinders critical evaluation and reasoning of risks within groups. These mentioned cognitive biases are thinking patterns based on observations and generalizations that may lead to memory errors, inaccurate judgments, and faulty logic (Evans, Barston and Pollard, 1983; West, Toplak and Stanovich, 2008). They explain why so many organizations overlook or misread ambiguous threats and fail to foresee how bad things can happen to their good strategies (Mikes and Kaplan, 2014). This illustrates an irrational aspect affecting behavior, which points out the need in risk management for appropriate understanding of these irregularities. In response, using the right controls will be essential to counter biases and promote the desired risk attitude and decision making, to be carried out by every organizational level and member.

primary concern in each of these frameworks (Kimbrough and Componation, 2009). It is surprising however, how little attention is paid to ways of addressing this culture.

1.4 Organizational culture

Organizations can be seen as “socially constructed realities” whose rules, procedures and structure provide a frame of reference for seeing and interpreting the world (Morgan, 1997). An organization then can have its own norms, standards and expectations that influence employee behavior.

Culture relates to informal aspects being influenced by the official elements such as rules and procedures. Schein (2004) describes organizational culture as “The deeper level of basic assumptions and beliefs that are shared by members of an organization, that operate unconsciously, and that define in a basic ‘taken for granted’ fashion an organization’s view of itself and its environment.” These taken for granted assumptions can be related to risk, regarding how people assume uncertainty, likelihood and impact of decisions. Moreover, the unconscious aspect seems interesting to note, as people may very well not be aware of risk and its implications. Cameron (2004) further mentions that culture is unexposed most of the time because it is not challenged or consciously expressed.

What is valued by the organization may simply not be perfectly aligned with what is valued by the individual. Practically, people hold certain ideas and value-preferences, where norms and beliefs become shared traditions to be communicated within groups (Bush, 2003). Whereas an entire organization can be seen as a group, various groups also exist within the organization. Morgan (1997) suggests that “there may be different and competing value systems that create a mosaic of organizational realities rather than a uniform corporate culture” (p. 137). Different realities in one organization may exist in harmony, but from a risk perspective it may be necessary to stimulate the attitude and value towards risk that is set at the top. Different values and beliefs may result in different ways of perceiving risk, which will influence the related attitude. A failing cultivation of risk can result in different understandings between organizational members, which may prevent the necessary culture of risk awareness (Kurniawanti, 2010).

1.5 Risk culture

Deloitte (2012) describes embedding risk management in the organizational culture, and encourages seeing risk management not as an isolated project, but rather, as an element of the way of doing business. Notably interesting for this study is how the way of doing business, this deeper level of basic assumptions, relates to perception of and dealing with risk. Deloitte (2012) further describes risk culture as comprising the general awareness, attitudes, and behaviors of employees towards risk and how risk is managed. It is the organizational climate in which daily decisions are made, and even small and seemingly harmless decisions can be critical (Krivkovich and Levy, 2013). Risk culture determines the ability for individuals and groups to identify and understand, openly discuss and act on the organization’s current and future risks (IIF, 2009).

The risk culture can be a hindrance and a benefit for risk management (IRM, 2012b). Deloitte (2012) further accentuates that a firm’s risk culture can be a liability to some, while it shapes a competitive advantage for others. Relating back to organizational culture in general, it is clear that the taken for granted assumptions in light of risk shape a fundamental item to understand and improve risk management. Bringing these assumptions to a consciousness, to articulate them, could be a constructive first step. Furthermore, Ashby, Palermo and Power (2012) discuss risk culture as a fascinating but challenging topic, and state that “…it is [the] problem of visibility, of making risk culture visible, that is at the heart of current regulatory and organizational focus.” (p. 7)

The IIF (2012) described how a risk culture can be communicated through training, collaboration and prioritizing risk throughout the daily operations. The IIF further states however that challenges remain in implementing recommendations on a practical level to build a strong risk culture. Two years later, Heiligtag, Schlosser and Stegemann (2014) found that many companies still struggle to build and continuously improve their risk culture.

1.6 Organizational change

To improve an organization’s functioning and its risk management, the state of being will most likely need to be transferred to a different state, implying an organizational change. Whereas culture is the main item of discussion in this study, Cameron and Quinn (1999) stated how organizational improvement and culture are related: “A dependence of organizational improvement on culture change is due to the fact that when the values, orientations, definitions, and goals stay constant – even when procedures and strategies are altered – organizations return quickly to the status quo. Without an alteration of the fundamental goals, values, and expectations of organizations or individuals, change remains superficial and of short duration.” (p. 8) Thus, addressing the risk culture could be a great opportunity to improve risk management practices.

Cameron (2004) further discusses that strong cultures may be able to blind people to realities and possibilities, potentially inhibiting organizational change. He further stated that most people are not aware of their culture until it is challenged, until a different culture is experienced, or until culture is made visible and explicit (Cameron, 2004).

Lastly, Pfister (2009) describes how individuals bring in certain values which will interact with organizational values. If they overlap, willingness to follow the organizational objectives will be high. If personal and organizational values conflict, then the individual will make a choice. The stronger the organizational values, the less likely the individual will pursue the individual values. From here, there are several reasonable options from an organizational perspective, for example to align individual and organizational values, or to reinforce the latter.

1.7 Management control

Pfister (2009) describes how corrupt cultures may be the result of control failures and a lack of understanding the organizational culture. He further mentioned that a culture needs to be influenced to enable effective controls. Moreover, Kurniawanti (2010) investigated ERM implementation and concluded that a firm would do better to devote its internal control related efforts to first establishing an appropriate organizational culture before implementing ERM.

Malmi and Brown (2008) developed a control framework and placed ‘cultural controls’ as an encompassing factor, providing a context for underlying controls. Cultural controls can be situated within the frame of ‘soft controls’, defined by Roth (1998) as “People’s integrity and ethical values; organizational commitment to competence; management’s philosophy and operating style; management’s understanding and management of risk; and communication.” (p. 45).

Soft controls are aimed at influencing intrinsic, intangible items such as personality and beliefs. More specifically, certain behavioral competencies known as ‘soft skills’ may be trained or deployed in order to affect mentioned items. Soft skills include providing clear communication and meaningful feedback, resolving and/or managing conflicts, understanding human behavior in group settings, and facilitating the sharing of information and knowledge (Jain and Syed Anjuman, 2013). These skills seem essential in shaping an appropriate culture for risk management.

1.8 Concluding theory

Risk management, arguably as old as business is, can greatly contribute to improving performance in organizations (Gates, Nicolas and Walker, 2012; Segal, 2011; Baxter, Bedard, Hoitash and Yezegel, 2013). ERM in particular offers a holistic approach to manage risks company-wide. However, consideration is needed for the various costs, effort, and challenges that are related to the implementation of ERM (Harner, 2013). It is clear that many existing frameworks and implementations of risk management are flawed, which will arguably hinder effective improvement of importance and encourage further costs, effort and challenges. The literature review pointed out how cultural and social aspects in organizations are of great relevance, but little of these items are currently addressed by risk management. Particularly characteristic of organizational culture seems the unconscious state of taken for granted assumptions.

for granted assumptions related to weighing options; judging and decision-making are challenged in the context of risk. Essentially, employees need to achieve the attitude towards risk that is appropriate for their firm, to instill the right risk taking behavior. One of the issues at hand is how to influence the way in which people judge and assess a situation, concerning their awareness, attitude and behavior towards risk. Central to risk management is how the risk attitude is set and further communicated throughout the organization. Specifically, the risk culture encompasses the attitude, awareness, behavior and decision-making related to risk. Goto (2007) further described that it is common practice to assume objectivity in risk, even though, between people, a different understanding of risk may exist. He further stated that failures in risk management often relate to incorrect risk-taking decision making, and stressed the need to acknowledge the subjective aspect of risk.

2. Methodology

“There is no such thing as a totally objective and value free investigation.” (Hopper and Powell, 1985; p. 429)

As such, potential sources of subjectivity will be discussed. One of the benefits of identifying subjectivity is to reflect on how it influences an objective comprehension of the matter at hand. The exploratory nature of this study, using interviews, leads to impressions, indications of the exposed problem. No objective truth is pursued, but rather, an exploration sets out a trend and introduces possibilities for future research. This section will portray the method of research in line with the nature of this study, by discussing the collection of data and the use of theory and logic.

2.1 Philosophy

The manner in which the investigator views the world affects the entire research process, from conceptualizing a problem, to collecting and analyzing data, to interpreting the findings and addressing meaning (Merriam, 1988). Two main philosophical bases or paradigms used in business research are the positivist approach and the interpretivist approach. Positivist research stems from natural sciences and quantitative data, seeing the world constructed through discrete, observable events to be viewed by an independent researcher. On the contrary, interpretative research stresses the subjective nature of the social world and attempts to understand it mostly from the frame of reference of those being studied, through qualitative data in contextually specific situations (Burrel and Morgan, 1979). This latter perspective will be used in this research as it is appropriate for uncovering underlying motivations, feelings, values, attitudes and perceptions. With an emphasis on open-mindedness and curiosity, qualitative research provides the platform to interpret and construct meanings from data, phenomena and especially human behavior. This approach aims for greater depth but adversely allows less precision (Sprey, 1995). This corresponds with the rather ungraspable nature of both risk management and risk culture. These concepts ask for a research method which provides a “thick description” of the phenomena in practice, with a qualitative and exploratory nature.

Culture and behavior emerge far and wide as a crucial factor in failing risk management. It is introduced that the risk culture of firms may form a key element in understanding where to improve risk management and to guide appropriate behavior. However, little research exists on this risk management culture. In response, this study aims to explore the ground of shaping culture in risk management, aiming to answer the question: In which way have organizations developed their risk culture?

The purpose of this study is to improve understanding of the way organizational culture is developed in the context of risk management. The focus is on exploration of the field, not to pursue objective, quantifiable truths or generally applicable findings. This study is set up to explore the way in which organizations have developed their risk culture. In order to portray the right feeling, an appropriate method is necessary to reflect exploration and open-mindedness. As such, the qualitative method of interviewing suits this need well, to delve into the mind of risk experts and uncover points of interest. It is the use of interviews that allows further questioning, allows the interviewee to explain their point of view and reasoning behind facts, enabling the possibility to question new emerging items. Conclusions are drawn with caution, and any results will not be simply generalizable. Concepts are identified and related, and impressions are explained and illustrated to provide new insights into the development of a risk culture.

It is the presentation of acquired impressions that shapes the basis to convince the reader of what is important in the topic of developing a risk culture. This study sets out the impressions that are gathered through interpretation, presenting a feel of the conversations that were held. The focus lies on interpretation, achieving a qualitative judgment based on interviews. Providing indications, a trend is displayed and these findings will form stimuli for new research. Furthermore, it is noted that the exploratory nature of this study has come at the expense of a sharp and demarcated focus.

2.2 Data collection

views, experiences, opinions and perceptions he or she finds relevant. Interviewing provides a free form, enabling the exploring nature of this study. The personal face-to-face setting is optimal to invoke a story, rather than a reciting of an annual report. Furthermore, ‘probing’, a way of asking follow-up questions, enables clarification and additional information on given answers, and may help explore sensitive issues (Hutchinson and Skodol-Wilson, 1992).

The aim has been to initiate a conversation with an unobtrusive approach, to encourage the risk expert to talk freely and spontaneously. A frame of sixteen open-ended questions shaped a semi-structured guideline, enabling the interviewee to further steer the conversation. The sixteen questions held four different perspectives: risk appetite/attitude, risk strategy, risk culture and reputation risk. These four perspectives relate to four different students, each conducting their own research for their master’s thesis in Business Administration. Interviews were held in pairs of two, allowing complementary questioning and note taking where needed. The interview guideline represented four questions for this study, stated as follows:

- How has the risk culture taken shape?

- How is this culture actively influenced?

- How has this culture been related to the risk attitude?

- How have day-to-day activities been influenced regarding the risk culture?

After assuring the respondent of anonymity, permission was asked for recording. These audio-recordings enabled more thorough analysis as the conversations could be listened to repeatedly. Four out of 21 interviewees, namely (3), (9), (12) and (21), preferred no recording. Instead, extensive notes were taken by both interviewers. Interviews lasted between 54 and 110 minutes, were conducted in Dutch and translated to English afterwards. Aside from personal preferences for anonymity, the subject of risk management can be a delicate one and specific firm information has been handled with care. Studied firms were kept anonymous in their entirety. This has been essential to have the interviewees speak freely and comfortably. As mentioned, notes were taken and used later in combination with audio-recordings. Lastly, annual reports were used as a secondary source of data, providing background information on the firm’s activities. Notable to mention here is that these reports were likely read by the interviewees, and thus are not entirely independent sources.

methods for data collection are mentioned: interviews, notes and annual reports. Also, multiple researchers have collected the data, a total of 4, who conducted the interviews in pairs of two. Furthermore, two potential threats to a valid and accurate data collection are data collector characteristics and data collector bias, referring to an unconscious distortion of data during the collection process. Gredler (2000) provided an approach to counter these threats for interview-based studies, which is followed in this study. A certain standardization of the interview procedure has taken place. The researchers (1) have asked the questions to all participants in the same manner, (2) put the interviewees at ease by asking a general, easy-to-answer question first, (3) conducted all interviews in a location in which the individual feels comfortable, and (4) ensured the interviewee that their particular answers cannot be identified with them.

2.3 Respondents

Interviews were held with many risk experts from various firms. A focus was placed on large (international) organizations rooted in the Netherlands, where the entire research process has taken place. Eighteen enterprises were investigated with a turnover of 0.5 – 100+ billion euros. Reasonably, rich insights will be more available in an organization with history, substantial personnel and experience. This type of firm would likely have a greater need for a risk management system, thus more likely to share insights.

Aside from commercial organizations where an internal risk management view was investigated, risk consultants were asked for their experience and perspectives, offering a detailed external viewpoint as well. Using this approach, a diversity of perspectives has been collected from various organizational functions. A range of different kinds of organizations have been found to cooperate with this study, varying from insurance, banking, accounting to production of raw materials like oil and gas. In light of the fact that the differences between organizations were not a main point of attention, not much attention will be given to the different roots, but rather, a general distinction will be made between the financial and operational industry, and the external consultancy or advisory interviews. An outline of the specific types of organizations and interviewee functions is displayed in the appendix, table 1.


2.4 Analysis

Patterns, commonalities and contrasting information are compared and weighed to instill logical reasoning from data and theory. Data is conceptually analyzed by means of interpretation and comparison. Recurring patterns and important issues between interviews are thoroughly identified and analyzed in audio analysis. Statements made by the interviewees are weighed by their frequency and magnitude, where frequency relates to how often and how many interviewees discussed a certain theme, whereas magnitude relates to emphasis and importance as addressed by the interviewee.


3. Results

What follows is a section portraying the main findings from interviewing, which will form the base of empirical data. A brief description will provide information on the two types of industries in which the respondents are active. When the interviews were being conducted, four topics were discussed relating to four different studies on risk management. Throughout the conversations, the risk experts have made various remarks concerning risk management in general, from which a relevant selection will be presented afterwards. They include changing times and the duality of risk. Afterwards, the research question will be targeted by displaying a collection of rich and relevant quotes, which, as discussed, are key illustrations of the qualitative data. These are sorted in various themes that have emerged throughout the analysis of data.

3.1 Industries

The organizations are grounded in separate industries. These contextual differences will help illustrate the variety of risk management approaches that have been investigated. As the term risk is applicable in many facets, many different types of risk exist, each with its own implications and gravity. Different industries face different risks, clearly influencing the organization’s culture and daily operations. These industries have a different basis of existence, know different stakeholders and are faced with different concerns. This creates a contrast in the ‘playing field’, where power and purpose are founded in different manners.

3.1.1 Financial services


3.1.2 Operational services

These comprise firms characterized by taking on projects in general, and have a great emphasis on health and safety risks as they are exposed to practical ground-level dangers. Industry accidents involve injuries and casualties through failing productions and natural forces. Taking on a project may encompass the largest risk in itself, from which operational risks need to be mitigated. For instance, firms are involved in manufacturing, energy or mechanical engineering. Many seem to experience a ‘safety culture’, as business is directly related to risky operations.

3.1.3 Consulting

In contrast, two interviewees were not managing risks internally, but provided consultancy and/or advice to various firms. They elaborated on common practices and explained frequent approaches to risk management.

3.2 Changing times

Nearly all risk experts have mentioned the complex and changing world in which businesses need to remain standing. They stated various factors that illustrate just a portion of the complicated environment that has changed so rapidly over the last decade. For example, from a booming economy with high demand, numerous industries are battling for orders and contracts. Competition has increased and expectations are increasing still, while tolerance has diminished to new lows. Some experts mention that the world has become less predictable, and more outspoken. Firms are continuously placed under a magnifying glass, under strict monitoring, legislation and regulation. Firms need to be socially responsible and aim for sustainability. Information is travelling fast and technology is offering both opportunities and threats. New risks are evolving in a complicated environment, digitally dependent and prone to ‘cyber attacks’. This world is characterized by less stability and more financial insecurities, in which risk management has received an increasing amount of attention. An external risk consultant (6) stated the following: “Risk management is catching on. More and more examples emerge from leading


3.3 Duality of risk

As discussed before, the notion of risk may evoke a negative tone, but it also carries an aspect of opportunity. A certain twofold nature (or duality) of risk has also been identified frequently in the interviews. From the operations industry, a safety, environment & social performance executive (20) said: “We make very sure to discern between opportunities and threats, between desired and undesired risk. For one thing, safety is engrained in our existence and we are continuously aware of exposure to danger. On the other hand, we don’t want everyone to become entirely risk-averse. New things need to be explored and invented, requiring a very open and risk-seeking attitude. … It quite depends on your department and function what your personal risks are.”

Similarly, the following chief risk officer (11) of the financial industry describes the opportunity side of risk: “Despite an increase of regulation and overall cautiousness, you need people looking for new ways to improve your business. Innovation and creativity stay very important, for both your business and society at large.”

3.4 Tone at the top

What emerged as a central theme in almost every interview was the need for support from higher management, the board of directors. This is often referred to as ‘tone at the top’. A risk manager (10) from the financial industry explained: “Truly essential [for risk management] is the board’s willingness, their desire and wanting to put risk management on the map. … Tone at the top, that’s what people will follow.” Another risk manager (12), from the operations industry, named it a crucial and decisive factor: “Our board of directors has been the decisive factor in thoroughly changing the way risk is managed, the way people care about risk on lower levels. Tone at the top has been crucial.” And an external risk management advisor (17) recommended having someone motivated and influential to carry out a risk culture: “The most important part for the right risk culture is to have someone in top management taking a stand, someone who thinks it is important, willing to carry it out.” Lastly, the following chief risk


3.4.1 Objective-based

Having clear objectives and a positioning towards risk were pointed out as a necessary base. An external risk management advisor (17) pointed out: “Objectives shape the fundamental part of what you are striving towards. If these are too vague, everything that results from your objectives will be vague too. You need sharp and clear cut objectives allowing precise risks to be identified.”

A safety, environment & social performance executive (20) in the operations industry described ‘shifting’ between goal and process, derived from a divisional objective: “For every division we set up an objective. We then extensively investigate what may influence this objective, either positive or negative. We try to teach a discipline, where people constantly shift between current process and the envisioned goal.” To make risk clear, objectives need to be clear. Furthermore, a certain position towards risk, attitude, or appetite has been discussed. It is found that some firms did not have a clear position set. Also, an external risk consultant (6) talked about risk culture and risk management in general, and pointed this out to be a prevailing item: “A common pitfall is the lack of a clear risk appetite, a starting point. Another frequent pitfall is thinking you’re ready when you’ve established a risk assessment. But it’s only the first step, to further build on and to aid decision-making, tradeoffs and considerations.”

3.4.2 Awareness

The theme of creating awareness clearly emerged throughout every interview that was conducted. It has been pointed out as an elemental part of the risk culture. Many methods were mentioned on how to stimulate this awareness of risk, in combination with other aspects of a risk culture. These will be discussed further on. Simply knowing, or being concerned about risks, was seen as a fundamental item. A risk manager (10) of the financial industry said: “Your primary role as a risk manager is to create awareness of decision making, to accentuate possible outcomes, linking risk to a specific decision.”

A Health, safety & environment manager (1) from the operations industry further pointed out: “To create risk awareness throughout your organization, you need information from past experiences to clearly illustrate the gravity of risks and safety, and to provide rational proof for the right actions.”

The following risk manager (12) from operations was one of many to talk about storytelling as a way of exchanging information, to create awareness: “Awareness was created by storytelling, using bad or failed projects as illustrating items.”

3.4.3 Risk management structure

The interviews revealed how firms developed their structure, often regarding integration or decentralization of risk management. This impacted the way people were involved in dealing with risks, how they were held responsible.

A financial industry risk manager (10) spoke of integrating risk management throughout the usual way of doing business: “Business controllers, compliance & risk officers are all involved in the same meetings. We apply risk management throughout the control cycle, not as an isolated component, but integrated in the usual way of doing business.” Further on, it was said that some people needed assistance in managing risk: “On lower levels, it was clear that not every manager had the same feel for risk management. In response, we assisted them by placing risk controllers at their side.”

A risk manager (12) from operations described how risk management has changed in their firm, mainly regarding responsibility. Top-down remarks were seen as intrusive, and divisions didn’t like the interference: “People first thought, ‘We are doing well, why change?’ and ‘What have you got to do with it?’. Divisions thought central management was interfering with their business, throwing a spanner in the works. Later on, we decentralized more responsibilities for risk management to division level, stimulating a sense of risk awareness on operational level. We stepped back, letting them handle their stuff.” Correspondingly, an operations industry risk manager (19) describes a change from an isolated


management advisor (17) noted: “You have to respect the judgment of those doing the job. A statement that something’s impossible is probably worth more from operations than from someone in the office.”

Lastly, a safety, environment & social performance executive (20) in the operations industry talked about how they changed the way risk was incorporated in meetings. To stimulate risk management as a part of usual practice, they integrated it: “We used to have regular meetings and standalone ‘risk meetings’, but we’ve now integrated them. We want risk to be a part of the usual items, as an element in everyday mainstream discussions.”

3.4.4 Following the process

Following the procedure, sticking to the rules, tying consequences and using incentives are topics that clearly arose from the interviews. A risk manager (12) from operations describes how risk was actively integrated in daily practices by complying with rules, by making sure the procedure was followed: “It has been difficult to change our culture, to fundamentally integrate risk management. Most people looked at it and saw a nuisance, it was inconvenient to them. In the end, we haven’t changed much about the risk tool itself, but our board changed the governance, tightened it up. Control measures increased, people needed to show more information, and less was tolerated. This time, the processes that were put in place were actually followed. Rules simply needed to be complied with.” Similarly, another risk manager (4) from operations talked about sticking to the procedure: “Risk management requires structure and sticking to procedures. Following the planned steps over and over causes predictability of outcomes and therefore stability.”

The topic of consequences was mentioned frequently, and the following risk manager (19) from operations stated: “Many people don’t feel the consequences for risks they take. Ideally, you want these consequences to be tied to the risk taker. In some cases, incentives help.”

3.4.5 Selecting personnel

Moreover, a risk manager (19) from operations discussed how risk can be a function of the people you hire. Few interviewees raised this explicitly, but it has been noted more often how the acquisition of certain types of people plays a role in the culture and risk management in general. Not just their attitude, but also their capabilities and experience may matter: “You hire people because of their expertise, knowledge and skills. You have to choose the right guys who know what they’re doing. Uncertainty and risk depend on selecting the right experts.”

3.5 Value addition

Various experts talked about employees not perceiving the value of risk management. This may well be linked to not complying with rules and having no concern for risk. Some people don’t see the reason to adopt risk management, of which a risk manager (4) in the operations industry stated: “Rules and structures about risk management are thoroughly set up, but are simply not complied with. People don’t read evaluations, or they question the value of certain procedures as they are just not convinced. They don’t see the use.” He further mentioned a lack of motivation and time as a factor: “These ‘risk team-meetings’ need to happen more often, but little motivation exists for doing so. ‘Too much time is needed’ and they are thought of as a hassle.” This ‘not seeing the use’ was a recurring item and many interviewees recognized it. An operations industry risk manager (19) talked about potential larger impacts from individual actions, and that many don’t see this issue: “Many employees do not comprehend the possible organization-wide consequences of their actions. It is important for them to understand their share in the organization, their personal relevance and the possibility of large impacts from their actions. When small things happen often enough they accumulate to larger proportions. We link these small operational risks to potential high impacts.”

A Health, safety & environment manager (1) from operations mentioned presenting information, hard data, to provide a reason: “I see many people wonder: ‘why focus on road safety so much if we all know how to drive?’ There’s a gap, a missing reason people can’t think of. We need to present them that reason. By showing hard data on the number of road accidents we reach our employees, and convince them of the importance of road safety.”

A finance and control manager (15) from operations described the need to explain why change is necessary and to point out improvements: “It’s important to convince people why they need to change and where they can improve. If you can convince them of the reason, they will be motivated to act accordingly. This is a real challenge, as many people simply don’t see the necessity to deal with these issues.”

To clarify value, storytelling may be of use to illustrate benefits. An external risk consultant (6) stated: “You want small changes in workload, great changes in process. [Risk management] is a means to an end, to improve effectiveness. You want people telling positive stories, illustrating the benefits [of risk management].”

3.6 Asking questions & confrontation

Another theme that surfaced was asking questions, to increase awareness of risks and how to deal with them. Questioning, but also storytelling for example, has been named as a way to confront people with risks. This ‘confrontation’ has been stated to create risk awareness and have people think about how they deal with risk. It helps to increase consciousness, indicating new insights and points of attention. A finance and control manager (15) from operations stated: “We ask our employees ‘What keeps you awake at night?’. This is a very simple method making risk discussable and letting people think about what specifically applies to them. It also enables us to identify and collect risks.”

Interestingly, asking ‘what keeps you awake at night’ has emerged frequently. A financial industry risk manager (10) stated: “Creating awareness, influencing the right risk attitude is quite simple really; you just need to ask the right questions. What keeps you awake at night? How are you going to deal with these items? How do you know you’ve succeeded? What’s going to change?”

Moreover, proof, specification of actions, and relating to safety were examples of ways to confront. A health, safety & environment manager (1) from operations stated: “We confront employees with stories; show them what is important and what could happen. We use examples of things that went wrong; we provide rational proof for the right actions. It’s important to connect unsafety and risk with very specific actions and daily items.”


3.6.1 Tangibility

Furthermore, interviewees pointed out that risk can be very abstract and hard to comprehend. As mentioned earlier, specification of risk, connecting it to direct actions and decisions, may be of use to increase comprehension and influence behavior. In this context, it became clear that tangibility was a possible key element in translating abstract risk to actionable items. The following risk manager (13) from operations stated the importance of tangibility, and mentioned how he often interacted with people not motivated to deal with risk as it was not understood: “Some people just don’t want to see, don’t want to be concerned and are not interested because anything large, complex and unable to hold in your hand is just too difficult.”

A financial industry risk manager (10) described very concisely how tangibility and risk can be related, naming several methods which were often discussed in most interviews: “The ease of comprehending your risk is related to its tangibility. When you are dealing with toxic substances or with financial data, it’s quite different. Tangibility makes risk distinct and discussable. We try to simplify, make it personally relevant and integrate it in daily business. … Our answer is to discuss, explain, and show success stories, using evident, physical and comprehensible examples. Making it tangible is a key element to increase consciousness of risk.”

3.6.2 Scandals, incidents & accidents

Many risk experts spoke of various happenings such as scandals, incidents or accidents. They pointed out some changes these caused, among which many related to the risk culture. They generally caused a sense of confrontation among employees, pointing out possible consequences of their daily activities. This, in turn, influenced the culture. A control director (3) from the financial industry stated a positive influence: “Scandals are good for your risk appetite; people actually become more aware of risks.”

An operations industry risk manager (4) said that their firm used accidents to create awareness, to prevent future recurrences: “By publicly displaying accidents and failures in reports, with visual material, we show potential consequences of daily work activities. It is of little use to be secretive about these accidents, on the contrary, by showing what has happened we hope to prevent recurrence in the future by confronting both clients and employees.” Even more, the following external risk management advisor (17) stated to celebrate failure: “Failing projects are reason to celebrate. They make a lot discussable.”


without experiencing an accident. But when it does happen however, a tragic incident for example, the people involved will carry it around for the rest of their lives. They’re fixated on preventing such a thing, forever. This feeling, a type of discomfort, a ‘chronic unease’, is something we expect especially for leaders to carry out: Constantly asking ‘The situation is alright now, but what could go wrong?’”

On the other end, a risk manager (12) in operations suggested that ‘good times’ may actually hinder a full comprehension of risk: “As long as it goes well you’re not fully getting the picture of what might go wrong.”

3.7 Communication

Communication has been a central topic of the interviews to help share perspectives and concerns. Discussions and meetings, involving different functions, to share perspectives and concerns were frequently pointed out. Diversity in teams and meetings, but also face-to-face contact was seen as essential to increase a mutual understanding of perspectives, concerns and risks. For example, the following operations industry risk manager (4) said: “You need diverse viewpoints for a holistic identification and prioritization of risks, where you might also involve external parties like clients or suppliers. Preventing a tunnel vision is essential. … We put stakeholders from various departments together. Face-to-face meetings help bring about a mutual understanding of each other’s expertise and insights. Moreover, this way you get a better grasp of the complete picture and you know the concerns and implications from different fields (legal, sales, operations etc.).”

Similarly, a finance and control manager (15) from the operations industry names communication as an important item to overcome a lack of awareness: “Communication between departments is very important. People are just not aware of each other’s activities and operations.”

A control director (3) in the financial industry also names reviewing, reporting and diverse teams to promote risk awareness: “Daily operations to promote risk awareness are quality reviews, reporting, and team interactions. It is important to mix teams using different levels of expertise and positions.”

Moreover, the following Health, safety & environment manager (1) from the operations industry mentions face-to-face meetings to align perceptions and dealing with risk: “A simple but effective way

Trainings have been mentioned frequently by numerous interviewees to shape the appropriate attitude, awareness and behavior. More specifically, the following chief risk officer (11) from the financial industry mentioned how they promote discussion and training in ethics: “We influence our culture by providing dilemmas, daily items, asking people what they would do and how they would act. This way we train ethical thinking, using external situations not specifically related to business. By putting together various kinds of people from all over the firm, you fuel discussions as you certainly have contrasting opinions. You make people think about their morals and how they might differ and interact with others.” Lastly, the following external risk management advisor (17) stated, among many, how interacting through discussion was necessary for the right risk culture, with a variety of people, challenging the status quo: “You need discussion, and diversity is very valuable to promote countervailing power.”

3.7.1 Transparency

Interviewees pressed on the need for an open atmosphere, to promote transparency. This seems necessary to recognize risk, to enable quick escalation; but also to accept mistakes and move on. An external risk management advisor (17) mentioned the value of acknowledging a problem and making issues discussable: “Not very often do managers acknowledge that they don’t have the solution for a problem. Many top managers actually typify this kind of behavior as a weakness. This is something I try to address: It is very valuable to acknowledge the fact that you’re having a problem, and to ask for help. It is essential to ‘sound the alarm’ in an early stage, and to make issues discussable.” He further discussed the possibility to make mistakes, and that punishing may harm transparency: “People deal differently with bad or good news. Bad news is simply an unpopular item, and often toned down. When someone points out something bad, you shouldn’t punish him or her. This would only harm the idea of transparency. … You need to be able to make mistakes every now and then.”

A Health, safety & environment manager (1) from the operations industry ties openness to the recognition of risk and a ‘no-blame’ culture: “Promoting openness is essential for the recognition of possible risks. This has to be linked to a ‘no-blame’ culture, people need to feel they’re not forced towards a direction or will be punished.”

Similarly, a financial industry chief risk officer (11) advised to focus on moving forward and to act quickly: “Many risks won’t be stopped, but you can make sure you know how you will act when they

forward. Accept a mistake and just go on. Risk management is about dealing with mistakes. Don’t hide them, but act immediately.”

Correspondingly, the following risk & compliance officer (16) from the financial industry stated: “Compared to earlier practices, we’ve developed a more open and transparent business [After certain scandals, fines]. It’s better to recognize mistakes early on and act quickly, instead of covering things up.”

3.7.2 ‘Sounding the alarm’

In line with transparency, various interviewees stated the need to act quickly, to ‘sound the alarm’ in an early stage. “People must learn to recognize the situation when something is wrong. Then, they need to escalate quickly, notify relevant colleagues,” as stated by a chief risk officer (11) of the financial industry.

An external risk management advisor (17) found that some people wait too long, whereas quick communication is desired: “In many situations, people report only when something inevitably is going to happen. This is contrary to what you need, which is early signaling to be able to prevent.”

Lastly, an external risk consultant (6) also mentions speed and points to a lack of knowing when to escalate: “For many lower level employees, it is unclear when management wants to hear about risk, when things need to escalate. ‘They surely know’ – but no. It’s often too late when top management hears about it.”

3.8 Concluding results

To start with, various themes emerged that were seen as essential factors relating to the development of a risk culture. These outlined topics will be further discussed in the next chapter.


4. Discussion

Risk management has emerged as a rich business perspective throughout the last decade. Formal frameworks and processes have been developed as guiding tools, but structural flaws in risk management remain unaddressed. Mikes and Kaplan (2014) criticize existing research on adoption of ERM-frameworks, as scholars have ignored how these frameworks were implemented by the organization’s leadership and employees. Moreover, they argue that the effectiveness of risk management ultimately depends less on the guiding framework than on the people who set up, coordinate, and contribute to risk management processes: “It is people, not frameworks, that identify, analyze, and act on risk information.” (Mikes and Kaplan, 2014; p. 10).

Using insights from an extensive pool of in-depth interviews and the existing literature on culture in risk management, the aim of this study is to enrich the understanding of how risk culture is shaped. The use of theory will help illustrate possible explanations and will be compared to the results. Various points of interest have been identified in interviews conveying experiences of internal and external risk experts. To start with, firms operate in a range of varying conditions unique to each and every one of them. However, some aspects in developing a risk culture arose repeatedly, from which a set of themes has been identified.


4.1 The tone at the top

Interviewees pointed out a requirement of support, a basic starting point ‘to put risk management on the map’. Many risk experts explained this fundamental ‘tone at the top’ as a key catalyst for risk management. COSO (2004) also mentioned ‘tone at the top’ as the basis for internal control. It is characterized by the willingness of the board to put emphasis on certain values, not just communicating but also applying a set of expectations. They are expected to lead by example in developing values, a philosophy, and an operating style in the pursuit of the entity’s objectives. Additionally, the board usually determines the organizational risk attitude, sets up objectives, goals, and decides on ‘the right behavior’. To begin with, it is essential for this part of the organization to have a motivation for risk management. Statements of ethical values and a strong attitude toward risk management are important but do not independently establish a ‘tone at the top.’ Rather, the organization is likely to respond to decisions or actions that demonstrate actual risk culture rather than declarations about risk culture (IIF, 2009).

One way to clarify the perceived importance of risk management is to dedicate a function to risk management, e.g. a risk officer. Kimbrough and Componation (2009) studied ERM practices and found that firms that had a risk officer were more likely to be satisfied with ERM implementation speed and effectiveness. They concluded by stressing the need for management support and stated that not having a risk officer corresponded with a sense of void regarding senior management support for ERM. Making someone responsible for risk management, putting a person in charge, suits Cameron’s (2004) idea of ownership and addressing a leader for change. He argues that all organizational change requires leadership, champions, and owners. “Culture change does not occur randomly or inadvertently in organizations, and it requires leaders who are consciously and consistently directing the process. … Accountability is maintained best when specific individuals are designated as owners of the initiative.” (p. 20). Accordingly, the board and/or a risk officer need to shape this leadership, and share it with lower level management. Next, the most central issue for leaders will be how to get at the deeper levels of the culture, addressing the process of the assumptions made at that level (Schein, 2004).
