Strengthening Risk Culture to Challenge Risk-Taking

Economic disasters always lead to the question, “Why wasn’t the disaster predicted and prevented?” Part of the answer lies in the insistence of management and boards of directors on relying on a reactive, rather than a proactive, approach to risk management. A recent thought paper, A Risk Challenge Culture, published by the Institute of Management Accountants (IMA), focuses on the importance of creating a “risk challenge culture” and how organizations are making culture changes to limit undesirable risk-taking as much as feasibly possible.

The paper, which is authored by Paul L. Walker, William G. Shenkir, and Thomas L. Barton (see link to full paper below), highlights a number of ways to help improve an organization’s risk culture:

  •  Exercising Professional Skepticism to Strengthen Risk Culture
  •  Expanding Board Diversity to Enhance Risk Culture
  •  Establishing Expectations of the Board for Risk Oversight
  •  Reducing Information Asymmetries about Risks
  •  Recognizing How Bias in Decision Making Affects Risk Oversight
  •  Watching for Signs that Highlight Symptoms of Weakened Risk Culture
  •  Communicating Risk Appetite to Express Risk Culture

This abstract summarizes some of the key points in the IMA thought paper.

Exercising Professional Skepticism to Strengthen Risk Culture  

The term “professional skepticism” is used in auditing to ensure CPAs are inquisitive in verifying that financials are fairly stated. The term also relates to the oversight of risks, not only by the board and senior management but by employees across the whole institution. The thought paper proposes that all employees should be asking themselves the question ‘what if …?’. This requires no training or skill set, only a person’s willingness to see beyond what is in front of them and to employ a questioning mind and a critical assessment of information.

Expanding Board Diversity Enhances Risk Culture  

For a risk challenge culture to be successful, it must come from the very top: the board of directors. If the board of directors does not have sufficient knowledge and competencies to manage the potential and present risks, the board may become a risk in and of itself! The thought paper argues that a diverse board of directors is one of the most effective ways to minimize the chance of ‘groupthink’, where everyone agrees with the most opinionated or highest-ranked person in the room.

Establishing Expectations of the Board for Risk Oversight 

The board plays an incredibly important role in establishing expectations of senior management and the rest of the organization for risk oversight. The tenor of conversations about risk taking and risk oversight can make or break an organization’s effectiveness in navigating the risk landscape. If the board doesn’t proactively set expectations for how conversations about risk should occur, it may allow management to under-invest in its efforts to identify, assess, and manage some of the organization’s most critical risk exposures.

Reducing Information Asymmetries about Risks  

Because of its day-to-day involvement in the organization, management has a tremendous information advantage over the board of directors. If this is left unaddressed, the board may be missing important information about risks on the horizon that management has not shared with it. Thus, boards should be alert to instances where information appears to be withheld, and they should address those concerns and their expectations for risk information sharing immediately.

Recognizing How Bias in Decision Making Affects Risk Oversight 

Bias can unwittingly be a part of decision making, often leading to a risk that is not identified or dealt with properly.  The paper points out five biases that should be avoided in an organization’s bid to monitor risk:

  • Anchoring - picking out one piece of information, and basing everything around that
  • Loss Aversion - worrying more about minimizing risk than seeking gains
  • Overconfidence - an unwarranted belief in one’s solution to a problem
  • Confirmation - handpicking evidence that suits your pre-made decision
  • Rushed problem solving - trying to provide a solution to a problem without taking the appropriate amount of time

If these points are acknowledged, then a risk challenge culture can become more effective as it will be minimizing bias.

Watching for Signs that Highlight Symptoms of Weakened Risk Culture

As the board interacts with management, it should be constantly monitoring those interchanges to determine how those interactions might be signaling both strengths and weaknesses in the organization’s risk culture. Output from an ERM process may provide tremendous insight about the overall state and effectiveness of the organization’s risk culture. Simply watching the dialogue between the board and management may provide a number of clues about the organization’s overall risk management culture. Lack of transparency and excessive disagreement about risk taking may speak volumes.  

Communicating Risk Appetite to Express Risk Culture

Only 33% of businesses make use of a risk-appetite statement. This statement should show a company’s policy on how much risk it is willing to take on in chasing gains.  The article explains that this should be the ‘mechanism’ for the board and senior management to convey the policy to all employees.  However, each company will have different boundaries they set for risk-appetite; this will depend on the industry and many other factors that the board will take into account.

Pulling it All Together to Enhance Risk Culture

So, what do all these safeguards and thought processes do for an organization? They create a culture where questions are asked, issues are investigated appropriately and, as a result, risks are identified. It does not mean organizations should avoid taking risks, as risk taking can contribute to a business’s growth. Rather, it means that the risks will be better understood and managed, allowing for smarter decision making over the long term.


Link: A Risk Culture Challenge Published by IMA

ERM Enterprise Risk Management Initiative 2014-09-01