Risk Culture: Risk Department Steps In to Lead the Efforts
Risk culture, arguably the least visible but most vital aspect of risk management, is not a new concept for Operational risk practitioners.
It is an integral part of the discipline, and features in the first principle of the Basel Committee sound practices, refreshed and strengthened in 2021.
By design, all the elements of an Operational risk framework inevitably touch upon cultural themes such as transparency, accountability and no blame. Organizations where the right values have been embedded are less likely to suffer damaging operational risk events, and stand a better chance of dealing with them effectively if they do occur.
Historically, cultural efforts in most organizations have been (and still are) led by the Human Resources (HR) function. Lately, however, there has been a positive shift towards Risk Departments being more engaged and demonstrating leadership when it comes to organizational risk culture.
A live poll conducted by the Best Practice Operational Risk Forum in May 2021 revealed that the majority of Operational risk professionals are closely involved, with 39% of respondents leading the programs, 22% participating and 39% at least somewhat involved (fig 1).
Fig 1 Source: Best Practice Operational Risk Forum
Delving a bit deeper, it is useful to understand what these efforts include, and how broadly - or narrowly - risk culture is defined.
Risk culture, according to the Financial Stability Board, concerns itself primarily with risk awareness, risk taking and risk management.
Often, organizations focus on a firm’s broader culture (rather than its risk culture), with efforts centered around developing and promoting the right behaviors and mindsets.
Also, in recent years the ancillary terms conduct and conduct risk have become more prominent in supervisory publications, speeches and discussions. The focus here is on detrimental outcomes for customers and markets.
The concepts of culture, risk culture and conduct are closely intertwined, and organizational programs have a slightly different focus, depending on the firm’s priorities, geographical location, and regulatory environment. The Best Practice Operational Risk Forum examined and evaluated the scope (fig 2):
- Conduct and behaviors are at the heart of institutions’ cultural efforts, in line with the regulatory focus;
- Not surprisingly, this is closely followed by more traditional aspects of risk culture, which include attitudes towards risk management;
- What was historically an HR-led space of employee wellbeing is now actively influenced by the Risk Department. Here, the Operational risk function has stepped in to monitor the level of people risk via Key Risk Indicators (KRIs) and promote the discussion to the top of senior management's agenda. This is a prominent development triggered primarily by the COVID-19 pandemic, where people risk remains elevated and staff wellbeing is a key topic for firms;
- In contrast, Diversity and Inclusion (D&I), the least developed component, needs more focus.
Fig 2 Source: Best Practice Operational Risk Forum
D&I is an interesting part of the equation. This topic is far from new, and there is an understandable interest from HR, supported by an ever-growing list of studies confirming that a diverse and inclusive workforce ‘unlocks innovation and drives market growth’, as noted by the Harvard Business Review, and provides companies with a ‘competitive edge over their peers’, per Forbes.
From a risk management perspective, there are two additional aspects.
Firstly, the COVID-19 pandemic has exacerbated inequities and historic challenges of diverse groups. Organizations need to consider how this risk is recognized and managed. A recent report from McKinsey suggests that “diverse employees are struggling the most” and “fear losing ground at work”. In this context, the focus on D&I goes hand in hand with the Risk Function’s overall involvement in the monitoring and management of people risk.
Secondly, D&I is escalating in importance as a result of the ESG (Environmental, Social and Governance) developments, where D&I is a significant part of ‘S’. In most firms, it’s the Chief Risk Officer (CRO) who assumes the responsibility for spearheading organizational ESG activities, and D&I naturally becomes a topic of the risk agendas and risk conversations.
Overall, the COVID-19 pandemic is placing a strain on maintaining firms’ risk culture, even for organizations that purport to have a winning set of values, attitudes and behaviors.
Enforced and prolonged working from home led to a partial loss of informal interactions, which in turn somewhat eroded corporate cohesiveness. D&I in many firms also slipped down the list of priorities.
Adopting a constructive approach, practitioners discussed what activities could give a boost to a firm’s practices. The right tone from the top repeatedly appears at the top of live polls and continues to be deemed the most impactful for maintaining and boosting organizational risk culture (fig 3).
Fig 3 Source: Best Practice Operational Risk Forum
Looking at this poll, is it simply a picture-perfect textbook answer, given that tone from the top is cited in most if not all research papers, publications and articles on risk culture?
The Best Practice Operational Risk Forum concluded that it does represent practitioners’ views; leadership and direction from senior executives, closely followed by guidance and training from the Risk function, make a remarkable difference.
In conclusion, there is a positive shift in Risk Departments being more engaged and demonstrating leadership when it comes to organizational risk culture. As it relates to D&I, CROs and Heads of Operational Risk increasingly act as chairs of D&I Committees, and hopefully the topic will continue to receive focus and remain a prominent feature of risk management.