This document discusses the concept of risk culture and how it has become an important factor in organizational failures and crises. It provides definitions of risk culture and examines how risk culture relates to and overlaps with organizational culture. It also discusses how risk culture can be measured and managed, using both qualitative and quantitative methods. Financial services is given as an example industry where weaknesses in risk culture have been identified as contributing to problems. The document advocates for organizations to carefully consider how rewards and incentives may influence or shape risk culture.
While references to risk culture are relatively new, weaknesses in risk awareness and management have been identified as contributing factors in major world events like the global financial crisis. Firms have launched reviews of areas like product complexity and incentive schemes to address these weaknesses, but more work remains to be done. Embedding a consistent risk culture throughout a company's business units can be challenging. Measuring risk culture is important for managing it effectively, and there are well-developed approaches for doing so, such as interviews, focus groups, and surveys.
The incorporation of sustainability risks into the risk culture | Albert Vilariño
Post published on Medium on 3/3/17.
https://medium.com/@albert.vilarino/the-incorporation-of-sustainability-risks-into-the-risk-culture-b18aa1e39add#.cd2l4nh2x
This document discusses improving organizational risk management. It begins by describing traditional risk management principles like risk sharing and diversification. However, it notes that modern interconnected organizations face novel risks from factors like tightly coupled systems and networks. These nontraditional risks can have unexpectedly large cascading impacts. The document then examines how questions of trust and uncertainty about other parties' commitments and reliability introduce political, economic and organizational risks. It argues traditional risk management needs augmenting to address risks arising from limited trustworthiness between organizations.
Multinational companies face an array of evolving risks that are becoming more diverse, complex, and challenging to address. Traditional risk management focused on insurance placement and claims management, while strategic risk management sees risk management supporting corporate goals and opportunities. To develop strategic risk management, companies must foster collaboration, clearly define risk understanding and tolerance, and manage emerging challenges like reputational, political, and compliance risks. They must also hire skilled risk managers who can work across functions and adapt local strategies to diverse markets and regulations. As systems globally interconnect, risk cannot be confined to one area and must be addressed holistically.
A brief and clear argumentation in favour of the personalisation approach in risk management procedures in large companies.
Taken from "Making better risk management decisions" by J. Birkinshaw and H. Jenkins.
Regulators and boards have increased their focus on risk culture in light of conduct failures in the financial industry. They expect banks and insurers to foster appropriate risk cultures through actions such as setting the right tone from senior management and boards, strengthening accountability, and aligning incentives and HR policies with risk appetite. Assessing and improving risk culture is an ongoing challenge that requires defining a framework, conducting assessments of current culture, prioritizing initiatives to change behaviors where needed, and continuously monitoring culture over time.
The document discusses the importance of reputation resilience planning for businesses. It argues that reputation is an intangible asset determined by stakeholder perceptions, not owned by the organization. While operational resilience focuses on continuing operations during crises, reputation resilience requires sustaining positive stakeholder views. The Sony hack is used as an example of how a crisis can damage a company's reputation. The document advocates for integrating reputation risk management into overall risk processes to improve reputation competence across an organization.
This document summarizes a presentation on leading risk culture change by Linda Conrad of Zurich, Paul Walker of St. John's University, and Johan Willaert of Agfa Corporate Center. It discusses establishing leadership support for enterprise risk management (ERM), defining the scope of risk initiatives, mapping strategic risks, conducting risk assessments, setting action plans, and periodically reviewing risk management processes. The presentation emphasizes aligning ERM with business strategy, quantifying risks, gaining senior management buy-in, and communicating with stakeholders to develop a proactive risk culture.
Common Risk Management failures include lack of organizational integration, outdated risk measurement capabilities, and failure to view risk management as an enabler of long-term competitive advantage rather than just a preventative measure. Major challenges in establishing effective ERM include organizational silos, growing and changing risks, and cost pressures. As risk management becomes more strategic, companies are expected to increase spending to improve risk capabilities across the organization.
The importance of managing reputational risks | Albert Vilariño
The document discusses the importance of managing reputational risks for organizations. It states that reputation contributes over 25% on average to a company's market value and is a key driver of stakeholder behavior. It also notes that reputational risks have risen in recent risk surveys to become a top concern for executives. The document recommends that organizations conduct a thorough analysis of their reputational risks, prioritize them, and put plans in place to minimize high impact risks. It also emphasizes using a proactive rather than reactive approach to crisis management to mitigate reputational damage.
The document discusses OSACO Group, which provides services to help organizations address risks caused by human fallibility. This includes assisting financial institutions, sports organizations, humanitarian groups, businesses operating abroad, and media companies. OSACO helps clients anticipate where problems may occur due to human errors or misdeeds, put processes and controls in place to prevent or minimize issues, and restore integrity and trust if issues do happen. The company brings expertise in compliance, governance, risk management, investigations and training to address challenges such as financial crimes, corruption, and risks to personnel safety.
OSACO is a firm that specializes in managing human risks within organizations. They recognize that while people are capable of great things, they are also fallible and mistakes will happen. OSACO works to anticipate problems, minimize risks, and restore integrity and trust after issues occur. Their goal is to help organizations learn from mistakes in order to continuously improve how they address human factors and failures. OSACO provides services across multiple sectors, including business, finance, humanitarian work, sports, and media.
W6 making decisions in risky situations - Simon Pollard | lgconf11
The document discusses key themes around risk and decision-making in local government based on interviews with practitioners. The main themes that emerged are: organizational learning, responsibility, processes, uncertainty, communication, bridging strategy and operations, and weighing evidence. Risk governance is important to create value and balance accountability, learning, and acceptable behavior. Decision-making involves uncertainty that requires both formal evidence and local knowledge to understand issues.
Exploring risk management disclosure practices in non profit organisations in... | Alexander Decker
This document summarizes a study that examines risk disclosure practices in annual reports of 50 non-profit organizations (NPOs) registered in Malaysia. The study analyzed disclosures across six types of risks: organizational, operational, compliance, financial, reputation, and money laundering. Results found that NPOs provided more disclosure for mandatory financial items but lower voluntary disclosure for other risk types. Overall, there was a lack of risk disclosure that could increase risks harming the organizations. The study aims to provide feedback for NPOs to improve risk management and help regulators strengthen disclosure requirements.
This document discusses challenges facing enterprise risk management (ERM) professionals. Interviews with ERM executives revealed common themes of feeling diminished relevance, questioning their significance to leadership, and dealing with uncertainty in their roles. When times are tough, organizations seek more validation of ERM's value. Relationships can become strained during debates over ERM ownership. The document calls for ERM professionals to reflect on stress management techniques and maintaining resilience amid these challenges.
Managing Risk in Perilous Times - Practical Steps to Accelerate Recovery | FindWhitePapers
The document discusses lessons that can be learned from the financial crisis regarding effective risk management. It argues that risk management needs greater authority, senior executive leadership, and sufficient risk expertise at high levels. It also stresses the importance of combining quantitative risk model outputs with human judgment, paying attention to the quality of data used in models, and using stress testing and scenario planning to prepare for potential risks and events.
Since the onset of the global financial crisis in 2008, businesses around the world have faced a barrage of new risk-related challenges.
The macroeconomic environment of recent years, marked by the global financial crisis, fiscal uncertainty in the US and sovereign debt problems in Europe, has also helped to make companies more risk-averse, leading them to swap bold investment decisions for more cautious behaviour and cash hoarding. The tide is turning, however, with most expecting 2014 to mark a return to growth...
This document summarizes interviews with cybersecurity professionals about the current state of cyber risks. The interviewees discuss how senior leaders' understanding of cyber risk has improved but still faces challenges from technical complexity and uncertainty. The biggest barriers to protection are underfunding security and lack of user awareness training. A "bad day" would involve a major data breach or systems outage. The threats of organized crime, state-sponsored attacks, and exploiting human weaknesses will continue to evolve rapidly. Information sharing and early education are opportunities to stay ahead of this threat.
This document provides a summary of a report on managing risk in challenging economic times. It makes the following key points:
1. Risk managers at financial institutions warned of growing risks in the years leading up to the financial crisis but lacked the authority to curb excessive risk-taking driven by profit motives.
2. The report examines 10 practical lessons for improving risk management practices, including giving risk managers greater authority, ensuring risk expertise at senior levels, and balancing risk factors across all business units.
3. Interviews with industry and academic experts informed the report's findings. It provides questions for companies outside of finance to consider regarding their own risk governance and risk oversight practices.
Operational risk management is becoming an important part of corporate governance frameworks. It aims to proactively identify, assess, and manage risks to improve transparency, efficiency, and shareholder value while protecting reputation. Recent regulatory scrutiny and fines show the importance of properly managing operational risks. Actuaries are well-suited to lead operational risk management due to their understanding of risk assessment and financial impacts.
The document summarizes the findings of a 2014 global survey on reputation risk conducted by Deloitte and Forbes Insights. Some key findings include:
- 87% of over 300 executives surveyed rated reputation risk as more important than other strategic risks facing their companies.
- Responsibility for managing reputation risk resides primarily with senior leadership, including the CEO, CRO, board of directors, and CFO.
- The top drivers of reputation risk are ethics/integrity issues, security risks, and product/service risks related to safety, health and the environment.
- Companies are investing more in tools and capabilities to improve their management of reputation risk.
Understanding and Managing Reputation Risk | Steve Leigh
The document describes a reputation risk tracking tool that uses big data analysis to identify risks and opportunities related to a company's reputation. The tool analyzes risks across six categories and tracks changes over multiple years to identify trends. Clients use the insights to manage reputation risks, make informed decisions, and measure and monitor risks proactively. The tool provides customized analysis and reputation risk assessments.
This document provides guidance for chief information security officers (CISOs) on engaging with their organization's board of directors regarding cybersecurity. It notes that boards are increasingly involved in overseeing security due to regulatory pressures and high-profile data breaches. The document offers advice on how CISOs can establish effective communication with boards, including translating technical security topics into business impacts and risks, benchmarking the organization's security posture against industry peers, and quantifying security issues and their associated costs and risk exposure. The goal is for CISOs to gain board support for their security programs and help boards understand security's strategic importance in reducing risks to the business.
Moving from Process to Purpose, Risk Management after COVID19 | chungarisk
This document provides summaries of key concepts in risk management and decision making.
It begins with definitions of situational awareness, mental simulation, and naturalistic decision making. These concepts emphasize gathering information, anticipating outcomes, and making decisions under uncertainty.
The document then discusses features of naturalistic decision making, including ill-defined goals, uncertainty, shifting priorities, and high stakes. It notes decision makers must react to changing conditions and work within dynamic organizations. Several models are highlighted, emphasizing recognition of patterns and situation assessment.
In closing, the document outlines four strategies for managing positive risks and opportunities: pursue, optimize, exploit, and share ownership with others. This emphasizes both accepting advantages and actively working to increase
Enterprise risk management (ERM) takes a comprehensive, top-down approach to identifying and managing an organization's risks. It considers strategic, operational, pure and speculative risks across the entire organization rather than managing risks in silos. A typical ERM process involves identifying benefits, acquiring board support, developing risk procedures, determining risk appetite, and fostering a risk-aware culture. Barriers to effective ERM include difficulties defining risk appetite and a lack of requests to change risk management approaches. The 2012 Super Bowl in Indianapolis demonstrated how ERM can be applied to large-scale event planning and produce positive results. Future adoption of ERM may be slow as it is considered a "soft" aspect, but its principles are becoming
New Risk Management Paradigm for Not-For-Profits | David X Martin
The document discusses the new risk paradigm for not-for-profit organizations. It explains that not-for-profits now face greater risks due to increased competition, demands from consumers and funders, and contracts that pay based on outcomes rather than services provided. This requires not-for-profits to take a more strategic, integrated approach to risk management. Senior management must ensure risks are identified and measured, risk exposures are appropriate and aligned with objectives, and the organization is dynamic and can respond to changes. An effective risk culture must also be established where risk management is embedded in decision-making and oversight at all levels.
STRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docx | susanschei
STRATEGIC PLANNING
Managing Risks: A New
Framework
by Robert S. Kaplan and Anette Mikes
FROM THE JUNE 2012 ISSUE
Editors’ Note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are
highlighted in this article, revealed significant trading losses at one of its units. The authors provide
their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing
Risky Behavior.
When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top
priority. Among the new rules he instituted were the requirements that all
employees use lids on coffee cups while walking and refrain from texting while
driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf
of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission
attributed the disaster to management failures that crippled “the ability of individuals involved to
identify the risks they faced and to properly evaluate, communicate, and address them.” Hayward’s
story reflects a common problem. Despite all the rhetoric and money invested in it, risk
management is too often treated as a compliance issue that can be solved by drawing up lots of rules
and making sure that all employees follow them. Many such rules, of course, are sensible and do
reduce some risks that could severely damage a company. But rules-based risk management will not
diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did
not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
Identifying and Managing
Preventable Risks
In this article, we present a new categorization of risk that allows executives to tell which risks can
be managed through a rules-based model and which require alternative approaches. We examine
the individual and organizational challenges inherent in generating open, constructive discussions
about managing the risks related to strategic choices and argue that companies need to anchor these
discussions in their strategy formulation and implementation processes. We conclude by looking at
how organizations can identify and prepare for nonpreventable risks that arise externally to their
strategy and operations.
Managing Risk: Rules or Dialogue?
The first step in creating an effective risk-management system is to understand the qualitative
distinctions among the types of risks that organizations face. Our field research shows that risks fall
into one of three categories. Risk events from any category can be fatal to a company’s strategy and
even to its survival.
Category I: Preventable risks.
These are internal risks, arising from within the organization, that are controllable and ought to be
eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal,
unethical, incorrect, or inappropriate actions and the risks from br.
Common Risk Management failures include lack of organizational integration, outdated risk measurement capabilities, and failure to view risk management as an enabler of long-term competitive advantage rather than just a preventative measure. Major challenges in establishing effective ERM include organizational silos, growing and changing risks, and cost pressures. As risk management becomes more strategic, companies are expected to increase spending to improve risk capabilities across the organization.
The importance of managing reputational risks.Albert Vilariño
The document discusses the importance of managing reputational risks for organizations. It states that reputation contributes over 25% on average to a company's market value and is a key driver of stakeholder behavior. It also notes that reputational risks have risen in recent risk surveys to become a top concern for executives. The document recommends that organizations conduct a thorough analysis of their reputational risks, prioritize them, and put plans in place to minimize high impact risks. It also emphasizes using a proactive rather than reactive approach to crisis management to mitigate reputational damage.
The document discusses OSACO Group, which provides services to help organizations address risks caused by human fallibility. This includes assisting financial institutions, sports organizations, humanitarian groups, businesses operating abroad, and media companies. OSACO helps clients anticipate where problems may occur due to human errors or misdeeds, put processes and controls in place to prevent or minimize issues, and restore integrity and trust if issues do happen. The company brings expertise in compliance, governance, risk management, investigations and training to address challenges such as financial crimes, corruption, and risks to personnel safety.
OSACO is a firm that specializes in managing human risks within organizations. They recognize that while people are capable of great things, they are also fallible and mistakes will happen. OSACO works to anticipate problems, minimize risks, and restore integrity and trust after issues occur. Their goal is to help organizations learn from mistakes in order to continuously improve how they address human factors and failures. OSACO provides services across multiple sectors, including business, finance, humanitarian work, sports, and media.
W6 making decisions in risky situations - simon pollardlgconf11
The document discusses key themes around risk and decision-making in local government based on interviews with practitioners. The main themes that emerged are: organizational learning, responsibility, processes, uncertainty, communication, bridging strategy and operations, and weighing evidence. Risk governance is important to create value and balance accountability, learning, and acceptable behavior. Decision-making involves uncertainty that requires both formal evidence and local knowledge to understand issues.
Exploring risk management disclosure practices in non profit organisations in...Alexander Decker
This document summarizes a study that examines risk disclosure practices in annual reports of 50 non-profit organizations (NPOs) registered in Malaysia. The study analyzed disclosures across six types of risks: organizational, operational, compliance, financial, reputation, and money laundering. Results found that NPOs provided more disclosure for mandatory financial items but lower voluntary disclosure for other risk types. Overall, there was a lack of risk disclosure that could increase risks harming the organizations. The study aims to provide feedback for NPOs to improve risk management and help regulators strengthen disclosure requirements.
This document discusses challenges facing enterprise risk management (ERM) professionals. Interviews with ERM executives revealed common themes of feeling diminished relevance, questioning their significance to leadership, and dealing with uncertainty in their roles. When times are tough, organizations seek more validation of ERM's value. Relationships can become strained during debates over ERM ownership. The document calls for ERM professionals to reflect on stress management techniques and maintaining resilience amid these challenges.
Managing Risk in Perilous Times- Practical Steps to Accelerate RecoveryFindWhitePapers
The document discusses lessons that can be learned from the financial crisis regarding effective risk management. It argues that risk management needs greater authority, senior executive leadership, and sufficient risk expertise at high levels. It also stresses the importance of combining quantitative risk model outputs with human judgment, paying attention to the quality of data used in models, and using stress testing and scenario planning to prepare for potential risks and events.
Since the onset of the global financial crisis in 2008, businesses around the world have faced a barrage of new risk-related challenges.
The macroeconomic environment of recent years, marked by the global financial crisis, fiscal uncertainty in the US and sovereign debt problems in Europe, has also helped to make companies more riskaverse, leading them to swap bold investment decisions for more cautious behaviour and cash hoarding. The tide is turning, however, with most expecting 2014 to mark a return to growth...
This document summarizes interviews with cybersecurity professionals about the current state of cyber risks. The interviewees discuss how senior leaders' understanding of cyber risk has improved but still faces challenges from technical complexity and uncertainty. The biggest barriers to protection are underfunding security and lack of user awareness training. A "bad day" would involve a major data breach or systems outage. The threats of organized crime, state-sponsored attacks, and exploiting human weaknesses will continue to evolve rapidly. Information sharing and early education are opportunities to stay ahead of this threat.
This document provides a summary of a report on managing risk in challenging economic times. It makes the following key points:
1. Risk managers at financial institutions warned of growing risks in the years leading up to the financial crisis but lacked the authority to curb excessive risk-taking driven by profit motives.
2. The report examines 10 practical lessons for improving risk management practices, including giving risk managers greater authority, ensuring risk expertise at senior levels, and balancing risk factors across all business units.
3. Interviews with industry and academic experts informed the report's findings. It provides questions for companies outside of finance to consider regarding their own risk governance and risk oversight practices.
Operational risk management is becoming an important part of corporate governance frameworks. It aims to proactively identify, assess, and manage risks to improve transparency, efficiency, and shareholder value while protecting reputation. Recent regulatory scrutiny and fines show the importance of properly managing operational risks. Actuaries are well-suited to lead operational risk management due to their understanding of risk assessment and financial impacts.
The document summarizes the findings of a 2014 global survey on reputation risk conducted by Deloitte and Forbes Insights. Some key findings include:
- 87% of over 300 executives surveyed rated reputation risk as more important than other strategic risks facing their companies.
- Responsibility for managing reputation risk resides primarily with senior leadership, including the CEO, CRO, board of directors, and CFO.
- The top drivers of reputation risk are ethics/integrity issues, security risks, and product/service risks related to safety, health and the environment.
- Companies are investing more in tools and capabilities to improve their management of reputation risk.
Understanding and Managing Reputation RiskSteve Leigh
The document describes a reputation risk tracking tool that uses big data analysis to identify risks and opportunities related to a company's reputation. The tool analyzes risks across six categories and tracks changes over multiple years to identify trends. Clients use the insights to manage reputation risks, make informed decisions, and measure and monitor risks proactively. The tool provides customized analysis and reputation risk assessments.
This document provides guidance for chief information security officers (CISOs) on engaging with their organization's board of directors regarding cybersecurity. It notes that boards are increasingly involved in overseeing security due to regulatory pressures and high-profile data breaches. The document offers advice on how CISOs can establish effective communication with boards, including translating technical security topics into business impacts and risks, benchmarking the organization's security posture against industry peers, and quantifying security issues and their associated costs and risk exposure. The goal is for CISOs to gain board support for their security programs and help boards understand security's strategic importance in reducing risks to the business.
Moving from Process to Purpose: Risk Management after COVID19, by chungarisk
This document provides summaries of key concepts in risk management and decision making.
It begins with definitions of situational awareness, mental simulation, and naturalistic decision making. These concepts emphasize gathering information, anticipating outcomes, and making decisions under uncertainty.
The document then discusses features of naturalistic decision making, including ill-defined goals, uncertainty, shifting priorities, and high stakes. It notes decision makers must react to changing conditions and work within dynamic organizations. Several models are highlighted, emphasizing recognition of patterns and situation assessment.
In closing, the document outlines four strategies for managing positive risks and opportunities: pursue, optimize, exploit, and share ownership with others. This emphasizes both accepting advantages and actively working to increase
Enterprise risk management (ERM) takes a comprehensive, top-down approach to identifying and managing an organization's risks. It considers strategic, operational, pure and speculative risks across the entire organization rather than managing risks in silos. A typical ERM process involves identifying benefits, acquiring board support, developing risk procedures, determining risk appetite, and fostering a risk-aware culture. Barriers to effective ERM include difficulties defining risk appetite and a lack of requests to change risk management approaches. The 2012 Super Bowl in Indianapolis demonstrated how ERM can be applied to large-scale event planning and produce positive results. Future adoption of ERM may be slow as it is considered a "soft" aspect, but its principles are becoming
New Risk Management Paradigm for Not-For-Profits, by David X Martin
The document discusses the new risk paradigm for not-for-profit organizations. It explains that not-for-profits now face greater risks due to increased competition, demands from consumers and funders, and contracts that pay based on outcomes rather than services provided. This requires not-for-profits to take a more strategic, integrated approach to risk management. Senior management must ensure risks are identified and measured, risk exposures are appropriate and aligned with objectives, and the organization is dynamic and can respond to changes. An effective risk culture must also be established where risk management is embedded in decision-making and oversight at all levels.
STRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docx, by susanschei
STRATEGIC PLANNING
Managing Risks: A New Framework
by Robert S. Kaplan and Anette Mikes
FROM THE JUNE 2012 ISSUE
Editors’ Note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.
When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.” Hayward’s story reflects a common problem. Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
Identifying and Managing Preventable Risks
In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches. We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes. We conclude by looking at how organizations can identify and prepare for nonpreventable risks that arise externally to their strategy and operations.
Managing Risk: Rules or Dialogue?
The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.
Category I: Preventable risks.
These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from br.
Audits have shifted their traditional focus from cost control towards a global strategy of risk management, governance, value creation, and organizational culture. Auditing is a representative element of corporate culture because it defines how companies think and act, but management decisions are the true reflection of how a company thinks and acts. Thus, this area gains importance thanks to its direct participation in risk management and value creation.
1. The document provides guidance for boards on understanding and improving an organization's risk culture.
2. It defines risk culture as the values, beliefs, knowledge, and understanding about risk that are shared by a group within an organization.
3. A good risk culture enables informed risk-taking, rewards appropriate risk behaviors, and encourages transparency around risk information and reporting.
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESS, by Robin Beregovska
This document discusses risk analysis and its importance for business success. It begins by defining risk and explaining the history and evolution of risk management. The main points are:
1) Risk analysis identifies and analyzes issues that could jeopardize a business or project's success. It allows companies to assess risks and determine the best choices.
2) Conducting risk analysis provides several benefits like easier risk identification, higher quality decision-making data, improved communication, and more accurate budgeting.
3) While the subjectivity of estimates and the inclusion of improbable risks are common criticisms, overall risk analysis is a crucial process that helps companies achieve their objectives and minimize negative impacts.
This document discusses how organizations can sustain an enterprise risk management (ERM) program and maintain a competitive advantage through developing an ERM culture. It defines ERM culture as a system of values and behaviors throughout an organization that shape how it identifies, understands, discusses and acts on risks. Key aspects of a strong ERM culture include committed leadership, incentives for risk awareness, information sharing, and learning opportunities. The document analyzes case studies of how several organizations assessed and improved their ERM cultures.
The Chief Risk Officer (CRO) role has evolved from initially focusing on risk control to taking a broader enterprise risk management approach. To be effective, the CRO must balance the roles of police officer, teacher, counselor, and business leader. There is no single model for how the CRO should be structured in an organization, but typically they report either to the CEO or CFO. Appointing an effective CRO is important for companies to make better risk and investment decisions.
This document discusses the importance of risk management in public and private institutions. It argues that risk management is crucial for maintaining society's trust in these institutions by systematically identifying and minimizing risks to prevent crises and losses of resources. The document outlines several risk management standards and principles, highlighting the ISO 31000 standard. Effective risk management requires organizations to understand their risks, implement professional risk processes, and communicate about risk management.
Thoughts on Direction of Ops Risk Management -V4 0, by Amrut Joshi
The document discusses risk management and operational risk. It provides context on the tumultuous global economic environment of the last decade which brought focus to risk management. However, some question if current risk management practices are adequate given failures still occurred. The document then discusses various studies on risk management and findings that risks are about human decisions. Therefore, influencing business decisions is important to manage risks and avoid failures. It introduces the concept of "behavioural risk management" and capturing the experience of being embedded within business to influence decisions from the first line of defence.
Convergence-based Approach for Managing Operational Risk and Security In Toda..., by Marc S. Sokol
This white paper provides a multidimensional approach that inspires convergence of resources, thinking and collaboration by business and support operations professionals across the organization to implement and maintain a holistic and efficient risk management program. As a result, the program can be integrated into every day business decisions and the culture of a company maximizing value and business decision capability. Through this integration, an organization will ensure sustained and optimal enterprise stewardship and full alignment with its risk tolerance.
Manigent Aligning Risk Appetite And Exposure, by Andrew Smart
This document discusses aligning an organization's risk appetite and risk exposure through strategic execution. It argues that successful strategy execution in the post-credit crisis world requires balancing risk appetite and exposure within the context of clear strategic objectives. The document provides a roadmap for organizations to determine strategic objectives, define risk appetite, identify key risks, review risk appetite in light of key risks, conduct risk assessments, and map risk exposure to risk appetite using a risk appetite and exposure matrix. Following this process allows organizations to integrate risk management into strategic decision making.
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2, by Tim Leech
The document discusses the need for a paradigm shift in enterprise risk management (ERM) and internal audit approaches from a risk-centric model to an objective-centric model. It argues the current risk-centric models that rely on risk registers are flawed because they look at risks in isolation rather than linking them to organizational objectives. It proposes boards require management to regularly report on residual risk status linked to key value creation and preservation objectives. This would position management as primarily responsible for risk assessment rather than traditional ERM and internal audit groups. It acknowledges there are significant barriers to change, including guidance materials, skills gaps, and reluctance to change entrenched practices.
Due to the current instability in the business world, organizations should be able to anticipate changes and have coherent responses at hand to effectively manage risks, create value, build good relations, increase profit and improve competitive positioning.
A report titled Exploring Strategic Risk issued in 2013 for Forbes Insights by Deloitte, contains some very important conclusions for the business community. 300 executives from around the world were interviewed for the study, in an attempt to find out their vision of the risk strategy and current changes and analysing how organizations should face these new challenges.
Sometimes it is difficult to link risks to a specific financial impact and not all data are pertinent to the evaluation of emerging risks. That's why companies have to be aware of internal risks and manage them well in order to be able to manage external risks and invest into strategic assets such as human capital, clients and innovation.
This insight presents the case of financial services as the sector that generates the least trust, owing to short-sightedness, a lack of values and a lack of professional education that resulted in corruption and bad practices, which compromised the financial sector.
The report A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services examines the role of integrity and knowledge in restoring culture in the financial services industry. The conclusions appear in the full version of this document.
The financial industry is just one example in the wider panorama. Lack of values is widespread and creates significant risks. Bad practices trigger problems such as loss of profit, loss of reputation and even loss of shareholders, clients and employees.
The crisis, as well as the arrival of new technologies, urges companies to maintain their good practices and emphasize aspects as ethics, leadership, commitment, performance, transparency and sustainability.
The digital revolution and social networks encourage companies to be more transparent: companies meet their promises and obligations, deliver a coherent dialogue and improve the relationship with their stakeholders.
Application of values raises the possibility of good results and profits for companies through improvement of their reputation and business as well as optimization of resources. This certainly creates competitive advantages, establishes a strong cultural connection and improves employees’ motivation.
Before taking any decision, an institution should keep in mind the fact that it needs implicit and explicit public approval. Good business management implies risk management, creating a climate of trust, good will, credibility, social commitment and empathy between stakeholders and the company.
This document discusses how to navigate uncertainty and complexity by turning risks into opportunities. It argues that successful leaders and organizations see opportunities where others see uncertainty and complexity. They have an entrepreneurial risk appetite, confidence, and refined decision-making abilities. To achieve this, having a network of trusted advisors is critical for making better, faster decisions. The document provides examples of how to identify opportunities within risks and disruptions, and stresses the importance of adapting to thrive in changing environments.
Chaitanya Kosaraju Week 4 discussionCOLLAPSETop of FormHan.docx, by keturahhazelhurst
Chaitanya Kosaraju
Week 4 discussion
Handling risks in an all-encompassing manner is testing, and building a successful system for its administration is testing. It is fascinating to take note of that there is considerably more understanding from the center gathering and different analysts about what successful hazard the executives resembles than how to do it. Some of the characteristics and functions of an effective risk management program are:
Focus on what is important: The main inquiry we should pose is 'What are we attempting to protect? "There's no ideal bundle, and some leftover hazard should consistently be taken." A third included "Dangers are unavoidable, however it's the manner by which they're dealt with—our reaction, possibility plans, group preparation, and flexibility. Consequently, the focal point of effective risk management ought not to be tied in with saying "no" to a hazard, yet how to state "yes," along these lines fabricating an increasingly deft endeavor. Many trust the time has come to perceive that hazard can't be overseen exclusively through controls, strategies, and innovation yet that all workers must comprehend the ideas and objectives of hazard the board in light of the fact that the undertaking will consistently need to depend on their judgment somewhat. Therefore they will in general representative numerous parts of hazard the executives to lower levels in the association, accordingly anticipating the improvement of any more extended term, by and large vision
Expect changes over time: In acknowledgment of anticipated changes, most member associations have a required hazard evaluation at key stages in the framework improvement procedure to catch the hazard picture associated with a specific undertaking at a few in time and many have normal, progressing audits of required operational controls on a yearly or half-yearly premise to do something very similar.
View risks from multiple levels and perspectives: Rather than managing security incidents in an each one in turn way, it is essential to do main driver examination so as to comprehend chances in an increasingly multifaceted manner. Until now, chance administration has would in general spotlight to a great extent on the operational and strategic levels and not saw in a vital manner. Moreover, hazard, security, and consistence are frequently intermixed in individuals' minds. Each of these is a substantial and novel focal point through which to view hazard and ought not to be viewed just like the equivalent. Observing and adjusting to new universal principles and laws, finishing by and large wellbeing checks, and investigation of potential dangers are other new components of hazard that ought to be fused into a company's general way to deal with hazard the board.
Hi All
The appropriate risk response will be different from organization to organization, depending on how management views the risk in terms of magnitude. T ...
The COVID-19 pandemic has taught us the need to rethink towards future risk and possibly how to mitigate or deal with such risk. To do this, the right risk culture needs to be embedded into the organization’s setting. In recent times, there has been an increase in regulatory pressure for effective risk management governance and strategy. An inspiring risk governance and strategy will never be realized without the backing of a strong risk culture. This paper discusses risk culture within an organization and rethinking risk culture in a post-pandemic era.
I need response to Discussion post in 200 words.docx, by write4
This document discusses efficient frontier analysis and strategic risk management. It provides context for how efficient frontier analysis can help organizations identify projects that determine appropriate risks and investments. Strategic risk management allows organizations to better understand risk across divisions to inform decision making. Quantitative financial and behavioral models are increasingly used to analyze risk portfolios. Strategic risk management creates opportunities for interaction across an organization to holistically assess risk.
Perspectives: Risk culture starts to come of age
willistowerswatson.com
While references to the concept of risk culture are relatively new, shortcomings in risk awareness and management have been identified as fundamental causal factors in recent world events, such as the global economic crisis and major industrial accidents.
The attention focused on the determinants of, and influences on, risk culture has become progressively greater in recent years, thanks substantially to continuing autopsies of the 2008 global financial crisis. Yet, for all the discussion, there remains no universally agreed definition. Perhaps the most frequently cited example is the Institute of Risk Management’s [1]:
“Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation.”
As those working within the field would readily acknowledge, the difficulty with any definition is that risk culture will vary widely from one context to another, depending on factors such as broader organisational objectives and behaviour, sector of operation, and the nature of risk. The challenge for firms looking to improve how they evaluate and react to risk is to identify what works for them.
Risk culture and organisational culture
The nature of the relationship between organisational culture and risk culture is a matter of debate and perspective. Some people view risk culture as a sub-set of organisational culture; for others it overlaps with, but also extends beyond, the traditional boundaries of organisational culture. For yet others, risk culture is simply organisational culture viewed through a risk lens.
But there are several principles from organisational culture more generally that have an important bearing on risk culture, including:
- Culture matters: Organisational culture really does make a difference. Although culture is sometimes regarded as ‘soft’, it plays a powerful role in determining behaviour and organisational effectiveness. To emphasise this point, among the more colourful opinions expressed along these lines are “Culture eats strategy for breakfast”, often attributed to the management writer Peter Drucker [2], and “Culture, more than rule books, determines how an organisation behaves”, from business leader Warren Buffett in a Financial Times interview [3].
- Much of culture lies beneath the surface: Some aspects of culture, such as the management reporting line, are quite visible and readily apparent. Others, such as the unwritten lore, informal relationships and people’s personal attitudes, are more hidden beneath the surface.
- There is no ‘best’ culture: Cultures vary between (and within) organisations – and they should. A company competing on the basis of its creativity will need a different culture to succeed than another competing on the basis of operational efficiency.
- Culture can be articulated, measured and managed: To some, the very notion of organisational culture seems ethereal and difficult to describe, let alone quantify or manage. However, there are well developed approaches that provide effective ways to do just this.
Practical application: Financial services
Moving from theory to practice, the financial services industry is perhaps understandably the most obvious sector where risk culture has come under the closest scrutiny in recent times.
There is little doubt that an important contributor to the financial crisis of 2008 was the prevalence of a culture that promoted the pursuit of short-term profits at the expense of long-term value generation, which was exacerbated by being entrenched into individuals’ rewards. This view was supported by a survey [4] which found that most risk professionals believed the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics, with 85% citing remuneration practices as important or very important. Although the role of reward may sometimes be overstated, it can clearly play an important part in shaping culture and behaviour.
In recent years, firms have launched reviews of their operational and governance models to address weaknesses that were considered to have contributed to the increased and often unrecognised risks. These reviews have addressed a wide range of areas, including product complexity, incentive schemes and oversight. More, however, remains to be done.
Embedding a consistent risk culture beyond the boardroom and into business units can prove particularly challenging. While the Board and the Chief Risk Officer (CRO) have overall responsibility for ensuring this happens, the direct responsibility for risk management and the risk culture lies with operational management. There may be a tendency to assume that because someone has ‘Risk’ in their title they must take on all risk responsibility. In reality, it is the role of senior management to set the tone and encourage and empower employees to behave in line with the desired risk culture.
But in many cases new governance and processes are driven by recent events and external pressures, rather than a longer-term view of a culture of risk awareness that balances the downside risk with well-managed opportunities that could result in significant competitive advantages. What marks out the latter is the leadership of Boards and CROs, as well as other risk specialists, to clearly articulate a balanced, business orientated view of risk as a basis for educating and advising the rest of the business. Talent management, communication and education programmes are critical to a successful risk culture, typically requiring a long-term commitment from operational management as much as the risk team.
It should not be forgotten that much of risk culture resides in people’s attitudes, beliefs, habits and relationships and is hidden ‘beneath the surface’, which affects the manner in which policies, systems and processes are approached in practice, and therefore their success.
As an example, following a significant risk event, Towers Watson was asked to review a financial services company’s governance procedures, to evaluate whether appropriate decision making processes and levels of authority were in place. The conclusion reached could also apply to many incidents in the sector over the last few years: ‘There was nothing wrong with their governance procedures – apart from the fact that they didn’t use them.’ Although the system of internal committees and decision-making processes was well defined, in practice decisions had been influenced by conversations in the corridors and by the strength of relationships between individuals. A clear lesson from this is that an organisation’s formal risk governance processes and its risk culture need to be in tune with each other to be effective and the design and implementation of the risk management system should take full account of the culture.
Measuring risk culture
For all the mounting evidence of the value of culture in how organisations behave, some managers, and some risk managers in particular, have shied away from the concept of risk culture, not knowing quite how to approach it. For those from an engineering or actuarial background, for example, the notion of trying to measure such an apparently ethereal concept can be troubling. But, in keeping with the mantra ‘what gets measured gets managed’, if risk culture is to be effectively managed, it surely needs to be measured. Fortunately, there are well developed approaches that can do just this.
At the less formalised/ad hoc end of the spectrum, organisations have tended to rely on existing data sources, such as drawing on information from generic staff surveys, policies and values statements, as well as relying on subjective personal impressions.
A more structured qualitative approach offers a great deal more insight. This typically takes the form of a series of senior level interviews, combined with focus groups from across the organisation. Such an approach can be applied widely across a large organisation but also lends itself to smaller business units.
Safety culture
In other sectors such as energy, oil and gas, construction, transportation and logistics, mining, and manufacturing, safety is frequently cited as the number one business priority. Where safety incidents have occurred, large or small, investigations have often identified organisational culture as an underlying cause. But what aspects of culture are most important in developing a strong safety culture?
In research conducted by Willis Towers Watson, employees of businesses recognised for their safety records reported positive, open relationships with their line managers, who were seen as technically knowledgeable, receptive and responsive to input and were forthcoming with recognition for good work. Good line management was found to create a sense of empowerment. Individual employees were able to take responsibility through delegated authority and access to relevant information. They were encouraged to develop innovative solutions to problems. Positive safety environments were also found to have a stronger emphasis on collaboration and teamwork – which were found to be especially important in exceptionally busy environments.
Notably, it is important to capture both the senior, strategic perspective and those from the middle- and front-line roles, as each has access to a different set of information and experiences that are very relevant to the risk culture.
Much as the insights from a qualitative
approach such as this are very helpful
in identifying issues to be addressed,
it does not lend itself to quantification,
and so it is difficult to determine
the extent of an issue, to compare
within or between organisations
or to track progress accurately. A
complementary survey approach is
able to meet these needs, and many
organisations are now using risk
culture surveys to monitor this critical
aspect of their business. These range
from simple generic questionnaires to
those that are tailor-designed to meet
the specific needs of the organisation.
Surveys provide a readily scalable
approach, so can be applied across
organisations of all sizes.
Risk culture starts to come of age
Organisations naturally differ from one another in terms of their strategies, products/services, markets, heritage, structures and processes – so it is only sensible that their cultures would and should differ too. Where possible, it is therefore preferable to design a measurement approach to fit the specific needs of the organisation. If using a survey, this means designing a set of questions that reflect the particular issues most important to the effective operation of that organisation.
More sophisticated statistical analysis of a well-designed survey can even provide insights into the underlying dynamics of the prevailing risk culture, for example, identifying high impact topics that are the biggest influence on people’s attitudes, and so inform effective change plans. An example is illustrated in Figure 1.
As well as providing the insights described above, in our experience, a systematic approach to measuring risk culture often also has several less direct but equally beneficial consequences.
Firstly, to the extent that it is visible across the organisation, it raises the profile of an important, but sometimes overlooked, topic. Leader sponsorship of a risk culture initiative demonstrates that it is taken seriously and helps convey a positive tone from the top.
We have also found that introducing a risk culture measurement process makes the topic much more accessible and tangible to both internal and external stakeholders. It provides a common language and set of constructs that managers can use to discuss the topic in a clear and constructive way, and helps investors or regulators, for example, understand the value of the existing risk culture.
In essence, measuring risk culture begins to give leaders, managers and employees the concepts and insights they need to begin managing risk culture effectively.
Figure 1. Drivers of risk attitudes (diagram; elements shown: Risk information and reporting; Leadership; Processes, controls and systems; Governance; Risk strategy; Risk attitudes; Risk awareness)
willistowerswatson.com
Managing risk culture
With the appropriate insights, support and resources it is possible to manage organisational culture – it just can’t be done overnight. A few key guiding principles include:
• There should be a clear and compelling vision and strategy that people can understand and buy into
• The desired culture should be articulated and modelled from the highest level in the organisation
• Companies should pay attention to the ‘hidden’ side of culture that lies beneath the surface, listen to people’s concerns, understand their personal interests and fears and respond to these. Some aspects of culture (such as systems, procedures and processes) offer managers the opportunity to address them directly, whereas others (such as people’s attitudes and beliefs) can only be impacted indirectly
• Existing systems, processes and policies tend to support the status quo, so these should be reviewed and modified to reflect required cultural changes, including approaches to:
  • Education and communication
  • Management information
  • Leadership
  • Governance
  • Reward and performance management
Fresh approaches to these facets of an organisation give leaders and managers a greater chance to bring about sustained change in the less visible parts of culture, such as beliefs, attitudes and relationships.
Although experience shows that leaders and managers can remould the risk culture of an organisation, there are also limitations on what can be achieved, and it is also easy for some actions to bring about unintended consequences. Nowhere is this the case more than in the use of incentives and rewards to influence risk culture.
Rewards and performance management
There are countless examples, and not just from the 2008 financial crisis, in a wide range of industries, where incentives – and the culture that went with them – were felt to have contributed at least in part to very negative outcomes. Among the more spectacular examples are the failures of Barings Bank, the ‘double suicide’ of Enron and Arthur Andersen, the failure of Lehman Brothers, and for BP both the Texas City oil refinery accident and more recently the Deepwater Horizon spill. The most damaging of these cases often involved not just one or two ‘bad apples’ but rather stemmed from practices that were tolerated – if not encouraged – as part of the cultural fabric of the organisation.
There is no question that rewards – and variable incentive compensation in particular – can and do drive behaviour. In this way, rewards can be a powerful tool. The problem, however, is that rewards won’t necessarily always drive the desired behaviours or outcomes.
This has led many organisations to focus on the risks, or potential risks, created by rewards. Examples of such risks might include:
• A CEO or senior leadership team that takes actions to maximise the stock price in the short term, thus risking long-term profitability and growth, because their rewards are linked to earnings per share
• A leadership team that makes overly generous assumptions in recognising revenue in order to produce better results that drive higher bonuses
• A sales team that pushes through a large volume of orders, generating high commissions, without considering whether those sales are properly aligned with customer needs, and without care as to whether those orders are later cancelled or goods are returned, because their compensation is linked to gross sales rather than net sales
• Call centre staff who are rewarded based on meeting objectives related to the average length of each call.
Importantly, the real risk of these situations is faced by the company, not the individuals taking these actions. For the company, the potential outcomes of the employee’s actions (and the related uncertainty) can be much more far-ranging – unsatisfied customers, additional costs to resolve complaints, reputational damage, a potential loss of customers and revenue, and potential legal action along with related fines, settlements, and legal costs. In the most extreme situations, as noted above, it has led to the failure of the company.
The current focus on incentives, we would argue, is both prudent and dangerous. It is prudent because we know that poorly designed incentives can create bad outcomes. But it is also dangerous for two reasons:
• It leads to a false notion that incentives can be used to ‘control’ risk
• It places an unreasonable burden on incentives and rewards in general to serve as the primary (or exclusive) tool to manage behaviour – ignoring the role played more broadly by the organisation’s risk culture.
Incentives create rather than control risk
No incentive or reward programme design can be used to control risk. Rather, incentives – any incentive – create risk. Changing the design of the incentive plan can reduce or eliminate certain risks, but at the same time it creates other new risks.
This is not to suggest, however, that firms should not worry about their reward design and just get on with things. Conducting a comprehensive risk assessment of incentive programmes is a process that companies will find beneficial periodically, as outlined below.
Risk identification
This involves identifying the sources of incentive risk, which requires creating an inventory of all the incentive plans that are currently being used in the organisation. While this may sound like a simple task, in large multinational organisations there can be tens or even hundreds of different ‘local’ plans (either local to a geography, a business unit, or a function).
Risk analysis
This is focused on understanding the causes and sources of incentive risk. There are a variety of methods and tools that organisations use to analyse the risk of their incentive plans – some involve very quantitative, formulaic scoring algorithms, while others take a more qualitative approach. However, the most important factors tend to revolve around two categories:
• Technical plan design details (for example, the use of thresholds and caps, the degree of upside opportunity and acceleration in pay-outs, the existence of clawbacks and deferrals, and the types of measures rewarded).
• The materiality of the plans in question (for example, the relative amount any one person can earn, as well as the size of the population impacted and the total costs involved).
Risk prioritisation
Having completed the risk analysis, it is then possible to identify the incentive plans that require further attention. The matrix in Figure 2 provides a simple means of prioritising incentive plan risk for many organisations. It looks at two dimensions.
Incentive plan risk – while specific criteria will vary from one organisation and one industry to another, these would generally align with the two categories identified above under risk analysis (technical incentive design and materiality).
Business impact risk – this is a function of the degree of risk the business itself faces in the course of its operations. For example, in a financial services firm, one key consideration is the extent to which the firm is committing capital and underwriting risks (where the potential returns could be quite volatile and unknown), or if it is operating in more of a fee-based mode (where it is quite clear at the time of the sale exactly how much money the firm will make). In an industrial environment, it might relate to the degree of danger involved in the firm’s production facilities and operations. In both cases, it is important to understand the extent to which the jobs in question can impact potential risk outcomes based on decisions they are making, where such decisions are likely to be influenced at least in part by the behaviours driven by their incentive plans. The business itself may have high risks (for example, a potentially dangerous manufacturing environment), but the impact that plant employees have on this risk is substantially different from the impact that salespeople will have on it.
Figure 2. Incentive risk probability (matrix of Plan likelihood, Low/Moderate/High, against Business Consequences, Low/Moderate/High, with example Plan A and Plan B plotted; Category 1, high risk: plans may require governance or design change; Category 2, moderate risk: plans may require governance or design change; Category 3, low risk: no governance or design changes required)
Actions to treat incentive risk
Changing the design of the incentive plan is one potential course of action. For instance, a business may decide that using an uncapped incentive plan for certain jobs creates too great a risk of windfalls that are not reflective of the effort required to drive the result. Or it may find that a plan contains a ‘cliff’ mechanism, whereby earnings increase dramatically upon reaching a key milestone – which, in the case of a sales plan, may increase the risk of mis-selling in order to get over this hurdle. But in other cases, it may be felt that such features are important and the risks can be managed through other means. This is where two other important elements come into play – incentive governance, and performance management.
Incentive governance
Incentive governance refers to the oversight and control processes in place to monitor and manage the incentive plan. We think of it as all of the things that need to happen throughout the lifecycle of an incentive plan – starting with the establishment of principles and objectives that should underpin the plan design, moving through the plan design process, goal setting, budgeting, and then administering and managing the plan throughout the year.
In the above examples, a company that decides the value of not having caps outweighs the risk of putting them in place could establish an incentive governance process that requires formal review and approval of all incentive earnings before they are paid. They could establish a process whereby any individual payments above £X value, or above X% of the target payout, are automatically reviewed. In the case of an extraordinarily large payout, this gives the company the opportunity to confirm the validity of the situation. And they may also include language in the incentive plan terms and conditions stipulating that although the intent of the plan is to operate in an uncapped fashion, payments above X level will be reviewed and must be approved by management before they are made.
Performance management
There is a fundamental law of incentives that all too many organisations are quick to overlook – namely, you can’t pay for everything you need someone to do. If you try to do so, you end up with an incentive plan that is overcomplicated and fails to drive the desired behaviour. Incentives can be a powerful motivator and driver of certain results and outcomes, but not all. And part of the way that incentive plan risk can and must be controlled is through the role that managers play – the types of goals and objectives they set, the way they provide feedback, and how they coach and direct the team’s performance (as well as when and how they provide recognition). Clear guidelines, criteria, and tools need to be developed to support managers in this regard. Individuals who are behaving in a way that merely maximises their earnings while creating inappropriate risk for the company or its customers need to be addressed promptly, first via feedback and coaching, and eventually, if required (and certainly in more egregious cases), through the threat of possible termination. Tolerating certain behaviour just because the incentive plan ‘pays’ for it must be viewed as inexcusable – and is a sure sign that there is not a healthy risk culture in the organisation.
The impact of risk culture on incentives
The retail industry provides a particularly good example of the link between risk culture and incentives. Many retail organisations are placing greater emphasis on customer service as a means of differentiating themselves in an increasingly commoditised world. In so doing, they also question whether using a highly variable commission plan for their store staff creates a potential conflict between how their employees are paid and the focus they want them to place on serving customers and creating a positive customer ‘experience’. Some retailers have felt very strongly that they need to place more emphasis on base salary, and have a relatively small incentive which is linked entirely to team (store) results, with particularly strong emphasis on customer satisfaction scores.
However, one leading retailer has taken a very different approach. It has traditionally paid a large portion of compensation in the form of an individual sales commission. Top sellers have been able to earn very handsome rewards – resulting in significant differentiation in earnings between lower and higher performers. At the same time, this organisation is also routinely seen as leading the industry in its customer orientation and responsiveness. It sets a standard to which many others aspire. And yet it pays its staff in a way that would seemingly create a high likelihood of misalignment of interests between employees and customers.
But somehow, it all works. Why? Because of the overriding impact of the organisation’s culture. The culture of customer service is so deeply embedded in this company that store staff would not even think of taking an action that would drive their commission if they felt it was not also helping to serve the customer and meet the customer’s needs. This means, at times, spending time with a customer to take back an item being returned, or to manage a very small value transaction, when instead the salesperson could potentially be selling a very high value designer bag. The culture is such that if someone was seen to be taking a ‘pushy’ approach to customers, failing to listen and serve, not only would their manager address this in the performance management process, but they would be ostracised and disrespected by their co-workers.
This is of course not to say that no one who has ever worked for this firm has ever ‘pushed’ a sale based on the commission that could be earned, while failing to serve the customer appropriately. But those who have a pattern of doing so are dealt with quickly and efficiently – and they either shape up or ship out very quickly.
Talent management and risk culture
While the role of reward programmes in shaping risk culture has taken on a very high profile, the impact of other aspects of talent management has perhaps been underplayed. In practice, though, there is much that can be done throughout the talent management ‘life cycle’ to help shape and promote a positive risk culture. From the first contact with potential recruits, through their induction, development, progression and even departure from the business, employees’ experiences will influence the risk culture of the business.
In building and maintaining a positive organisational risk culture it is worth paying attention to each of these aspects and the impact they have on shaping people’s understanding and attitudes.
Figure 3. Talent Management programmes help accelerate the transition to the desired risk culture… (diagram). Programme areas shown: Talent Acquisition/Sourcing; Performance Management; Compensation and Rewards; Career Management; Succession Management; Leadership and Capability Development; Workforce Planning. Practices shown: reliable external pipeline for volume roles, and internal progression for specialist/senior roles; assess candidates against risk competencies; performance definition includes risk-based competencies and outcomes; reward the right behaviours, not just the right results, with incentives aligned with risk appetite; risk competencies play a key role in career development programmes; mitigate human capital risk by ensuring an effective talent pipeline; leaders tasked with demonstrating, promoting and celebrating sound judgement, encouraging open dialogue and process improvement and adherence to risk policies; attract, retain, engage and reward talented employees who exercise sound judgement based on risk frameworks and business values.
Conclusions
Although the term ‘risk culture’ is used by people in a variety of ways, we consider the broad concept to be fundamental to an organisation’s ability to manage its risks and so to achieve its strategic objectives. This is best demonstrated by briefly considering the contrary – there are simply too many cases of organisations (and their stakeholders) suffering from the consequences of a poor risk culture.
Just as no two organisations are exactly alike, there is no single ideal risk culture. Rather, each organisation should develop its own understanding of the risk culture that works best in its own circumstances, for example, in relation to its long-term objectives, shorter-term plans and risk environment.
Much of an organisation’s risk culture lies ‘beneath the surface’, so important cultural characteristics may not be immediately apparent, but they can be identified, measured and understood using a range of qualitative and quantitative approaches.
This is particularly important for organisations in assessing their risk profile, as the risk assessments will be based on sets of experience data and assumptions, including assumptions on how people will behave in different scenarios, which will reflect underlying attitudes and beliefs.
Armed with a better understanding of the prevailing situation, leaders and managers have access to a range of levers that they can use to shape the culture (including risk culture) of their organisation to help them to improve their overall management of risk. These include things like training, communication, management information reporting and governance as well as the full spectrum of talent management and rewards approaches.
However, managing culture is not easy and attempts to shape culture are prone to unintended consequences. In particular, attempts to use incentive/reward systems as a silver bullet to control risk culture are ill-founded. While financial reward can play an important role in shaping risk culture, it is important to realise that a more holistic approach is needed to bring about a more robust and appropriate risk culture in most organisations.
Notes
This paper is a summary of a chapter on risk culture contributed by the authors in the recently published book ‘Enterprise Risk Management: A common framework for the entire organization’, published by Elsevier.
Contacts
For further information, please contact:
Ron Burke
Tel: +44 20 7170 3257
ron.burke@willistowerswatson.com
Oliver Davidson
Tel: +44 20 7170 3776
oliver.davidson@willistowerswatson.com
Patricia Mackenzie
Tel: +44 20 7170 3020
patricia.mackenzie@willistowerswatson.com
Mike Wilkinson
Tel: +44 20 7170 2000
mike.wilkinson@willistowerswatson.com