by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Corporate Treasurers
This article describes what should be understood by ‘risk culture’ and what this involves. Inculcating such a culture into a company is often a challenge. However, it is a challenge that is crucial for successful risk management (Enterprise Risk Management – ERM). Surprisingly, people manage risk and set up an ERM system without having either a risk culture or a precise definition of their risk appetite or risk tolerance. The financial crisis, and the fragile state of the economy, only emphasise the need to embed this culture throughout the whole company.
Background
No one can deny that there has been real progress over the last decade in the development of risk management tools, techniques and systems in multinational corporations. According to generally accepted practice, boards of directors and audit committees must relate all risks that face the company to its strategic objectives and align them. It is this alignment that often gives rise to problems. In general, risks are managed as a whole without aligning them with the strategic approach to risk. Everybody is in agreement on the need for a comprehensive, integrated, systematic, specialised and professional approach to corporate risk management (Enterprise Risk Management – ERM). To quote the UK Financial Reporting Council in 2011:
“The issues with which companies were grappling included understanding their exposure to risk and how this might change, identifying the information and assurance that the Board needed to carry out its role, embedding the right risk culture throughout the company and the increased velocity of risk, which had highlighted the importance of effective crisis management”.
Furthermore, if we refer to the international ISO 31000 standard on risk management, it repeatedly stresses the need to embed risk management in corporate culture and that the corporate culture needs to be well understood by everyone. Even the famous COSO II framework (COSO framework – www.coso.org) accepts the importance of the tone and culture of the organisation and how risks are perceived and tackled by employees, within an embedded approach internal to each company. This is one of the key foundations of the COSO II framework.
Risk culture
What are we to understand by these somewhat contradictory terms? Who would dare advise cultivating risks? Surely you did the opposite last Saturday when you yet again gave advice to your son? “Don’t cultivate risks,” you tell him. In other words, “Don’t do anything silly, my boy!” Surely that is what you would advise him?
Is it not paradoxical to claim that to manage risks properly, you need a true risk culture? No. In fact, risk culture consists of breaking this taboo. Let us dare talk about risks. It is nothing to be ashamed of. Quite the opposite: not taking any risks would be folly. In fact, by definition a company has to take some risks, to some extent, to create value and make a profit, the cornerstone of the capitalist system and the very reason for the existence of all commercial profit-orientated companies.
A culture is something that has to be shared. You acquire it and you become a member of it. This culture applies equally to the public sector, government bodies, and the private sector. When all is said and done it is a state of mind, a behaviour that its employees repeat, that they adopt in their underlying attitudes to their respective jobs. Risk culture, or to be more accurate risks culture, is about the values, beliefs, knowledge and fears of risks shared by a group of people or a company with one single goal or specific shared objectives. From this culture, employees will adopt a behaviour when faced with a risk and take decisions based on this predefined shared approach. In the face of risks everyone’s attitude will be based on this common shared stance on risks in general which is inculcated into them, and transmitted and communicated to everybody. It has to be disseminated, propagated and sometimes ingrained in each employee. Each company has its own risk culture (sometimes without knowing it or claiming to have one). A culture applied as a reflex is not ideal but nevertheless helps further the set objective and the company’s purposes. Each company must therefore have its own culture, which will not be set in stone, so it needs to cultivate it itself.
So why is this so important?
The risk culture prevailing within a company can make all the difference. It affects the capacity to take strategic decisions and thereby deliver the promised performance that the shareholders expect. A company with an unsuitable or inappropriate risk culture will inevitably agree to take risks or to become involved in operations well outside the boundaries of its normal business, making it vulnerable. Such a culture cannot be applied only partially. It has to be applied overall. When all is said and done, it could lead to financial loss or a risk to reputation. There is no shortage of examples of similar disasters, unfortunately, to remind us of the lack of culture within well-known corporations and banks. Banking scandals most recently, and scandals within major corporations, give us a glimpse of the failings or absence of a properly defined culture known to all. This is why you need to make sure everybody knows about the culture adopted and that it is communicated clearly to all stakeholders.
This culture, sometimes weaker and sometimes stronger (and stronger does not mean more aggressive in terms of risk-taking), explains the success of some businesses compared to others. The missing link in adopting the right risk culture lies in the subtle and tricky art of striking the perfect balance between risk and reward, or where to put the cursor between risk and return on investment. The popular saying “no risk, no fun” might seem infantile. Against that, “enterprise is about taking risks” is accurate and real, even though you decide on the level of risk-taking and even though this risk-taking may be codified by means of a predefined culture and specific written policies communicated to all.
Is taking decisions the same thing as taking risks? That is the lot of every manager. It is necessary, but within defined bounds. Such a culture, however, cannot be imposed; it has to be built up over many years. The difficulty lies in applying this culture coherently, consistently and embedding this approach into day-to-day management. In a way this is the art of living for companies which need to be skilful in juggling risks following precise rules. The most difficult task might be to define this culture, from which we could work out the risk appetite or partiality, and the risk tolerance. These three foundations make up the backbone of enterprise risk management, and form the true cornerstone of an ERM strategy. Once laid down, there remains the matter of having them adopted and approved by the board. Looking a bit like a radio channel logo in rue Bayard in Paris, with its famous sculpture of Victor Vasarely, the leader of the op-art movement, we could sum up the framework as follows:
Culture cannot be adopted, it has to be built
A risk culture cannot be adopted; it has to be built up gradually and patiently. Culture is more than just rules; it develops and creates itself, sometimes by word-of-mouth, and spreads by itself. Companies first have to establish it and define it before transmitting it and adopting it throughout all their business activities. They must understand their risk culture, however minimalist it may be, and lay down the risk culture that they wish to adopt. This then becomes a change management project in itself. It requires appropriate support from top management and also its commitment, particularly in setting an example and applying the famous ‘tone from the top’ principle. How can you make employees apply something that you do not apply to yourself?
To change this culture, management must pull certain levers (particularly in the HR department) to obtain results. Unfortunately, in spite of all the best advice in the world, there is no book of magic potions that will ensure this plan succeeds. The major difficulty of a plan to establish a shared risk culture lies in measuring risk culture. This is a real challenge for the chief risk officer (CRO). And as the management guru Peter Drucker noted: “What cannot be measured, cannot be managed”. By contrast, risk tolerance and appetite can often be measured and quantified.
Risk and culture: strange bedfellows
As strange as this association of words may seem, ‘risk’ and ‘culture’ must be thought of together and used as the starting point for installing a real risk management system – an ERM. These two words fit together perfectly. Together they form the basis and the very foundation of a risk management structure. Putting this culture down on paper does not necessarily need to be a long job and consist of scores of pages. What is needed is a few basic principles to lay down a framework. Risk appetite and tolerance have to be the two other foundations of an ERM policy. The risk policy structure chart will be built up from these three foundations.
Many companies put in systems for providing reports on risk and set up structures for monitoring internal controls. The best organised have top-down and bottom-up approaches, with risk monitoring and techniques for mitigating risks. Unfortunately, many of them have no defined and pre-set basic principles. Investors, rating agencies and all other stakeholders have an interest in this risk culture. However, many of them would be hard put to come up with any document on any of the three foundations underlying risk management. Let’s not put the cart before the horse, and let’s start by defining the basics before laying down a risk management strategy. This is perhaps one of the CRO’s most important tasks on taking up his job, but is far from being one of the most difficult.