Managing the people side of risk

Here is an excerpt from another classic article, published in the McKinsey Quarterly and written by Alexis Krivkovich and Cindy Levy. To read the complete article, check out others, learn more about the firm, and sign up for email alerts, please click here.

* * *

Most executives take managing risk quite seriously, the better to avoid the kinds of crises that can destroy value, ruin reputations, and even bring a company down. Especially in the wake of the global financial crisis, many have strived to put in place more thorough risk-related processes and oversight structures in order to detect and correct fraud, safety breaches, operational errors, and overleveraging long before they become full-blown disasters.

Yet processes and oversight structures, albeit essential, are only part of the story. Some organizations have found that crises can continue to emerge when they neglect to manage the frontline attitudes and behaviors that are their first line of defense against risk. This so-called risk culture is the milieu within which the human decisions that govern the day-to-day activities of every organization are made; even decisions that are small and seemingly innocuous can be critical. Having a strong risk culture does not necessarily mean taking less risk. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. Those with an ineffective risk culture might be taking too little.

Of course, it is unlikely that any program will completely safeguard a company against unforeseen events or bad actors. But we believe it is possible to create a culture that makes it harder for an outlier, be it an event or an offender, to put the company at risk. In our risk-culture-profiling work with 30 global companies, supported by 20 detailed case studies, we have found that the most effective managers of risk exhibit certain traits—which enable them to respond quickly, whether by avoiding risks or taking advantage of them. We have also observed companies that take concrete steps to begin building an effective risk culture—often starting with data they already have.

Acknowledging risk

It takes a certain confidence among managers to acknowledge risks. Doing so—especially to the point of discussing them internally, as well as with shareholders or even regulators—requires that managers rely on their own policies and procedures to work through issues that could lead to crisis, embarrassment, or loss.

The cultural differences between companies that acknowledge risk and those that do not are quite stark. Consider, for example, two global financial institutions that take similar risks and share a similar appetite for risk. The first has built a culture, at all levels of the organization, that prizes staying ahead of the trend. This might mean convening a group of executive peers to discuss issues faced by the entire industry or responding to regulatory trends early—for example, on capital and liquidity requirements or compensation practices. The stance it takes is, “If we see it, identify it, and size it, then even if it’s horrible, we’ll be able to manage it.” Where risks cannot be sized, they are at least discussed in qualitative terms. The institution’s candor and its plans to rectify cultural issues in response to a number of risk incidents have won it the respect of regulators and built credibility with investors.

The second institution, in contrast, has a reactive and back-footed culture—one focused more on staying out of trouble, ensuring regulatory compliance, and making sure all the boxes are ticked. Its managers are generally content to move with the pack on risk issues, preferring to wait for regulatory criticism or reprimand before upgrading subpar practices. They are afraid of knowing what they don’t know, and they fear the reaction of the board, regulators, and investors. Many would rather ignore undesirable behaviors because they don’t know how to manage them and because managing them would demand time and might affect their cost base. This organization’s stance is, “Let’s wait until we really need to deal with these unpleasant things, because they’re anomalies that may turn out to be nothing at all.”

A separate institution had such a mind-set during the mortgage crisis. Managers did not trust their own models, which accurately predicted the severity of the issues to come. They knew that if the models were correct, they would be in more trouble than they knew how to handle, and so they found it easier to assume that the models were wrong—or to hope that the risk would crest and fall before the model’s estimates came true. Whether from fear or hubris, managers convinced themselves that they were safer than they really were. Even as the crisis developed, they were confident that they would not experience the mishaps befalling similar companies. In the end, the company’s refusal to acknowledge and address risk left it far more vulnerable than managers expected, and it was hit particularly hard.

* * *

Obviously, a shortage of risk consciousness will lead to trouble. But it is all too easy to assume that a thorough set of risk-related processes and oversight structures is sufficient to avert a crisis. Companies cannot assume that a healthy risk culture will be a natural result. Rather, leadership teams must tackle risk culture just as thoroughly as any business problem, demanding evidence about the underlying attitudes that pervade day-to-day risk decisions.

* * *

Here is a direct link to the complete article.

Alexis Krivkovich is a partner in McKinsey’s San Francisco office, and Cindy Levy is a partner in the London office.