Traits of strong risk cultures

The most effective risk managers we have observed act quickly to move risk issues up the chain of command as they emerge, breaking through rigid governance mechanisms to get the right experts involved whether or not, for example, they sit on a formal risk-management committee. They can respond to risk adroitly because they have fostered a culture that acknowledges risks for what they are, for better or for worse; they have encouraged transparency, making early signs of unexpected events more visible; and they have reinforced respect for internal controls, both in designing them and in adhering to them.

Acknowledging risk

It takes a certain confidence among managers to acknowledge risks. Doing so—especially to the point of discussing them internally, as well as with shareholders or even regulators—requires that managers rely on their own policies and procedures to work through issues that could lead to crisis, embarrassment, or loss.

The cultural differences between companies that acknowledge risk and those that do not are quite stark. Consider, for example, two global financial institutions that take similar risks and share a similar appetite for risk. The first has built a culture, at all levels of the organization, that prizes staying ahead of the trend. This might mean convening a group of executive peers to discuss issues faced by the entire industry or responding to regulatory trends early—for example, on capital and liquidity requirements or compensation practices. The stance it takes is, “If we see it, identify it, and size it, then even if it’s horrible, we’ll be able to manage it.” Where risks cannot be sized, they are at least discussed in qualitative terms. The institution’s candor and its plans to rectify cultural issues in response to a number of risk incidents has won it the respect of regulators and built credibility with investors.

The second institution, in contrast, has a reactive and back-footed culture—one focused more on staying out of trouble, ensuring regulatory compliance, and making sure all the boxes are ticked. Its managers are generally content to move with the pack on risk issues, preferring to wait for regulatory criticism or reprimand before upgrading subpar practices. They are afraid of knowing what they don’t know, and they fear the reaction of the board, regulators, and investors. Many would rather ignore undesirable behaviors because they don’t know how to manage them and because managing them would demand time and might affect their cost base. This organization’s stance is, “Let’s wait until we really need to deal with these unpleasant things, because they’re anomalies that may turn out to be nothing at all.”

A separate institution had such a mind-set during the mortgage crisis. Managers did not trust their own models, which accurately predicted the severity of the issues to come. They knew that if the models were correct, they would be in more trouble than they knew how to handle, and so they found it easier to assume that the models were wrong—or to hope that the risk would crest and fall before the model’s estimates came true. Whether from fear or hubris, managers convinced themselves that they were safer than they really were. Even as the crisis developed, they were confident that they would not experience the mishaps befalling similar companies. In the end, the company’s refusal to acknowledge and address risk left it far more vulnerable than managers expected, and it was hit particularly hard.

Encouraging transparency

Managers who are confident that their organizational policies and controls can handle—and even benefit from—openness about risk are more likely to share the kinds of information that signal risk events and allow the institution to resolve emerging issues long before they become crises. This means they spot a risk issue developing and mobilize the organization to analyze and remedy it—at the board level if needed, and often within a few working days. In one situation, a division of an energy-services company was operating a contract in an emerging country in which it had not previously worked. There, the division discovered employment practices among subcontractors that ran counter to its own policies and practices. The operating leadership swiftly escalated the issue to the company’s global management board to decide whether specific contractors were acceptable. It was able to reallocate project tasks among contractors, manage timeline slippage and the budget, and consequently reduce the company’s employment-practices risk and safeguard project returns.

Companies with a culture that discourages such discussions—as well as those in which overconfidence leads to denial—are prone to ignoring or failing to recognize risks. In some cases, employees fear telling the boss bad news because they worry about the financial downside of slowing commercial progress, they know the boss doesn’t want to hear it, or they fear being blamed. As a result, they alert managers to risks only when further delay is impossible.

In other cases, companies promote practices that unintentionally reduce transparency regarding risk. For example, at one global pharmaceutical company, the culture thrives on competitive teams. Competitiveness is so strong that product-development teams use subtly different risk classifications so that their respective projects can’t be directly compared. To the teams, it can feel like good management to deal with issues close to home rather than raise them to higher levels—especially since revealing their true risks might place them at a disadvantage in the next planning round. For the company, though, this practice has obscured risks that were identified by one unit but went unnoticed by others, which continued to make errors that had been resolved elsewhere.

The best cultures actively seek information about and insight into risk by making it everyone’s responsibility to flag potential issues. For example, managers at one global oil-exploration company explicitly begin every meeting and interaction with a discussion about safety. Participants know they must be able to make an observation or raise a concern if called on randomly, which keeps them on the lookout for safety issues at all times. Most of the issues they raise are minor and easily addressed. But bigger questions often lead to longer conversations and inquiries from leadership, which clarify the problem and identify by name those responsible for resolving the issue.

Ensuring respect for risk

Most executives understand the need for controls that alert them to trends and behaviors they should monitor, the better to mobilize in response to an evolving risk situation. And while managers are unlikely to approve of skirting the very guidelines and controls they have put in place, some unintentionally promote situations and behaviors that undermine them. For example, while too few controls can obviously leave companies in the dark as a situation builds, too many can be even more problematic. Managers in such cases mistake more controls for tighter management of risk, though they may be inadvertently encouraging undesired behaviors. In one large hospital system, managers had implemented so many guidelines and controls for ward procedures that the staff saw them as impractical. As a result, they routinely circumvented them, and the culture became increasingly dismissive of all guidelines—not just the less practical ones—to the detriment of patients.

Even companies with the right number of controls in place encounter difficulty if managers do not monitor related trends and behaviors. Companies often unconsciously celebrate a “beat the system” mind-set, rewarding people who create new businesses, launch projects, or obtain approvals for things others cannot—even if it means working around control functions in order to get credit lines or capital allocations, for example.

In the best of cases, respect for rules can be a powerful source of competitive advantage. A global investment company had a comprehensive due-diligence process and sign-off requirements for investments. Once these requirements were fulfilled, however, the board was prepared to make large, early investments in asset classes or companies with the collective support of the senior-executive team, which was ultimately accountable for performance. Company-wide confidence in proceeding resulted from an exhaustive risk debate that reduced fear of failure and encouraged greater boldness relative to competitors. Confidence also stemmed from an appropriately gauged set of risk controls and an understanding that if these controls were followed, failure would not be regarded as a matter of poor decision making.