OR: Creating an Operational Risk-Sensitive Culture

RMA Journal, The, March, 2002 by Miles Everson

This installment of OR offers findings on four key attributes of a strong risk culture and environment: leadership and strategy, accountability and reinforcement, people and communication, and risk management and infrastructure.

It defies the imagination. Entire industries dissolve or transform before our eyes. Break-neck technological developments leave our attempts to harness them in the dust. Newspapers teem with reports of the latest victims of unmanaged risk and, less often, of organizations that leap past competitors with record results and quality management practices. Central to both failure and success is the role risk management plays in either undermining or enhancing corporate performance and reputation.

Today's business credo is that within greater uncertainty lies the promise of greater opportunity Change acceleration requires businesses to be flexible, adaptable, and fast learners. And effective operational risk management is a mainstay of how successful organizations, regardless of size or industry sector, anticipate and adapt to uncertainty. But behind every successful operational risk program is a thriving operational risk culture. Operational risk culture is the set of shared attitudes, values, goals, and practices that characterize how a company considers risk in its day-to-day operations.

An organization has a choice in how it determines its risk culture. It can either select or formulate its risk culture explicitly, or it can allow its risk culture to evolve implicitly over time. A company that takes the first choice needs to determine the nature of the four specific components of its operational risk framework--strategy process, infrastructure, and environment. (1)

* Strategy sets the overall tone and approach for risk management.

* Process describes the steps and decisions for managing risk.

* Infrastructure identifies the tools used during the management process.

* Environment refers to culture.

If the choice is to evolve, it is the practices, albeit likely disparate practices, within the enterprise that will establish its risk culture. This approach generally results in multiple risk cultures within an enterprise or even within a business unit or department. By default, those organizations that do not explicitly choose to shape their risk culture allow it to evolve organically over time.

Risk culture often is viewed as the soft side of risk management and taken for granted. However, in reality it strikes the proper balance between qualitative and quantitative analysis, considers the level of top-down, versus bottom-up, analysis, shapes the extent of independent oversight and reporting, and influences the degree to which risk management is embedded in core management practices.

Risk culture also encompasses an organization's appetite and tolerance for risk in its daily operating activities and decision-making processes. Risk appetite is the degree of desire or tendency to take on risk and ranges from risk averse to risk neutral, risk taker, and risk seeker. Operational risk tolerance is the enterprise's acceptable or desirable amount of uncertainty associated with operational activities relative to performance expectations. An organization with a strong risk culture is committed to the establishment and communication of standards, protocols, and measures to facilitate the identification, assessment, management, and monitoring of those risks underlying operating performance uncertainties.

Just as a strong risk culture manages emerging risks and opportunities in a rapidly changing environment, a weak risk culture increases the vulnerability of the organization to risk occurrences, "near misses," and forgone opportunities.

Risk culture is all about people, and the most successful organizations are those that can capture the hearts, minds, and energy of their employees to work toward a common goal. The "right" culture can then support the successful introduction of the "right" risk management framework that is linked to the achievement of organizational goals and value creation.

Acknowledging that risk culture is important, an organization needs to assess the current state of its own culture to learn whether everyone in all parts of the organization shares the same values. By closely examining risk culture and environment, the organization can identify gaps, and managers can then focus their energy and resources on addressing disconnects and creating an explicit and strong risk culture.

The Survey

Since culture and behavior are traits that do not lend themselves to precise measurement, how is it possible to gain a baseline evaluation of a risk culture? One of the most effective and efficient methods is to conduct a survey that, by capturing everyone's views on their risk culture and environment, holds a mirror up to the organization.

Typically, PricewaterhouseCoopers uses a survey of about 60 questions that can be accessed through a password-protected website. The site is available 24 hours a day for two to three weeks, during which time employees can access the site anonymously. The survey questions can use a standard five-point "agree/disagree" ranking system and give those surveyed the opportunity to provide feedback in a comments section for each question.