Effectively managing the human element of risk
August 2013 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
Executives are increasingly taking risk management more seriously. Firms are waking up to the fact that now, more than ever, risk management has a crucial role to play in the wider strategies of all businesses – not least those in the financial sector. To that end, many boards are beginning to put in place thorough risk related processes and oversight structures in order to detect and correct fraud, safety breaches and operational errors as early as possible.
The financial sector is no stranger to controversy and scandal. In the wake of the much discussed global financial crisis we have seen many firms redouble their efforts to shore up risk management programs. Indeed, the new emphasis placed on risk management has undoubtedly come about as a response to a troubling few years for the industry.
The financial crisis notwithstanding, we have seen the financial sector lurch seemingly from one calamity to another. In the US we have seen Bank of America, Citigroup, JP Morgan Chase, Wells Fargo and six other banks forced to pay out over $8.5bn to homeowners due to mortgage improprieties. JPMorgan also had to withstand over $6bn worth of trading losses thanks to the ‘London whale’ affair. Furthermore the scandal surrounding the rigging of the London Interbank Offered Rate (Libor) benchmark has seen banks such as Barclays fined $451m for their role in the proceedings. As a result of these scandals, and others of a similar ilk, the financial sector has come to a crossroads, facing increasing levels of scrutiny from both the public and regulatory bodies alike.
Of course, it would be foolhardy to think that scandals of this nature are exclusive to the financial sector. Many different industries have experienced negative attention as a result of a high profile failure of internal risk management strategies. In the UK alone, a number of recent incidents have highlighted the importance of a robust and effective risk management program, particularly one that targets the human element of risk. The MP’s expenses scandal of 2009, the phone hacking at the News of the World and the BBC’s Jimmy Savile sexual abuse scandal have all drawn a great deal of attention to the impact of the human element of risk and the negligent cultures which allowed these events to transpire.
Unquestionably, the public’s confidence and trust in the financial industry has been damaged enormously by some of the scandalous revelations of the recent past, and it is fair to say that a great deal of the damage caused by these scandals can be put down to people risk.
However, human risk can be viewed as a spectrum, with deliberate or fraudulent activity at one end and incompetence or ill informed activity at the other. Firms with ineffective risk cultures could easily find their operations severely hampered. As we have seen, when left unchecked, the human aspect of risk can often lead to complacency, and later, crisis. In order to combat the varying forms of human risk, sound frontline attitudes and behaviours should be any company’s first line of defence.
The purpose of a strong risk management strategy is to permit some appropriate levels of risk, not to remove risk from a business entirely. A company with an effective risk management strategy may take on a great deal of risk. Acquiring new businesses, entering new markets and investing in organic growth can all be seen as prudent risks. In addition, too little risk can actually be detrimental to a business. Companies must strike a fine balance when establishing an appropriate level of risk.
Clearly the establishment of an effective new risk culture or the remodelling of an outdated risk model will take time. Therefore, a great deal of patience will be required throughout an organisation, most notably in the boardroom. An effective risk culture is one that instils the right core values, belief, knowledge and understanding into employees. A successful risk culture also enables and rewards individuals and groups for taking the right risks in an informed and appropriate manner. Modifying processes such as training, compensation and financial compensation can all be effective methods for creating a culture that can deal with the human element of risk.
Additionally, it is virtually impossible to completely insulate a business from bad risk decisions taken by malicious or negligent individuals, in the same way that you cannot protect a business from unforeseen or black swan events. Indeed, despite the best efforts of companies to educate staff, each individual within an organisation will still have their own personal predisposition to risk. Nevertheless, it is possible for companies to establish the right kind of risk culture to try to protect their business and their employees from something that could put the organisation at risk further down the line. By employing psychometric testing, management can also determine where an individual can be placed within a company by establishing where that person’s perception of risk can be most effectively incorporated into the organisation.
However, it is virtually impossible for one individual to turn around an entire company’s risk culture. Consequently, establishing a risk culture requires the cooperation of a company’s entire board and upper management structures. The creation of the right risk culture also involves a distinctive and consistent tone set from the top. Although each individual case is different, and there is obviously no catch-all solution to the challenges presented by risk management, creating a successful risk management strategy requires a board and upper management to see themselves as intrinsic to the company’s new, emerging risk culture. To that end, if boards and senior management teams can establish a strong and well formed front on risk taking, as well as on avoidance, this will undoubtedly help to set the tone for other employees.
According to the Institute of Risk Management (IRM), the culture of an organisation is derived from the behaviour and attitudes of its employees. The IRM states that the behaviour of a group or organisation and its constituent members is shaped by their basic attitudes. Yet those behaviours and attitudes are also influenced by the prevailing culture of the group in its own right. Therefore, creating an organisation’s risk culture can be seen as cyclical. By disseminating a strong message on risk through middle management, with middle management acting as a conduit, upper management can help to foster among individuals a consistent and coherent attitude toward risk.
In early 2013 Barclays Bank announced that the group would be undergoing a strategic and cultural revolution aimed at providing “greater disclosure and transparency around...financial performance”. The bank, under new chief executive Anthony Jenkins, has made it publicly known that it intends to undergo a complete ethical u-turn in order to repair some of the reputational damage it has had to withstand. In January Mr Jenkins issued a memorandum to staff urging them to buy into the bank’s new ethical standards or leave the firm altogether. Mr Jenkins stated that staff bonuses and performance would be assessed against a new purpose and value blueprint. The memo noted that should members of staff not feel that they are capable of adhering to the bank’s new ethical stance then the message “is simple. Barclays is not the place for you. The rules have changed”. By publicly engaging staff within the bank and making it known that the group’s management is actively invested in creating a new atmosphere around the business, Barclays has set in motion the creation of a culture whereby the human element of risk can be managed successfully.
It is also crucial that companies regularly monitor their risk culture once established. Aside from building consensus among senior members of staff, enforcing that culture is just as important.
Cultures within businesses are dynamic and changeable by their very nature. Companies are often susceptible to both internal and external forces. These forces may include new leadership assuming control of an organisation or a new set of market pressures. Furthermore, individuals responsible for maintaining existing risk values may lose motivation or interest in the project. In order to safeguard against lapses or any shifts around the business, it would be prudent for companies to establish regular education sessions for staff across the spectrum of the company. It is important that board members themselves attend these education sessions and keep themselves abreast of risk matters as the tone of the company’s risk culture should be personally set by the board. Instituting random spot checking of employees is another way in which firms can manage the human element of risk.
By regularly conducting employee questionnaires, management structures can easily monitor attitudes toward risk while also keeping abreast of any operational incidents, customer complaints, and so on. These sorts of exercises, carried out on a regular basis, should form the backbone of a company’s risk review process.
Also, increasing levels of transparency within an organisation can help to manage the human element of risk. By communicating both positive and negative data up through the organisation, companies can ensure that individuals may act without the fear of blame or reprisal hanging over them. Companies that encourage discussion around risk often create a culture whereby individuals are not afraid to voice their concerns, in these instances, companies can often benefit. Staff and management alike can draw attention to risk and any other emerging issues long before they become crises. In turn, the relevant strata of the company can be mobilised to analyse and respond to any issues accordingly. Companies with the most effective human risk cultures keenly seek out information and insight into risk by making it the responsibility of all employees to highlight and vocalise issues in an appropriate forum.
Furthermore, companies that wish to create an effective culture that can handle the human element of risk should help to create an environment where whistleblowing, as well as risk event reporting, is actively encouraged. Businesses must learn from their mistakes and the mistakes of others in the industry.
Equally, a company’s organisational structure and reward system must encourage employees to actively engage in risk management. Boards must challenge themselves over the level and standard of reward and compensation they offer to employees in exchange for compliance with the company’s risk management culture.
In the post financial crisis world, risk awareness is crucial. Companies need to foster a strong risk culture designed to create and promote accountability among staff, without alienating them. This culture must start in the boardroom before filtering down to staff via management structures.
Although every individual comes to a company with their own predisposition to risk, management structures can employ psychometric testing to place individuals in roles and areas of the business where their personal perception of risk can be effectively incorporated. This testing must be reinforced by regular educational sessions and vigilant fact finding exercises. It is of the utmost importance that compliance is reinforced throughout all levels of the business.
© Financier Worldwide