Building a Risk Intelligent Company Culture

A company culture is a shared system of values and practices that become blended with other norms and beliefs that send influential strategic messages to employees and stakeholders about a company’s attitudes and behaviors, by defining what’s important. It (a company culture) will emerge as management teams, boards, and employees come to recognize the beneficial (economic, competitive advantage) outcomes that can accrue as they engage and solve problems through a ‘company culture’ platform. (Adapted by Michael D. Moberly from the work of Dr. Edgar Shein)

A well oriented and nurtured company culture is an effective tool for identifying and distinguishing the various types of intangible assets that exist in a company and the risks

A company’s (strategic) growth plans rely not just on the ability to scale up numbers, but on maintaining things like quality, responsiveness, and product-service quality. If growth occurs by acquisition or if non-core opportunities are to be spun off, then all intangible asset areas require special attention-consideration by management teams, boards, and employees.

A first, and very important step toward developing a ‘risk intelligent company culture’ is recognizing that risk is not solely an external phenomena, i.e., all risk emanates from outside the company.

A second, and equally important step in developing a risk intelligent company culture comes from recognizing that company value can be favorably affected by integrating – merging risk management and human resource management. The rationale for doing this lies in the fact that a significant percentage of (company) risk actually evolves from – is inherently embedded in employee behavior and actions, which includes the management team and board as well.

According to Deloitte’s, The People Side Of Risk Intelligence: Aligning Talent And Risk Management, risk touches virtually every aspect of employee (HR) management, and employees touch virtually every aspect of risk management. Is there no better reason to develop a risk intelligent company culture?

Effective risk management (and a risk intelligent company) Deloitte suggests, executes at the point at which there’s a convergence of the following:

1. Risk Governance – how a company treats risk and assumes responsibility for risk oversight and strategic decision making…

2. Risk Infrastructure Management – how a company assumes responsibility for and understands how to design, implement, oversee, and sustain a risk management program…

3. Risk Ownership – employees knowing what their risk responsibilities are, i.e., they assume (some) responsibility (ownership) for identifying, measuring, monitoring, and reporting risk…

In light of the economic fact that U.S. businesses lose an estimated 7% of their annual revenue to various forms of occupational fraud, a risk intelligent workforce (and, company culture) can be a very valuable (intangible) asset for a company, because one does not have to look far to see the adverse strategic consequences – affects on companies when they rely primarily on ‘unwritten rules’ for how things get done and how, or if, risk is managed.

In a risk intelligent company (culture), management teams and boards assume an obligation to understand what those ‘unwritten company rules’ are and how they’re being interpreted-executed by employees. A good starting point is (a.) to critically assess a company’s ‘unwritten rules’ by getting answers to the following questions, and (b.) recognizing the questions’ relevance insofar as how they may serve to influence and perpetuate a company environment of unmanaged risk taking:

1. What (employee) behaviors are actually being rewarded?

2. Are company (employee) incentives (properly, effectively) aligned with the company’s risk management priorities?

3. Do all employees, including the management team and board, understand the companies risk management priorities, objectives, and the strategic reasons-rationales behind them?

Ultimately, becoming more intelligent (and objective) about company risk is an important and necessary prelude to creating a risk intelligent company culture wherein management teams and boards assume a responsibility for elevating and cultivating a company-wide awareness of risk that fosters risk intelligent behaviors at all levels. It begins by:

1. Adopting a common definition of risk in accordance with national standards and best practices.

2. Clearly defining roles, responsibilities, and authority (for managing risk) with appropriate levels of transparency.

Lastly, it’s important to recognize, insofar as developing a ‘risk intelligent company culture’ that (a.) a change in (company) culture generally follows a (employee) behavior change, and (b.) culture and behavior changes are less a product of formal risk policies, controls, and pronouncements, than they are the result of effective incentives and rewards.