It was not my intention to write this article before – Resiliency – An Impossible Dream?
But events and circumstances conspired and I have now written this one to respond to a question that I have been asking myself for sometime now:
Why is it so difficult to implement sustainable risk management i.e.the management of risk is embedded in organizational culture?
I am not sure that I have the complete answer, but I think I am tracking in the right direction. And neither do I provide a “how-to” answer – more a “what-to-do”?
Success Speaks for Itself!
The consensus view (1) amongst the world’s largest banks was that during the relatively benign economic environment leading up to the 2007 global financial crisis, the risk/reward balance became skewed with many companies focusing upon growth for growth’s sake; risk management being viewed primarily as an analytical function rather than a critical component of decision-making.
In the opinion of many, greed (both organizational and individual) aided and abetted by inappropriate incentive/bonus schemes underpinned this growth for growth’s sake strategy. But, digging deeper into the underlying reasons for this focus takes you to organizational and individual beliefs – assumed (tacit) truths, the matrix of organizational and indeed societal culture.
With the “social mood” up until the time of the crisis being one of “hubris” fueled by success after success (record profits & bonuses), the belief that became embedded in the culture of these organizations, the tacit assumptions upon which their people based their decision-making, was:
We know what we are doing, we are managing risk well; our performance -our success speaks for itself!
Whether or not they were managing risk well is a mute point. But there can be little doubt that in their collective minds they believed that they were and the success they were achieving was, in their view, testament to their capability to manage risk. Again, in their collective minds, they were of the view that if they were not adequately managing risk, they would not be successful. And anyone daring to question the adequacy of their risk decision-making, or more accurately lack of it, was viewed with distain and given the message:
Clearly you don’t understand that we know what we are doing; our record of success, our revenue streams and profits are testament to the correctness of the way we do things.
The essence of culture is jointly learned values and beliefs that work so well that they become both taken for granted and non-negotiable; they are considered to be valid and taught to new members as the way to think and feel. They become tacit assumptions that are shared as the organization continues to be successful. It is these learned, shared, tacit assumptions that people base their view of reality; hence “the way we do things around here.”
This is what makes culture so stable and difficult to change because it is the accumulated learning of a group – the ways of thinking, feeling and perceiving that have made the group successful.
The important parts of culture are essentially invisible.
This is why culture is entraping – the past success of “the way we do things around here” counter balances and often overwhelms organizational change and adaptation initiatives. For the banks prior to the financial crisis, their culture – their way of doing things worked, until the environment changed and what previously worked, no longer worked.
But, and this is important, the banks were managing risk prior to the 2007 financial crisis. Maybe, with the benefit of hindsight, not in the way that regulators and stakeholders might have wanted them to, but they were managing risk sufficiently well for them to achieve success and it was this success that embedded, what was for the time, an adequate level of risk management into their culture.
Then the times changed!
Success Can Blind!
In their pursuit of performance using the successful formulas of the past, banks failed to spot to the changes taking place in their environment; they were not aware of the risks emerging as the environment changed around them. They continued their pursuit of performance, blissfully unware of their exposure. Success embedded “their way” into the tacit assumptions of their culture, effectively blinding them to the realities of the future.
It’s not what we know and have already embedded in our culture that is the problem; more often than not we manage what we know well – what we have embedded in the tacit. It’s what we don’t know about that is “waiting to bite us” that is the problem. And if we do not embed awareness of emerging risk into our organizational culture, then the tacit assumptions implicit in and hidden in our organizational cultures will blind us to the changes that have and are taking place around us.
We become exposed to risk and we don’t know it!
We Manage Risk!
Almost without exception, executives and managers will tell you that they manage risk. If you press them further and ask them how they will tell you about the compliance and control frameworks, and the policies and procedures they use to manage risk. In their minds they manage risk effectively. Implicitly and sometimes explicitly they tell you:
…we know what we doing, we have done it before and nothing went wrong, so it must be alright.
This tacit assumption – the belief so often expounded, “we know what we are doing, we have done it before” is the achilles heel, if not balanced by awareness (mindfulness) of the changes taking place in the surrounding environment and the emerging risks inherent in these changes.
Upon reflection (1) the banking community concluded that in their pursuit of performance, they had neglected to mindfully consider the risks implicit in the ever changing environment in which they were operating
A couple of excerpts from a Ernst & Young’s 2008 report (1) make interesting reading:
As the economic crisis batters the banking community, it is casting a harsh light on the weaknesses inherent in both institutional and industry-wide approaches to risk management. Siloed infrastructures, outmoded systems, disjointed, reactive reporting, inadequate predictive tools and a dearth of interpretive, insightful risk analysis all emerged as glaring deficiencies – and, in some cases, catastrophic liabilities.
The changes required to institutionalize a strong risk culture are fundamental and far-reaching: risk must become “everyone’s business” throughout the organization – starting from the front line through to functions. Responsiblity and accountability for risk are intertwined as never before – all stakeholders, from board members to business unit heads and their teams, must be more actively committed to identifying and mitigating risk.
And in 2009 PriceWaterHouseCoopers (2) made the following observations:
Siloed approaches to risk management often fail to produce meaningful impact on a company’s overall performance.
Boards and management are under pressure to reform how risk is assessed and to measure its effect on company performance.
Linking risk and performance gives companies the confidence to take smart risks.
Non-financial information is crucial to managing both risk and performance.
” To institutionalize a strong risk culture… : risk must become everyone’s business… : responsibility and accountability for risk are intertwined as never before…”
“Make risk management a cultural imperative by embedding risk awareness and identification within all levels of their organizations…”
And this challenge is not just the challenge confronting the world’s largest banks, it is a challenge that confronts every organization, all levels of government, multinationals, public and private companies and not-for-profits.
Change is Non-Negotiable!
In times when the prevailing social mood is one of “fear“, when resources are static or diminishing and stakeholders demands and expectations are increasing, invariably the espoused tag lines are: “work harder“, “work smarter“, “reduce costs“, “be more efficient“, “innovate“.
And almost without exception, the management strategy employed to effect such change is to “apply pressure“, often indirectly through cost reduction, efficiency initiatives, restructuring and redundancy, etc. Few executives or managers appear to understand the impacts of management pressure on enterprise – organizational performance (achievement of objectives).
Indeed, for the most part executives and management appear to be blissfully unaware of the potential consequences of their actions, under the illusion that they are In Command and In Control, for that is what they believe is expected of them! They wonder (are even amazed) at the resistance to change that they encounter, attributing this resistance to the individual dispositions of people (sometimes correctly so), but rarely do they comprehend that this resistance to change stems largely from the tacit assumptions that underpin the organization’s culture; the shared values, learnings and experiences that have been embedded in the tacit (the organization’s culture) by the successes that have been achieved in the past with these shared values, learnings and experiences.
Little wonder that 70% of change initiatives fail including mergers! This should not be a surprise, yet for many it is because they greatly underestimate the influence and power of corporate culture.
Boards of Directors, Senior Executives, Managers and Supervisors need to appreciate that…
things are not what they seem…there is more going on than meets the eye!
The Way Forward.
How should organizations, their executives and managers think about the challenge?
To make risk management a cultural imperative by embedding risk awareness and identification within all levels of their organizations.
Most organizations attempt to meet the challenge to implement risk management using some or all of the following:
- Promulgating a risk policy and the adoption of a management system standard (e.g. AS/NZS ISO 31000:2009, AS/NZS 5050:2010, etc.)
- Delegation of responsibility for risk to a dedicated (risk) manager;
- Risk assessment workshops, creation of risk registers and dashboards;
- Implementation of processes, procedures and systems (controls) for risk the management of risk;
- Training managers on risk management system standards – risk awareness training.
The above do not address the critical cultural issues, which requires an adaptive rather than a technical approach.
And remember, the important parts of culture are invisible and not easily accessed.
Indeed, how do you teach and support with management process and system:
Conscious mindfulness, awareness and recognition of “known unknowns” and “unknown unknowns” – emerging risks, by front-line people, strategists, the C-Suite, when the situations, the circumstances and/or the cascade of events that will manifest their presence are unknown – “their wildness lies in wait“?
At the risk of seeming to be fractious in the eyes of some:
Not by just training people in the use of a mangement system standard, no matter how appropriate and logically correct (in a management context) that standard is!
Once emerging risk is recognized, management process and system can be invoked but prior to its recognition, it is about inductive and/or deductive cognition.
It’s not just about system, it’s also about culture and culture is not so much changed as its strengths are leveraged in novel ways to create new shared and successful learnings that are over time embedded in the unconscious tacit because they are successful. Then and only then does a “cultural imperative” become embedded.
The Road Map.
A carefully designed, integrated, planned and implemented “Change Management” program is required to embed a cultural imperative, one that both recognizes and utilizes the latent power and authority of an organization’s culture. It should start with identification of the organization’s tacit assumptions in respect of risk and be developed and implemented in a way that leverages the strengths of the culture – its past successes.
There is no one “Road Map“, there are many each reflecting the culture of the organization for which it has been developed.
The challenge is not technical – it’s not simply a matter of creating a policy or adopting a management system standard, rather it is an adaptive challenge, one that requires a change in mindset both collectively and individually. Failing to understand this, that its an adaptive and not a technical challenge, whilst not necessarily dooming a change initiative, does increase the likelihood of it being amongst the 70% that fail.
1/ Ernst & Young (2008), Navigating the crisis – A survey of the world’s largest banks.
2/ PriceWaterHouseCoopers (May 2009), 10 Minutes
Download PDF Copy
Copyright (C) 2011 – Bircham-Global Trust – All Rights Reserved.