“Many of the costliest risk and integrity failures have cultural weaknesses at their core. Here is how leading institutions are strengthening their culture and sustaining the change.”
Risk and integrity culture refers to the mindsets and behavioral norms that determine how an organization identifies and manages risk. In this challenging and highly uncertain moment, risk culture is more important than ever. Companies cannot rely on reflexive muscles for predicting and controlling risks. A good risk culture allows an organization to move with speed without breaking things. It is an organization’s best cross-cutting.
Beyond today’s travails, strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those organizations that have developed a mature risk and integrity culture outperform peers through economic cycles and in the face of challenging external shocks.
At the same time, companies with strong risk cultures are less likely to suffer from self-inflicted wounds, in the form of operational mistakes or reputational difficulties, and have more engaged and satisfied customers and employees. This article explores the steps involved in setting up an effective risk-culture program when to launch such a program, and the factors we have found to be critical for long-term success.
Understanding and Measuring Risk Culture
The starting point for most organizations looking to improve their risk culture is to diagnose the current state. Organizations that have built strong risk and integrity cultures seek to understand (and then address) three mutually reinforcing drivers: risk mindsets, risk practices, and contributing behavior. Risk mindsets can be understood as the set of assumptions about the risk that individuals hold within the organization; Risk practices are the daily actions that determine the effectiveness of risk management; Contributing behavior comprises the collective actions that build risk attitudes. Ideally, these actions will be systematic and deliberately intended to strengthen individuals’ risk attitudes, with desired risk behavior built into everyday functioning.
Companies that seek to understand risk culture can best begin by establishing concrete, detailed definitions. They should clearly spell out the specific elements of risk culture to set aspirations and measure progress. For example, we define ten dimensions of risk culture, based on a wide range of experiences with companies across all major industries, and incorporating the close study of a range of real-world risk-culture failings.
Once risk and integrity culture is defined, measurement can begin. Leading companies assess themselves systematically, looking at mindsets, practices, and behavior.
“Companies with strong risk cultures have more engaged and satisfied customers and employees.”
This assessment is often based on interviews among units and functions, then followed by a more comprehensive organization-wide survey. The survey will typically include 20 to 30 questions that measure performance against the elements of risk culture (covering mindsets, practices, and behavior) and will set the organization-wide baseline. The team can complement results with qualitative insights gleaned from follow-up interviews to provide further detail on the particular strengths or weaknesses revealed, and help uncover their root causes.
“Leading companies take proactive steps to maintain strong risk cultures in normal times, in times of stress, and when they are undergoing transformations.”
Instead of using a dedicated risk and integrity survey, many organizations falter by relying on a combination of employee-engagement surveys, focus groups, and analyses of incidents and near-misses to measure their risk culture. Each of these tools can bring useful results when used with sufficient rigor. However, typical employee-engagement surveys contain only a few relevant questions and therefore do not usually uncover enough insight to create an effective measure.
These approaches, furthermore, do not provide a view over time or ready comparisons between organizational units. We believe that a dedicated survey is an indispensable tool for obtaining a broad measure of a company’s risk culture. It is the only way to set a true initial baseline. A comprehensive survey creates hard data, comparable across divisions, geographies, and roles; with repeated use, it traces trends through time. The results allow fact-based conversations about risk culture, fostering engagement while deepening executive-level understanding.
The effort to address risk-culture gaps usually involves a balance of short- and long-term interventions. Targeted short-term interventions allow organizations to respond flexibly to changing needs while longer-term programs constantly reinforce core elements of desired risk culture. Long-term interventions are often formal programs like speak-up hotlines or training and compensation standards (based on risk criteria) that continually reinforce desired behaviors.
In an effective example of a long-term intervention, one bank developed a program that both encouraged employees to speak up on risk issues and increased the level of responsive actions. The program includes an externally managed channel for employees to register concerns, with the option of confidential help from internal speak-up champions on navigating the process. The board receives regular reports on both internal and external complaints, with resolution rates and common themes and trends. The following short-term initiatives are just a few examples of how organizations have addressed gaps in risk culture:
Launching a Risk-Culture Program
Risk-culture programs can have multiple triggers. Leading companies take proactive steps to maintain strong risk cultures in normal times, in times of stress (such as under the COVID-19 crisis), and when they are undergoing transformations.
Proactively Shaping Risk Culture
Building and sustaining strong risk culture requires proactive attention. In normal times, this means addressing risk culture before issues arise. Under the stress of the COVID-19 pandemic, which has disrupted the traditional mechanisms that reinforce an organization’s risk culture, this includes understanding how risk culture is evolving and then taking action to protect or improve it. Because of the pandemic, people are working together differently, often from home. In addition, many individuals and organizations are under added stress (including financial stress), increasing the risk of nearsighted decision-making and cultural problems.
Once a crisis with roots in risk culture hits, existing leadership, including boards, will find it difficult to lead change as they themselves become increasingly associated with the cultural problems. The problems tend to be seen as leadership failings in the eyes of the public, investors, and regulators.
Maintaining Risk Culture Under Company Transformation
Many organizations are transforming their operations, particularly to become more digital and more efficient. The COVID-19 crisis has served to accelerate many planned change programs. Large transformations can themselves raise risk levels, as risk-management practices are disrupted, core processes are redesigned, and teams and organizational structures shift. “Change fatigue,” a species of anxiety that comes with a transformation, can contribute its own share of risk. But transformations also afford organizations the opportunity to reset their model to their desired risk-management culture.
They must include programs to promote desired behaviors, in transparent, organization-wide efforts, as opposed to siloed, business-as-usual approaches. For example, one global manufacturing company undertook a major transformation in response to a series of product- and regulatory-compliance incidents. Front and center were issues of culture, integrity, and compliance, which became the core focus of the groupwide transformation.
Whatever the original motivation for a risk-culture program, a one- or two-year plan covering a range of intervention types can begin with a small set of priority initiatives targeting key weaknesses. In addition to achieving progress in important areas, these initiatives will create visibility and momentum for the entire plan. An example campaign would be one to encourage employees to speak up where they see risk concerns. The initiative might include a confidential speak-up line, communications from the top to set the tone on the importance of speaking up, and, for a dedicated period, an explicit focus on speaking up in team meetings. Results would be conveyed to the board, in a report covering internal and external complaints, whistleblower activity, overarching themes, and resolutions. This would serve as a first step and a gesture of commitment to the larger effort of changing risk culture.
Setting Yourself Up for Risk-Culture Success
Careful risk-culture definition, measurement, and initiative work plans are not enough. Successful risk-culture programs share five essential characteristics that leaders should put in place as part of their focus on risk culture:
Strengthening Institutional Resilience Has Never Been More Important.
2020 was a wake-up call. To thrive in the coming decade, companies must develop resilience—the ability to withstand unpredictable threats or change and then to emerge stronger. This perspective piece introduces our approach to resilience. “Develop resilience” is easy to say but hard to define, and yet harder to do. In this article, we reiterate the imperative, define the components of resilience, and introduce the approaches companies can take to become more resilient. In the coming months, we will publish a series of more detailed articles on the topic, focused on the actions that institutions of different types can take to measure and improve their resilience.
The Resilience Imperative.
The world is undergoing increasingly rapid, unpredictable, and unprecedented change. But across industries, most companies have remained persistently focused on near- and medium-term earnings, typically assuming ongoing smooth business conditions. The COVID-19 pandemic heralds the need for a new approach. Catastrophic events will grow more frequently but less predictable. They will unfold faster but in more varied ways. The digital and technology revolution, climate change, and geopolitical uncertainty will all play major roles.