The IRM are endeavouring to produce white papers on some of the less tangible elements of a risk practitioner's day job, which one would hope contribute to more consistency in practitioner approaches and ultimately more credence in the concept of risk professionalism (indeed, their work around defending pure risk professionalism as a career, as opposed to loading risk functions with cross-over actuaries, was very much required in early 2011).
Having scrutinised their work on Risk Appetite in 2011 (lined up against some of the competing influencing bodies here), I figured it was only fair to take a punt at their new release on Risk Culture. It's fair to say that for politicians, regulators and fingers-caught-in-the-till employees, 'culture' or 'risk culture' appears to be a handy soundbite when explaining why they didn't fulfil their obligations to their stakeholders. The IRM are joined by Protiviti in producing this guidance, Protiviti themselves having delivered a survey based on UK insurers on this very topic in the summer, which was not shy about highlighting how little some organisations think of their Risk functions.
I've always felt that the 'culture' comfort blanket was one weasel word too many, i.e. "there was a culture of greed" = "they were greedy ********", or "there was a culture of fear" = "scared of the gaffer", so I approached this doc with a pretty open mind, but tempered with a Manxman's natural scepticism. I found the following (sequentially):
What does a good risk culture look like?
- Appears to have used examples of what a "bad" risk culture has recently led to, then flipped that on its head! Would have thought a clean slate approach is better for white papers, rather than reacting to zeitgeist incidents
- Fair list of 10 criteria for anyone in the risk culture assessment space, though will always be a nightmare to codify/quantify.
- The appearance of the dreaded "tone from the top" suggestion, which makes an appearance in the FRC's (p4), the FSA's and EIOPA's world (p10) - bearing in mind that the "top" is normally the problem when it comes to organisational catastrophe (Lehman, Northern Rock) as opposed to fat tail op risk loss events (UBS/Credit Agricole/JP Morgan), I would be more inclined to call it "tone at the top".
- I like the IRM's take on culture being "the repeated behaviour" of a group - very convincing definition in comparison to say the FSA in SYSC (p12), though the rest of the ABC approach is a tad woolly.
- "Virtuous" versus "vicious" cycle sits nicely alongside this image of repetition, but nothing as such around how best to break a vicious one, either as a NED or a Head of Risk - perhaps that has been saved for the more extensive and expensive practitioner's guide!
- Don't agree that risk culture affects the capability to take strategic decisions, rather it enhances or impairs the quality of those decisions. Immediately makes me think of ORSA, and how "playing" at it or "doing" it doesn't prevent strategic decisions from being made.
- Also don't agree that "at worst" an inappropriate risk culture could lead to "serious reputational and financial damage" - I'm sure stockholders at Bear Stearns may say it can be a bit graver than that!
- Nice emphasis on how risk culture can both stifle necessary risk-seeking behaviour at one extreme (smartly citing Eastman Kodak as a "too slow" corporate failure), as well as the more obvious "prison rules" which emerge from uncontrolled risk taking.
- Should they really ask themselves "what is the current risk culture"? If so, is that at a chinwag-type round table, or via some kind of evaluation survey issued by the Risk function? Instinctively it sounds like the kind of thing that would be squeezed into a Q1/Q3 board meeting at the point of a gun, which is as cynical as it is sad!
- The meatier (i.e. costs money!) practitioner guide apparently contains some diagnostic tools to effectively indicate and track culture within an organisation. The flash we are given here reminds me of the psychometric testing for "what makes a great Risk Manager" that I looked at last year, but feels ultimately very high-end.
- The "Double S" model is an intriguing addition to the mix, specifically the comment that low scores on either rating "create a barrier to the effective management of risk". Would love to see more of the research cited, as I've found that the odd mercenary firm can work wonders...
- Can a risk culture effectively be changed top-down without a change in personnel? Can't imagine an existing CEO being prepared to antagonise his board/exec team by declaring them culturally bankrupt unless he had carte blanche to do so, which is normally the case with regime change. I'm more inclined to think a decent CEO, partnered with Risk, could do it by stealth, rather than with a pricey change management programme which would inevitably rock a few boats.
- "Risk culture is not a precise science" - does that make it an art?
- I would probably make it 11 questions, and frame the first one "Do we genuinely care about how culture impacts on our decision making, or only insofar as laws and regulations insist upon it?". If a Risk practitioner gets the answer to that directly from the Board/Exec, the other questions can be catered for with proportional vigour.