Corporate cultures that prevent employees from raising questions about perceived risks and threats to an organisation can only be changed if board members lead by example and become more sceptical and challenging, a report commissioned by ACCA (the Association of Chartered Certified Accountants) and IMA (the Institute of Management Accountants) has concluded.
The report, A Risk Challenge Culture, by Paul L. Walker, William G. Shenkir and Thomas L. Barton, looks at the need for organisations to develop and implement effective risk oversight in the wake of the 2008 financial crisis, which exposed serious weaknesses in risk management.
The report says: “Even some organisations that claim to have a robust risk governance structure have one in name only; the directors are not as actively engaged in risk oversight as they need to be. They oftentimes lack adequate training in risk issues and may receive unduly optimistic risk reporting. In the wake of a risk debacle, a typical question is, ‘Where was the board while this was happening?’”
It calls for the development of a risk challenge culture which encourages, requires, and rewards inquiries that challenge existing conditions.
The report says: “When a subordinate is afraid to ask senior management about perceived risks, that is not a challenge culture. When a board member is satisfied with the CEO’s facile answer to a serious risk issue, that is not a challenge culture. When board members ‘rubber stamp’ management’s critical actions without serious debate, they have not enhanced a challenge culture.”
Drawing on discussions from the ACCA / IMA Accountants for Business Global Forum and insights from ACCA / IMA roundtables held in Dubai, London, and New York, the report acknowledges that it is very difficult for a board member or manager to critically question policies or decisions when their organisation is earning outsized profits or enjoying unprecedented growth, and where there are bonuses at stake.
Ewan Willars, Director of Policy at ACCA, said: “It is critical that the board and executive set the tone for the rest of the organisation, which includes encouraging and rewarding those who raise concerns about behaviour and priorities, rather than those who take unnecessary risks or who act only in the short-term interests of the organisation.
“All too often decision makers talk about wishing they had the benefit of hindsight - but scepticism and a culture in which people are actively encouraged and rewarded for challenging decisions can be highly effective in ensuring that organisations take the right course, and must be actively promoted.”
According to Raef Lawson, Ph.D., CMA, CPA, IMA vice president of research and policy, “Organisations should develop a ‘risk challenge culture,’ which provides employees with the opportunity to defy existing conditions. However, the report shows this culture is impossible to achieve if employees are not encouraged, required and rewarded by management when challenging a negative corporate culture.”
The authors of the report suggest there should be a different sort of culture surrounding risk management - one in which dissent and a questioning mindset are welcomed, expected and rewarded.
They identify nine key areas critical to the design and implementation of a risk challenge culture:
· Board members and the C-suite must approach their risk oversight responsibilities with a “questioning mind” and make “critical assessments” of the effectiveness of an organisation’s risk management process.
· The board, if it is to avoid being a risk itself, should reflect diversity in skills and experiences, and be knowledgeable about Enterprise Risk Management (ERM).
· The board and committees, the C-suite and risk-owning operating management are responsible for leading and sustaining a viable risk challenge culture. The board and CEO set the tone from the top regarding the openness expected in risk discussions.
· The board must receive key risk information on a timely basis.
· It is essential to recognize that cognitive biases in decision making – where people think differently about issues – exist. They should be recorded with mechanisms put in place to minimize their impact.
· People need to be aware of the signs that a risk culture is lacking and in need of remediation. These include: weak risk leadership, poor risk transparency, and rewarding inappropriate risk-taking.
· It is critical that organisations begin the process of establishing formal risk appetites and risk tolerances, communicating them to all levels, and updating when necessary.
· Setting strategy without performing a thorough risk analysis has often led to massive value destruction. It is the board’s responsibility to ensure that this linkage is strong and evaluated often.
· As recent history has shown, faulty, unbalanced incentive plans can lead to misguided, excessive or even ruinous risk-taking. Incentives should be carefully constructed to induce behaviors appropriately aligned with strategy and risk appetite/tolerance.
P.V