1. Introduction
Until the banking sector crisis of 2016/17 in Ghana, risk management was perhaps not considered a critical and proactive role but rather a compliance role. Poor risk management practice was a fundamental issue associated with banks whose licenses were revoked by the Bank of Ghana during the financial sector clean-up. After the banking sector clean-up, risk management has thus become an emerging area within the financial sector. The recent COVID-19 pandemic has again highlighted the important role of risk management. This was evident in the absence of Business Continuity Plans; even where they existed, they were mere documents prepared for compliance purposes.
Generally, it is the Board of Directors that exercises oversight of risk, governance, and culture. The Board defines the desired culture, but it is up to the management and other individuals within the organization to carry out the desired culture. Culture is inherent; thus, the introduction of new norms and ideas may require re-engineering and reinforcement. Peter Drucker simply put it as “culture eats strategy for breakfast.” This is to say that an inspiring vision and excellent strategy can never be achieved without the right culture to support them.
Risk culture is defined by the Institute of Risk Management (IRM) as “the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.” Put differently, risk culture can be described as a system of values, norms, mindsets, and actions that exist within the organization to shape daily risk decisions.
2. Background
Organizational culture can be described as a form of shared values and beliefs that provide individuals with the norms for behavior in the organization (1, 2). Risk culture is an element of the whole organizational culture. Risk culture is an indispensable underpinning of the risk management framework (3). Wong et al. (2) concluded that the risk culture, specifically risk policy and risk appetite; key risk indicators; accountability; incentives; risk language; and internal relationships are estimated to have substantial and undeviating effects on enterprise risk management (ERM).
Uncertainties are inherent in the day-to-day activities of all organizations. Risk management is a strategic activity and is not limited to algorithms, checklists, and programs (4). The cultural dimension of risk management has been consistently emphasized by a number of researchers (5, 6). In recent times, risk management has been progressively highlighted as a spectacle of good corporate governance (6, 7). Almost all boards of organizations within the financial services industry have a subcommittee on risk. Risk management can be portrayed by some overt or covert management tactics that do not refer to risk, but tackle it in an efficient manner.
Regular interactions, formal and informal, among risk and business functions are commonly established to be critical in the financial services industry (8). Regulators and stakeholders have unquestionably been the drivers of risk culture change programs. Individual behavior is a function of the risk culture within an organization. Ashby et al. (8) posited that their observations indicate that risk culture is not just an industrywide challenge or one restricted to the global financial crisis, but also emphasize a variety of microlevel cultural “weaknesses” within particular financial organizations. It is paramount to recognize that a strong risk culture does not necessarily beget the achievement of corporate goals (9); moreover under certain situations, a strong risk culture can result in strategic myopia within the organization, making it less susceptible to environmental modifications.
Culture cannot be measured, weighed, or touched (10); although not quantifiable, it plays a pivotal role in achieving the organizational strategy. There are about four risk culture models; these are the Cultural Theory of Risk (11), Double S Model (Sociability or Solidarity) (12), IRM Risk Culture Model (10), and Organizational Culture Profiling (13). The Cultural Theory of Risk looks at the conduct of people within the organization, and the Double S model evaluates the culture of the organization as a group. The IRM Culture Model recommends eight “aspects,” categorized into four “themes,” that need to exist to guarantee the right risk culture is aligned to the organization’s vision, while the Organizational Culture Profiling supports individuals and organizations to control preferences for varying attitudes grounded on the understanding of “work-values.”
3. Discussion
Forming and maintaining a strong risk culture is imperative for all financial institutions. Risk culture awareness is an essential component of the ERM program. The principal cause of poor risk management practice within the financial sector is a weak risk culture. Stakeholders and regulators expect organizations to have a strong risk culture at least to ensure financial soundness and going concern.
3.1. Assessing risk culture
Assessing the risk culture within an organization involves subjective and qualitative matrixes within the entire enterprise risk framework. Risk culture persistently progresses through the stages of ERM maturity. Assessing risk culture involves the identification of prevailing conditions, behaviors, and practices within the organization that may directly or indirectly impact risk-related activities arising in the future.
There is no particular technique for evaluating risk culture; however, there are a few tools that can be adopted to infer and track the level of awareness toward risk within an organization. These may include surveys, interviews within the organization, group discussions, feedback, reviews of operational processes, and training. It is exigent to measure an organization’s risk culture in order to know the current level, manage it, and improve upon it to achieve the desired culture.
The risk culture framework identifies the following (Figure 1):
Figure 1. IRM risk culture framework [Institute of Risk Management (14), p 16].
(i) Personal predisposition to risk–the level to which people are sensitive toward risk may be resilient, cautious, pessimistic, or optimistic.
(ii) Personal ethics–the set of personal moral values individuals bring into the organization.
(iii) Behaviors–the result of personal predisposition and personal ethics as depicted in a person’s actions.
(iv) Organizational culture–the way of life prescribed by the core values and desired attitudes of the organization.
3.2. Benefits of a strong risk culture
A strong risk culture ensures more effective risk management. It helps to mitigate exposures that may have far-reaching consequences. In an organization where staff risk awareness levels are high, potential operational risk incidents are low and fraudulent occurrences are minimal, which also enhances productivity.
Furthermore, a strong risk culture improves risk-based decision-making throughout the organization. A critical component of any risk governance framework is to ensure that the information provided to the board and management to make risk and business decisions is accurate. With the right attitudes and values, management and staff within the organization have a higher proclivity to make better decisions.
Again, confidence levels of stakeholders, investors, and regulators are improved when a strong risk culture exists within the organization. The cultures that enhance the value for shareholders, regulators, and customers are those effective for managing risks. Perceptions by stakeholders have an impact on organizational goodwill. Thus, robust risk management within the organization attracts investments and, to a larger extent, impacts the credit rating of the organization.
Lastly, compliance with regulatory requirements is improved with a strong risk culture. The high levels of regulatory scrutiny within the financial services sector require organizations to have a resilient risk management system. The low tolerance of misconduct can be seen in the stiffer sanctions meted out to some banks and capital market players in the banking sector and capital market clean-up. Thus, a strong risk culture helps to avert actions that impair corporate goodwill.
3.3. Practical steps to successful risk culture
The essential themes of effective risk culture in the eyes of some Chief Risk Officers and staff within the financial services sector are tone from the top and tune from the middle; open and effective communication in a safe environment; and awareness, understanding, and ownership of risk at all levels (15).
As stated earlier, it is the Board of Directors that has oversight responsibility over the risk governance and culture of any organization. Thus, it is compelling for them to set the desired risk culture tone from their level and, flowing from that, for management also to set the tone to be followed by staff within the organization. Culture curated by the overriding influence of management is a signal of “managerialism” (16), creating a dictatorship environment.
It is critical to involve staff in setting and journeying to the desired risk culture. An open and fair internal communication between management and staff is required to achieve a successful risk culture. These communications must happen in a safe environment devoid of acrimony. Again, constantly training and educating staff on the desired risk culture is necessary.
Finally, it is essential for both management and staff to be sentient of emerging risks and to identify, understand, and own those risks within their various day-to-day functional activities. This raises the level of risk awareness within the organization.
4. Conclusion
Risk management has evolved and has now become a critical role in the eyes of stakeholders, especially in the post-banking crisis and the COVID-19 pandemic. It has moved from a regulator-compliance era to a proactive and essential function within the financial services sector. The foundation of a robust ERM framework is a strong risk culture to carry out activities in order to achieve the set vision and strategies of the organization.
References
1. Rohit D, Webster FE. Organisational culture and marketing: Defining the research agenda. J Mark. (1989) 53:3–15. doi: 10.1177/002224298905300102
2. Wong CC, Rahim FA, Loo SC, Zainon N, Aziz NM. Conceptualising risk culture on enterprise risk management (ERM) implementation in construction companies. Built Environ J. (2020) 17:58–69. doi: 10.24191/bej.v17i1.5988
3. Rossiter C. Risk culture–up close and personal. (Vol. 134). Toronto, ON: CA Magazine (2001). p. 45–46, 50.
6. Corvellec H. The practice of risk management: Silence is not absence. Risk Manag. (2009) 11:285–304. doi: 10.1057/rm.2009.12
7. Drew SAW, Kendrick T. Risk management: The five pillars of corporate governance. J Gen Manag. (2005) 31:19–36. doi: 10.1177/030630700503100202
8. Ashby S, Palermo T, Power M. Risk culture in financial organizations: An interim report. London: Centre for Analysis of Risk and Regulation and the University of Plymouth (2012).
9. Sinclair A. Approaches to organisational culture and ethics. J Bus Ethics. (1993) 12:63–73. doi: 10.1007/BF01845788
11. Douglas M, Wildavsky AB. Risk and Culture: An essay on the selection of technical and environmental dangers. Berkeley, CA: University of California Press (1982).
12. Goffee R, Jones G. The character of a corporation: How your company’s culture can make or break your business. New York, NY: Harper Collins Business (1998).
13. Spony G. The development of a work-value model assessing the cumulative impact of individual and cultural differences on managers’ work-value systems. Int J Hum Resour Manag. (2003) 14:658–79.
14. Institute of Risk Management. Risk culture–Resources for practitioners. London: Institute of Risk Management (2012).
15. McGing S, Brown A. “Risk culture leadership, measurement and management–a comparison across industries,” in Presented to the actuaries institute financial services forum 5-6 May 2014, Sydney. (2014). Available online at: www.actuaries.asn.au (accessed October 9, 2021).
16. Parker RM. Against management: Organization in the age of managerialism. Cambridge: Polity Press (2002).