CHAPTER 6
Risk Culture

INTRODUCTION

Think about it: Stepping into a car is probably the riskiest thing most of us do on a daily basis. Because of the inherent risks involved in auto transportation, policymakers have implemented numerous systems and controls to reduce the incidence of accidents and mitigate their severity. Rules about what to do at stop signs and intersections permit drivers to safely cross each other's paths; tools such as speedometers and fuel gauges facilitate compliance with those rules and promote intelligent decision-making; and safety devices including seatbelts and airbags reduce the severity of accidents. And yet every day, thousands of drivers fail to comply with these rules, often at the cost of their lives and the lives of others. Some run red lights or exceed the speed limit. Others drink and drive or text behind the wheel. Many don't wear seatbelts. Clearly governance structures and policies are of little use if drivers ignore or devalue them. Drivers must internalize the proper values and attitudes to make these policies successful. As a society, we need a sound driving culture.

Just as policymakers cannot maximize motor vehicle safety merely by enacting rules and regulations, corporations cannot optimize risk management simply by establishing oversight committees, audit processes, and risk reports. These processes and systems, which comprise what I call the “hard” side of risk management, become useless without the soft side: all the factors that influence individual decision-making and behavior. Together, these factors form the organization's risk culture. In a sound risk culture, everyone not only knows and understands the policies, but also shares the values behind them. Employees and managers alike are aware of risk and adjust their behavior accordingly. Together, the hard and soft sides of risk management determine the risk profile of a business. While the hard side involves enablers, which establish the capacity for sound risk practice, the soft side includes drivers, which impel the actual execution of sound risk practice. The dynamic nature of risk underscores the importance of developing a good risk culture. Since every risk is unique—and since risks are ever changing—having a policy on the hard side for every risk situation is no more feasible than having a rule for every situation that one encounters while driving.

By “culture,” I am referring to a set of repeated, observable patterns of a group's behavior. It is shaped by a broad spectrum of forces: leadership, shared values and beliefs, habit, and incentives, both positive and negative. Culture in turn drives human behavior, hence its value to risk management. In a typical risk culture, people will do the right thing when told what to do. In a poor one, people may actually do the wrong things even when rules are laid down. But when a powerful risk culture has taken root, people are likely to do the right things even when they are not told what to do. By embedding risk awareness and accountability into a positive corporate culture, managers needn't spend a lot of time brainstorming policies for every last risk situation, but can instead allocate their resources elsewhere.

As you can see, I believe strongly that the soft side of risk management is at least as important as the hard side. Yet it was only following the recent financial crisis that firms began seriously addressing issues of culture. I can't say that comes as a surprise. Risk culture has long been a vague concept that practitioners and academics alike have failed to define with sufficient clarity. The chief reason for this failure is that employee sentiment is considered to be all but un-measurable—or at least difficult to measure accurately compared to hard numbers such as value at risk or risk-adjusted return on capital.

In addition to policies, an organization must find other ways to foster a strong risk culture. Management should encourage intelligent risk taking, even if it results in failure, while showing zero tolerance for unauthorized and unethical behavior. Leadership is a key driver: The “tone from the top” is crucial to establishing honesty and integrity as paramount values. Trustworthy leaders, ongoing training, and clear communication all reinforce risk culture.1

In this chapter, we will attempt to correct this oversight by establishing a framework for individual decision-making and developing a toolbox for managing a business's risk culture. First, we will identify the key steps that each individual must take when making risk-related decisions. Next, we will see why human nature (as described by psychology and behavioral economics) and conventional business structures present imposing obstacles to each step. We'll also highlight the common deficits that managers wishing to improve a company's risk culture should address. Finally, we will take a look at best practices for measuring and managing these factors and consequently improving a business's risk culture.

RISK CULTURE SUCCESS FACTORS

Trying to repair a problem you don't fully understand is a fool's errand, and improving risk culture is no exception. Before we can develop strategies toward establishing a sound risk culture, we need to understand what goes into creating one in the first place. The circumstances surrounding each risk decision are unique, and erroneous practices can arise at many levels, ranging from a single rogue trader motivated by a higher bonus to a group of individuals using unsound business practices that have been accepted (or even encouraged) by management. Some risks unfold over the course of an hour while others take place over months or years. Despite the many differences, there are several common themes that emerge in the process of neutralizing or mitigating risks at the level of individuals and business units. We can distill these into eight key steps:

  1. Hire the right people.
  2. Set the tone from the top.
  3. Make good risk culture easy and accessible.
  4. Use an appropriate yardstick.
  5. Understand the information.
  6. Communicate the problem.
  7. Act on it.
  8. Assess the risk culture regularly.

We'll look at each of these steps in turn and identify the inherent obstacles that companies face while executing them.

Having discussed the importance of risk culture, we will now turn to how to create a strong risk culture. I noted earlier that the soft side of risk management seems difficult to hone because it resists quantification and objective measurement. Here it helps to remember the words of the philosopher Aristotle: “It is the mark of an educated man to look for precision in each class of things just so far as the nature of the subject admits.” Aristotle meant that different fields, and even sub-disciplines within each field, require varying degrees of exactitude; we expect more atomic-level precision from a physicist than a biologist, and more cellular-level precision from a biologist than a psychologist. The same applies to risk management: The hard side deals with policies, systems, and limits—similar to science. The soft side deals with people, their values and principles—similar to art. Therefore, while we should still expect some quantitative measures when shaping risk culture, we can justifiably turn to qualitative measures and success stories from case studies as well.

There are useful parallels between sound corporate risk culture and sound driving culture in our society. In fact, we can learn a great deal about the art of molding a good risk culture by examining the process of creating a good driving culture.

Step 1: Hire the Right People

No one can legally sit behind the wheel of a car for the first time and jump onto the highway. The first measure toward establishing a good driving culture consists of setting up numerous barriers to entry: Age restrictions control for maturity and experiential aptitude, driver's education and paper examinations control for theoretical knowledge, and the road test controls for practical competency. The first way to prevent unsound driving is screening out unprepared drivers from ever getting behind the wheel in the first place. This will succeed only if the “hiring process” for approving new drivers aligns with the values and qualities that comprise a good driving culture.

Businesses can learn from this example. The employees of a company are fundamental to its risk culture being effective. The first step to establishing good risk culture is to limit whom the company hires. Studies have shown that over 50% of resumes contain inaccuracies.2 Basic controls include employment and background checks. As a recent example, a simple background check would have saved Yahoo's board the trouble of ousting Scott Thompson, the company's fourth CEO in five years, because he falsely claimed a computer science degree.3 But this is not enough—a growing number of companies also conduct behavioral and honesty testing to screen employees.4

A basic strategy for minimizing risky behavior is to prevent questionable job candidates from ever becoming employees. Since the specific values, attitudes, and beliefs of a company's business units define its risk culture, it would do well to screen potential hires for desirable attitudes, such as honesty and integrity. I've found that emphasizing the importance of references (and even asking candidates what they believe their references will say about them) strongly incentivizes the candidate to be honest about their work history.

Questions evaluating competency in core areas have become the standard in hiring practices. For a company aiming to open the door only to sound risk practitioners, why not include risk awareness as a target competency? Interview questions might include:

  • In your last job, did you ever face a tradeoff between profitability and risk? How did you handle the issue?
  • Describe the last time one of your superiors put forth an idea that you strongly believed was incompatible with the company's strategic objectives. How did you respond?
  • In your previous job, were you ever aware of a risk that wasn't being adequately addressed? How did you deal with it?

When a company refuses to hire a top performer who does not mesh with its risk appetite, it has succeeded in the first step toward developing a sound risk culture. As a bonus, screening for risk-culture fit will likely reduce employee turnover, meaning that the lengthy and costly process of hiring will consume fewer resources.

Step 2: Set the Tone from the Top

If you are a parent, I'm sure you try especially hard to display good driving behavior when your kids are in the car. You probably also become particularly frustrated when you see a police officer park illegally or make an illegal turn. What lies behind these actions and reactions? They come from our realization that the actions of senior figures and those in authority become the standard for acceptable behavior. Since the attitudes and values of these higher-ups often trickle down and influence others, they set precedents and therefore ought to be considered carefully.

In risk management, even more than other corporate initiatives, the involvement of senior management (and of the CEO in particular) is critical to success. Why is this? As we reviewed earlier, many aspects of risk management run counter to human nature. While people are eager to talk about their successes, they are generally much less enthusiastic about discussing actual or potential losses, particularly those related to their businesses. Overcoming this reluctance requires applied authority and power. The CEO must therefore be fully supportive of the risk-management process, and set the tone not only through words, but through actions as well. He or she must first communicate that risk management is a top priority for the company in presentations, meetings, town halls, and other settings. More importantly, the CEO must demonstrate commitment through actions, by exemplifying and embodying the values he or she espouses. Does the CEO actively participate in risk management meetings? Has the company allocated an appropriate budget to support the program? Are senior risk executives involved in major corporate decisions? What happens when a top producer violates risk-management policies? How the CEO and senior management respond to these questions will speak volumes about their true commitment to the risk management process.

Those at the top of the corporate ladder have a responsibility to embrace an open culture that gives people the freedom to voice concerns when they arise. If authority figures welcome critical opinions from those in lower positions and give them the proper consideration, they send a message that ideas will be judged on their own merit, no matter the source.

An effective practice to set the tone from the top is to articulate the key principles for strong risk management. As an example, when I was the Chief Risk Officer for Fidelity Investments, I established the following principles:

  1. Business Units Drive the Car

    Business units are fully responsible and accountable for managing risk, with support from risk professionals providing tools and strategies for effective risk management.

  2. Equip the Car with Instruments

    We must strive to increase the transparency of risk through measurement and reporting, and communicate exposures through escalation procedures.

  3. Fast Cars Need Good Brakes

    We should set boundaries to avoid undesirable risk or behavior, as well as limits to manage our risk concentration.

  4. Get to the Finish Line without Crashing

    We need to balance our business and control requirements, because risk management is a necessary but insufficient requirement for success. In order to be successful, businesses must strive for growth and profitability.

  5. We Win or Lose as a Team

    Given that we must manage risks on an integrated basis—across different risks, processes, business units, and countries—risk management is everyone's job.

As another example, JP Morgan Chase, which is widely regarded as a best-practice organization in risk management, has set forth the following principles:

  1. Defined risk governance
  2. Independent oversight
  3. Continual evaluation of risk appetite, managed through risk limits
  4. Portfolio diversification
  5. Risk assessment and measurement, including Value-at-Risk analysis and portfolio stress testing
  6. Performance measurement (shareholder value added) that allocates risk-adjusted capital to business units and charges a cost against that capital.

Some people may say that risk management is analogous to the brakes in a car—getting in the way of growth or speed. However, the fastest cars have the best brakes. Good brakes give the driver the confidence they need to go faster—safely.

Step 3: Make Good Risk Culture Easy and Accessible

Driving a car doesn't require detailed knowledge of the internal combustion engine. The third lesson that driving culture teaches us, then, is that easy driving is good driving. Two important ways of making driving easier are investing in human capital, and investing in driving infrastructure. The first way that the government can make driving easier and safer is by investing in human capital: namely, the knowledge of the drivers. Driver education courses, lessons, and public service campaigns about seatbelts and texting behind the wheel all serve to create competencies and habits that make safe driving easy.

Establishing a sound risk culture among business units is no different. Remember the story in the previous chapter about the president of GE Capital shutting down business for two days of risk training? The commitment to risk management he demonstrated was just the first step in improving the company's risk culture. The training he instituted provided core competencies that traders lacked. A major obstacle toward sound risk practice is the lack of risk knowledge and awareness. For CEOs wishing to improve their company's risk culture, workshops and training programs are a necessary first step. Between these training programs, executives should make sure to communicate the importance of risk management and risk culture throughout the organization.

The second way driving can be made easier is by investing in the right infrastructure. Imagine what the accident rate would be if cars lacked speedometers or freeways lacked speed limits, or if those tools were inconvenient to access. Auto designers have given careful thought to creating dashboards that communicate critical data at a glance to reduce this risk. All of these tools make driving easier by integrating information and allowing for well-informed decisions.

The value of integration applies equally in a business setting. By establishing an infrastructure that increases the flow of risk information among business units, management can ensure that decision makers have all the information they need. When risk exposures are correlated and move dependently relative to each other, their severity increases. How are business units supposed to respond appropriately when they lack the proper infrastructure to understand all the risks involved?

A study of retirement savings habits clearly illustrated the value of making the best choice the easiest one. In the study, experimenters measured 401(k) participation rates among employees and manipulated the ways in which employees could enroll.5 When the 401(k) was presented with opt-in enrollment, only 40% of the employees joined. However, when enrollment was made easier with a simple checkbox, 50% enrolled. And when employees were forced to decide whether to enroll or not, enrollment climbed to 70%. We can interpret the last two cases as instances where (among other factors) the opportunity cost of a certain behavior is reduced, and we find that decreasing the opportunity cost of desirable behavior increases its likelihood. Increasing risk information integration, then, is akin to decreasing the opportunity cost of sharing important risk indicators.

Step 4: Use the Right Yardstick

Car owners face very high costs—from the cost of the car itself, any loans taken out for the car, gas, maintenance, and so on. Insurance premiums are generally some of the highest costs a car owner faces. As car owners become better drivers, they are rewarded. The insurance company measures a variety of behaviors to track and reward drivers. The fewer accidents and speeding tickets one has, the lower one's insurance premium will be. Making good driving appealing increases the likelihood that we'll practice it. The negative incentives are strong as well. Policymakers use negative incentives to encourage desired behavior: They set numerous rules and enforce them with penalties to suit the infraction, such as fines, points, suspension, and even jail time. Similarly, CEOs and board members should incentivize good risk management both positively (by spelling out the rewards of sound risk practice) and negatively (with strict policies against unauthorized and unethical behavior).

The measures a company uses (or fails to use) to track and compensate individual and group performance comprise a key driver of behavior. Most companies establish performance goals in terms of sales, revenue, and profitability, reinforcing the desired behavior with incentive compensation. But increasingly, management experts are recognizing that performance measurement should not be limited to these parameters alone, and have devised frameworks that take into account broader considerations. One such framework is the Balanced Scorecard, which augments financial measures with metrics pertaining to customer satisfaction, operational efficiency, and organizational learning. In the same way, if management wants to gain a proper risk/return perspective, it must incorporate risk measures into the processes that generate management reports and track performance. (We'll examine risk frameworks in greater detail in the following chapter.)

The most important tool at a CEO's disposal is compensation. It has often been said that people don't do what you want them to do; they do what you pay them to do. And, as we discussed earlier, a compensation scheme that overemphasizes profitability can set a company up for risk hazard far beyond its appetite. In order to prevent this, key risk metrics must factor into performance evaluations to reward employees not for the highest returns per se, but for the highest risk-adjusted returns.

Figure 6.1 shows two different perspectives on revenue-based incentives. In the graph to the left, note that as risk increases, so does marginal return, though along an ever-flattening curve. Many companies evaluate and reward employees based on sales or revenue results alone, without considering risk exposures or losses. Now take a look at the graph to the right, which reveals risk-adjusted return. As you can see, at a certain point, risk-adjusted return peaks as risk increases before descending precipitously. As a result, this company is incentivizing its employees to expose it to increasingly higher levels of risk that may ultimately surpass its risk appetite. Such a company has opened itself to risk hazard, in which there is a fundamental misalignment between performance measures and compensation incentives of a company and the optimal level of risk it should take on.

FIGURE 6.1 Risk Hazard

The presence of risk hazard among companies is rampant. One need look no further than the 2008 financial crisis to see the adverse consequences that result from a focus on sales and earnings targets at the expense of risk. Too often, companies attempt to influence a single consequence of certain decisions (e.g., increased revenue) rather than the justification for those decisions (e.g., taking risk into consideration). They set aggressive earnings growth targets in the range of 15 to 20 percent per year. But are these targets realistic when the general economy is growing at 3 to 4 percent? What kind of pressures do they put on business units? How will people behave if aggressive sales and earnings goals, all tied to compensation, do not account for appropriate risk measures and controls?

Rules and exhortations are useless unless they are backed with fair and consistent enforcement, which not only corrects individual behavior, but also deters others from committing the same transgression. Drivers (or traders or accountants) are unlikely to follow the rules if they see others flout them with impunity. What message does it send to employees when management looks away as a rogue trader takes excessive risks simply because she's on a winning streak? Or when a business unit operates within risk policies without recognition or reward? In my practice, I've often found that management fails to distinguish between useful and reactive criticism. Consider two traders within a bank: One produces a gain but failed to adhere to risk policy. The other produces a loss but stayed within established tolerance levels. Management's response to these disparate results speaks volumes about the risk culture.

Effective risk management is about insight and foresight on current and future risks. Unfortunately, many companies struggle to anticipate emerging risks. Apart from our tendency to think in the short term based upon recent experience, we're all too busy focusing on the business at hand to give much thought to the future. But risk anticipation and modeling are essential components of crisis aversion. Consider Sarbanes-Oxley: While the legislation adequately responded to the recession of the early 2000s and the fraud and accounting scandals of companies like Enron and WorldCom, it failed to anticipate a key factor in the later economic meltdown—subprime lending.

Another difficulty in identifying risks stems from the fact that we tend to use heuristic strategies—shortcuts that facilitate decision-making at the cost of accuracy—when dealing with risk information. By contrast, proper risk management demands algorithmic strategies: well-defined steps that are more likely accurate. When identifying risks, many people succumb to availability bias, in which we judge things that we remember more easily as occurring more frequently or being more important than they actually are. For example, people often believe that flying has become riskier after news of a plane crash, when in reality the risk has not changed. Because we recall anecdotes with ease, they skew our perception of risks.6

Step 5: Understand the Information

Even for companies that collect the right data, a serious obstacle remains: understanding what that data actually means. We must be able to get from point A to point B without allowing our biases to lead us astray. Risk management demands objective analysis of probabilities and their implications. In this section, we turn to the shortcomings of human psychology that make quantitative understanding so difficult.

Something That Appears Certain May Be Highly Unlikely

Take the oft-conflated terms frequency and probability. Frequency describes the number of times something happens, while probability describes the likelihood that something will happen in the future. Generally speaking, people are better judges of frequency than they are of probability. We need to address this problem, also known as frequency bias, since a proper understanding of probability is essential to risk management. To appreciate this bias, consider this example: Imagine that you go into the doctor's office to be tested for a rare disease that affects only 0.001% of the U.S. population. You are told that the equipment used to detect the disease is quite accurate. If you have the disease, the test results will be positive 100% of the time. Meanwhile, the specificity of the test is 99.9%, which means that if you do not have the disease, the test results will show positive just 0.1% of the time.

The test results come back positive. Should you be worried? Most people give a quick yes, arguing along these lines: “If I have the disease, the results will always be positive. My results are positive, so I probably have the disease.” The problem with this reasoning is that there is an enormous difference between the chance of testing positive, given that you have the disease, and the chance of having the disease, given that you test positive. In the situation presented, if you test positive, the probability that you have the disease is only 0.1%.7 In business management, where a large portion of planning is contingent on likely scenarios, a lot of planning is based around the expected, but not necessarily the unexpected or the full range of possible outcomes. Risk managers should be careful to properly analyze events past and present, taking frequency bias into account, and create multiple contingency plans; otherwise they are likely to fail.
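The gap between P(positive | disease) and P(disease | positive) is Bayes' rule applied to a rare condition, and it is exactly the base-rate problem a detection engineer faces when a rule with a small false-positive rate fires on a large volume of benign events. The example below is added here and is not part of the chapter; it computes the posterior from a prevalence, sensitivity and specificity, and also shows the same numbers as expected counts per million screened, which is usually the easier way to see the answer. Run with the prevalence, sensitivity and specificity exactly as stated above, the posterior comes to roughly 10 true positives against 1,000 false positives, i.e. about 1%; a prevalence of one in a million gives about 0.1%. Either way, a positive result on a rare condition is far more likely a false alarm than a hit. The alert-rule figures at the end are constructed for illustration.

```python
"""Base-rate check with Bayes' rule (added example; not from the chapter).

Given a prevalence (how common the condition is), a sensitivity (how often the
test fires when the condition is present) and a specificity (how often it stays
quiet when it is absent), compute P(condition | positive result). The
detection-engineering reading is identical: swap 'disease' for 'intrusion' and
'test' for 'alert rule'.
"""


def posterior_given_positive(prevalence, sensitivity, specificity):
    """P(condition | positive) = P(+|cond) P(cond) / P(+).

    prevalence:  P(condition) in the screened population
    sensitivity: P(positive | condition)
    specificity: P(negative | no condition); false-positive rate is 1 - specificity
    """
    p_pos_and_cond = prevalence * sensitivity
    p_pos_and_not = (1.0 - prevalence) * (1.0 - specificity)
    return p_pos_and_cond / (p_pos_and_cond + p_pos_and_not)


def expected_counts(population, prevalence, sensitivity, specificity):
    """Natural-frequency view: expected true and false positives in `population` people."""
    affected = population * prevalence
    true_pos = affected * sensitivity
    false_pos = (population - affected) * (1.0 - specificity)
    return true_pos, false_pos


def describe(population, prevalence, sensitivity, specificity):
    """One-line summary combining the count view and the probability view."""
    tp, fp = expected_counts(population, prevalence, sensitivity, specificity)
    post = posterior_given_positive(prevalence, sensitivity, specificity)
    return (f"of {population:,} screened: {tp:.1f} true positives, "
            f"{fp:.1f} false positives; P(condition | positive) = {post:.4%}")


if __name__ == "__main__":
    # Chapter's stated inputs: prevalence 0.001%, sensitivity 100%, specificity 99.9%.
    print("chapter inputs:", describe(1_000_000, 0.00001, 1.0, 0.999))
    # Constructed variant, ten times rarer: the posterior drops to about 0.1%.
    print("1-in-a-million:", describe(1_000_000, 0.000001, 1.0, 0.999))
    # Constructed alert-rule numbers: 1 intrusion per 100,000 events, the rule
    # catches 99% of them and fires on 0.5% of benign events.
    print("alert rule:    ", describe(1_000_000, 0.00001, 0.99, 0.995))
```

The count view is the one to put in front of a decision maker: "ten real cases and a thousand false alarms per million" is understood immediately, whereas "specificity 99.9%" sounds like near-certainty.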

Something That Feels Highly Unlikely Could Be a Sure Thing

Consider two scenarios. In the first, you're in a room with 29 other people. What are the odds that two of you share a birthday? You might reason that with 365 days in the year, any given person has a 1/365 (0.2%) chance of sharing another's birthday, so among 30 people, it is unlikely that two individuals share a birthday. In the second, you are given the name of every person in Michigan (roughly 10 million), and asked to randomly pick 10,000 names. What is the chance that at least one person gets picked twice? You reason that for each pick, a person has a 1/10,000,000 chance of being selected. For the person who was picked first, he has about a 1/1,000 chance of being picked again in one of the 9,999 future picks, so the odds of someone being picked twice are quite slim.

Both of those conclusions are incorrect. The chance of at least two people in a room of 30 sharing a birthday is greater than 70%. The chance of at least one person in Michigan being picked twice? Over 99%. You can find a full mathematical explanation elsewhere. The key point I want to make here is that the original reasoning above neglected the interconnectivity of the individuals in each situation. This is a common shortcoming of human perception, and it holds many consequences for standard risk practice. When risks are interdependent or correlated, their consequences are multiplied. In business terms, correlated risks introduce greater earnings volatility. If management fails to recognize the interconnectivity of the company's risks, it may exceed its risk appetite due to the wrong interpretation of the right data.
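The two puzzles above are the same calculation, and it is worth seeing why the single-person reasoning goes wrong: it counts the pairs involving one individual and ignores all the others. The example below is added here and is not from the chapter. It computes the exact probability of at least one repeat, the usual closed-form approximation, the chapter's flawed "one person" estimate for comparison, and the "birthday bound" (the number of draws at which a repeat becomes more likely than not), which is also the figure an engineer uses to decide how large a space of random session identifiers or nonces must be before accidental collisions stop being a practical concern. The 32-bit identifier case at the end is a constructed illustration.

```python
"""Collision ("birthday") probabilities, exact and approximate (added example).

n_draws items are drawn uniformly, with replacement, from n_values equally
likely values. Thirty birthdays from 365 days and 10,000 names from 10 million
residents are both instances of this.
"""
import math


def collision_probability(n_draws, n_values):
    """Exact P(at least one repeat) among the draws."""
    if n_draws > n_values:
        return 1.0  # pigeonhole principle: a repeat is guaranteed
    p_all_distinct = 1.0
    for k in range(n_draws):
        # the k-th draw must avoid the k values already taken
        p_all_distinct *= (n_values - k) / n_values
    return 1.0 - p_all_distinct


def collision_probability_approx(n_draws, n_values):
    """Closed-form approximation 1 - exp(-n(n-1)/(2N)); accurate when n << N."""
    return 1.0 - math.exp(-n_draws * (n_draws - 1) / (2.0 * n_values))


def naive_single_person_estimate(n_draws, n_values):
    """The reasoning the chapter warns against: the chance that the *first*
    item is matched by any later one. It ignores every other pair."""
    return 1.0 - (1.0 - 1.0 / n_values) ** (n_draws - 1)


def draws_for_half_collision(n_values):
    """Smallest n with P(collision) >= 1/2 under the approximation,
    i.e. n ~ sqrt(2 N ln 2): the birthday bound used to size identifiers."""
    n = math.ceil(math.sqrt(2.0 * n_values * math.log(2.0)))
    while collision_probability_approx(n, n_values) < 0.5:  # correct any undershoot
        n += 1
    return n


if __name__ == "__main__":
    for label, n, big_n in [("30 birthdays / 365 days", 30, 365),
                            ("10,000 picks / 10,000,000 names", 10_000, 10_000_000)]:
        print(f"{label}:")
        print(f"  naive one-person estimate : {naive_single_person_estimate(n, big_n):.4%}")
        print(f"  exact P(some repeat)      : {collision_probability(n, big_n):.4%}")
        print(f"  approximation             : {collision_probability_approx(n, big_n):.4%}")
    # Constructed illustration: a 32-bit random identifier space (about 4.3 billion
    # values) reaches a 50% chance of a duplicate after only ~77,000 identifiers.
    print("birthday bound, 365 days :", draws_for_half_collision(365))
    print("birthday bound, 2**32 ids:", draws_for_half_collision(2 ** 32))
```

The contrast between the naive estimate and the exact figure (under 8% versus over 70% for the birthday room) is the interconnectivity the chapter describes; the same multiplication applies to correlated risks across business units.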

Other Problems with Understanding Data

The previous two examples highlight our inability to grasp the actual probabilities inherent in risk situations. But humans also have a tendency to inject entirely extraneous information into certain decisions based on preconceived notions. We will glance at the ones most pertinent to risk management now:

  1. Framing effect: The same information, presented in different ways, can significantly alter how people perceive a situation. If people hear that a medical treatment offers a 95% chance of survival, they will be more amenable to it than if they learn that there is a 5% chance of death. Perhaps the most common instance of framing in the business setting is the sunk-cost fallacy, in which people make present decisions based on previous investments. For example, imagine that a manager has invested $100 in a machine that he values at $120. A negligent employee damages it during installation, rendering it useless. If the manager were to refrain from buying a new machine, reasoning that it would be an effective $200 payment for a $120 machine, he would be acting irrationally since the $100 previous investment is a “sunk cost,” that is, unrecoverable under any situation.
  2. Conjunction fallacy: Where do more murders occur each year: Michigan or Detroit? Since Detroit is in Michigan, it is logically impossible for Detroit to have more murders. Yet when a large sample of college students were asked to estimate the number of murders in either the city or the state, the median estimate of Detroit murders was twice as high! In another study, 89% of participants thought that it was more likely that a woman was a bank teller and active in a feminist movement than just a bank teller alone. In both cases, people based their estimates of probability on impressions and stereotypes, erroneously concluding that the conjunction of two events is more likely than either alone.
  3. Anchor effect: Do you think that a porcupine has more or less than 5,000 quills? Guess how many. You probably guessed somewhere around 5,000, because of our tendency to anchor our actions around previous information. This effect even takes place when the information is entirely unrelated; people with higher Social Security numbers, after writing them down, tend to give higher estimates for the number of doctors in New York.

Step 6: Communicate the Problem

Once a business unit adequately evaluates a risk and establishes a response, it must relay this information to risk management and integrate it into its practices and decision making in a meaningful way. Often, this means discussing loss and other unpleasant topics, which few businesspeople enjoy doing. After all, those who go into business tend to be optimistic and ambitious, highly focused on success and what they are doing right. Successful people get promoted so it becomes a virtuous circle. But a large portion of ERM deals with what has gone wrong, what is going wrong, and what could go wrong. As a result, I often see risk managers characterized unfairly within their organization as Dr. Nos and naysayers. To use a complaint often lobbed at the Fed, risk managers seem to “take away the punchbowl just as the party gets going.”

Of course, nobody wants to be a party-pooper. And if management is pleased to see what appear to be positive results from an initiative, individuals have little incentive to speak up when they have concerns about a looming risk. This attitude can infect an entire organization. How often have we read about financial institutions that turned a blind eye to the trader delivering 20% returns annually year after year—in a market that was growing much more slowly? Such miraculous results should merit skepticism at the very least, but more often than not, these seemingly invincible individuals are instead given a pass when it comes to established oversight and controls.

In a healthy risk culture, people are comfortable identifying risks and discussing mistakes. They're prepared to pull projects and reject ideas when the risks involved exceed a company's appetite. They don't simply roll over just because management is enthusiastic about results, nor do they assume that an individual's or business unit's past success guarantees positive results in the future. Sure, they might pull the punchbowl just as the party's getting started, but maybe it's because the partygoers have to get behind the wheel later in the evening.

Step 7: Act on It

Suppose a business unit has the right incentives to consider risks and properly understands the bell curve. It objectively examines the problem at hand and, appreciating its severity, communicates the problem to the pertinent actors. Surely then it would act appropriately? Not necessarily. The growing field of behavioral economics has spurred a departure from our classical assumption of man as Homo economicus by exposing major flaws in our ability to make fully rational decisions. In particular, the phenomena of hyperbolic discounting and risk aversion present major obstacles to sound risk practice in an otherwise strong culture, and we will consider each in turn.

Hyperbolic Discounting and Delayed Gratification

There is nothing inconsistent about valuing something in the present more than something better in the future. For example, it would be rational to take a $100 payment today versus a $110 payment in a week if you could invest that $100 and, in a week's time, earn a return greater than 10%. However, it is inconsistent to change preferences depending on how far into the future the dilemma is presented. That is, we tend to give greater weight to immediate rewards, whether rationally or not. A funny example of this comes from gym memberships: Many people sign up for memberships as a cheaper alternative to paying for each visit, but end up going so little that they effectively increase their cost per visit. To see how this works numerically, imagine that exercising costs 80 points today (you exert effort and spend money), but results in a 100-point benefit tomorrow. (You feel better and improve your health.) Let's say that your bias toward the present means that you give full weight to events today, but just 75% to things that happen tomorrow. When we sign up for gym memberships, we are imagining the costs and benefits in the future, so we calculate 0.75(100 − 80) = 15 net points, and conclude that it is best to enroll. But on any given day, we feel the full weight of the dumbbells and less so the delayed benefits. On those days, we calculate: −80 + 0.75(100) = −5 net points, and procrastinate.

The implications for risk management should be clear. Even if we rationally calculate that creating value in the future would be objectively better (whether more profitable or less risky), we might wish to realize the profit immediately due to our biases. Moreover, we might rationally understand that investing in some future technology would be better for the company, but decide not to.

Prospect Theory

According to a rational model of human behavior, people should make decisions with the highest expected utility. However, research conducted by Daniel Kahneman and Amos Tversky in the late 1970s shows that people act inconsistently with this model by exhibiting risk-prone behavior with respect to potential losses and risk-averse behavior with respect to potential gains.8 For example, when people must choose between a guaranteed $250 gain versus a 25% chance of a $1,000 gain (and a 75% chance of a $0 gain), they tend to choose the former. Yet when they choose between a guaranteed $250 loss versus a 25% chance of losing $1,000 (and a 75% chance of losing nothing), they tend to choose the latter. This directly interferes with a sound risk practice by cutting off the right tail of the bell curve (potential positive results) while fattening the left-hand, negative tail. This is a reflection of the problem we encountered with typical incentive structures. While many compensation incentives push business units to exceed a company's risk appetite, yielding a lower than optimum risk-adjusted return, our psychological preference for realizing gains immediately may prevent us from taking the appropriate amount of risk. The result, again, is lower than optimum risk-adjusted return.
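The gym arithmetic in the hyperbolic-discounting section and the $250-versus-$1,000 choices in the prospect-theory paragraph can both be put into a small model. The Python below is an added example, not part of the chapter. It assumes two things the chapter does not specify: present bias is modelled with the quasi-hyperbolic “beta” weight (full weight on today, a single discount factor on everything later, exactly the chapter's 100%/75% split), and gains and losses are valued with the Tversky-Kahneman (1992) value function with exponent 0.88 and loss-aversion factor 2.25, leaving out probability weighting. It goes beyond the text in one respect: it solves for the whole range of present-bias weights at which the enroll-then-skip reversal occurs, rather than checking only the 75% case.

```python
"""Present bias and prospect-theory choices in numbers (added example).

Assumptions not taken from the chapter: beta-weighted present bias
(today counts fully, every later day is scaled by beta) and the
Tversky-Kahneman (1992) value function with alpha = 0.88 and
lambda = 2.25.  The gym points and the $250 / $1,000 lotteries are
the chapter's own figures.
"""


def planning_value(cost, benefit, beta):
    """Net value of exercising judged in advance: both the cost and the
    benefit lie in the future, so both are scaled by beta."""
    return beta * (benefit - cost)


def today_value(cost, benefit, beta):
    """Net value judged on the day itself: the cost is felt in full now,
    the benefit (tomorrow) is scaled by beta."""
    return -cost + beta * benefit


def procrastination_threshold(cost, benefit):
    """Largest beta at which the plan still looks good in advance but is
    abandoned on the day.  From -cost + beta*benefit < 0 we get
    beta < cost / benefit; any beta in (0, cost/benefit) reverses."""
    return cost / benefit


def preference_reverses(cost, benefit, beta):
    """True when the same person enrolls in advance and skips on the day."""
    return (planning_value(cost, benefit, beta) > 0
            and today_value(cost, benefit, beta) < 0)


def prospect_value(x, alpha=0.88, lam=2.25):
    """Tversky-Kahneman value function (assumed parameters): concave for
    gains, convex and steeper for losses (loss aversion)."""
    if x >= 0:
        return x ** alpha
    return -lam * (-x) ** alpha


def expected_value(outcomes):
    """Plain expected money value of [(probability, outcome), ...]."""
    return sum(p * x for p, x in outcomes)


def gamble_value(outcomes):
    """Prospect-theory value of the same lottery, value function only
    (no probability weighting)."""
    return sum(p * prospect_value(x) for p, x in outcomes)


def prefers_sure_thing(sure, outcomes):
    """True when the certain amount is valued above the lottery."""
    return prospect_value(sure) > gamble_value(outcomes)


if __name__ == "__main__":
    # The chapter's gym: 80 points today, 100 points tomorrow.
    print("reversal whenever beta <", procrastination_threshold(80, 100))
    for beta in (0.9, 0.75, 0.5):
        print(f"beta={beta}: plan={planning_value(80, 100, beta):+.1f} "
              f"today={today_value(80, 100, beta):+.1f} "
              f"reverses={preference_reverses(80, 100, beta)}")

    # The chapter's lotteries: same expected value as the sure $250,
    # yet the sure gain is preferred and the sure loss is rejected.
    gain = [(0.25, 1000), (0.75, 0)]
    loss = [(0.25, -1000), (0.75, 0)]
    print("EV of gain lottery:", expected_value(gain))
    print("prefer sure $250 gain:", prefers_sure_thing(250, gain))
    print("prefer sure $250 loss:", prefers_sure_thing(-250, loss))
```

Two things the run makes visible that the paragraphs only assert: both lotteries have exactly the same expected value as the sure $250, so expected value cannot explain the split decision, and the enroll-then-skip reversal is not peculiar to a 75% weight but happens for every present-bias weight below the cost-to-benefit ratio (0.8 here).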

Step 8: Assess the Risk Culture

Safe driving isn't just about teaching the right skills and hoping drivers will apply them properly. Policymakers must also take time to track driving trends so they may better respond to changing behaviors and implement appropriate measures. Take, for example, the issue of texting behind the wheel—a problem that didn't even exist until relatively recently, but which has emerged as a particularly deadly trend. Policymakers in nearly every state responded by banning the practice, while insurers and other organizations produce PSAs to warn drivers of the danger. Likewise, companies should track and record both internal and external trends and respond to the data with their own measures. One of the easiest ways to do so is to create a schematic of key risk culture categories—each with its own metric—and benchmark the results.

Few policymakers could have predicted in the 1990s that texting while driving would grow to become a serious, widespread issue. But continued research and trend analysis led to a quick response that has likely saved untold lives. In the same way, being open to and prepared for change in your company, your industry, and the economy at large will ensure that you face fresh challenges effectively well into the future. For this reason, a company must monitor progress to refine the behavioral change initiatives set forth by management. Consider an internal survey that asks the following questions:

  • Leadership. Do the board, executive, and line management set the appropriate “tone from the top” with respect to risk management?
  • Accountability. Do employees understand and accept their risk management roles and responsibilities? Are there consequences if they don't?
  • Challenge. Does the company have a strong feedback culture in terms of raising issues and challenging existing practices? Do leaders encourage such views and challenges?
  • Transparency. Is there a clear process to communicate and escalate risks? Do we use the right metrics and incentives to support risk-related decisions?
  • Value-added. Is there an appropriate balance between business and risk requirements? Does risk management add value to the business?

The results of these surveys can help companies understand risk drivers as well as the effectiveness of their risk-management processes. As the data accumulate year after year, they measure the evolution of risk culture and promote swifter response to the changing needs of the business.

BEST PRACTICE: RISK ESCALATION

An effective risk-escalation process is a vital component of enterprise risk management. The objective of this process is not to undermine accountability for risk mitigation at the front lines, but to ensure that greater potential risks receive the swift, broad responses they may require. Proper escalation also enhances transparency and aids in data collection.

Risk escalation should never be left to chance. Rather, companies must set clear policies and processes in place to carry it out. Such policies exist in our everyday life as well as in business environments. Consider the “If You See Something, Say Something” campaign in the United States. The Department of Homeland Security has set a clear risk-escalation policy: If you see something that appears suspicious, you should say something.9 This initiative gives clear instructions—call Homeland Security and describe the following things:

  • Who or what you saw
  • When you saw it
  • Where it occurred
  • Why it's suspicious

Similarly, businesses must set clear policies to deal with risk. Corporate disasters, such as the BP oil spill of 2010, began as lesser, often preventable problems.10 See Chapter 20 for a best-practice benchmark outline and illustrative content for a risk-escalation policy.

CONCLUSION

The dynamic and multiform nature of risk means that making rules is simply not enough to keep it in check. Instead, it is imperative that your company create a strong risk culture so that people know what to do in most situations even if they do not have specific instructions. By contrast, a poor or inconsistent risk culture could easily lead to ignoring the rules even when they're explicit. What's worse, many companies talk the risk culture talk, but when it comes down to brass tacks—that is, incentivizing behavior via compensation, rewards, and correction—they focus on results and ignore risk altogether.

Creating a positive risk culture is not as nebulous a process as many assume. Rather, it is a systematic endeavor that begins with a framework for influencing individual decision-making and follows concrete steps, from integrating risk awareness into recruitment, to setting the tone from the top, to establishing clear, consistent policies that reward positive behavior, correct errors, and punish transgressions. The fact is, however, that a company with a vibrant risk culture that embraces core values will not need to rely entirely on the rules, instead tapping into the human impulse to do the right thing.
