How Do You Create a Great Risk Culture?
As someone who is trained as a scientist and then trained in finance, I am probably the last person who one would think of to write a chapter on organizational culture. My idea of the only time one should concern themselves with the human resources department is when they are handing you a specimen bottle for mandatory testing. I am not even sure I know how to define culture. One group of organizational experts seems to think it is what someone does when no one is watching. Another group of organizational experts thinks it is what one does when everyone is watching. I am not really quite sure which group of organizational experts is correct, but one thing I do know is that when I am conducting risk seminars, the issue of how to create a good risk culture is the one question that always seems to arise (after the question of “will I need a calculator for the seminar?”).
Great risk management simply will not occur if the risk culture stinks. In the 1990s, Banker’s Trust arguably had one of the best risk management systems going, but they failed in large part because their risk culture failed them. In the case of Banker’s Trust, it was hubris and an arrogance around risk management that failed them. Their risk management processes were world-class, but the culture was lacking. In most firms, the risk culture stinks for very different reasons. People are afraid of risk. People are skeptical of risk. People believe the risk department has the sole function of keeping their foot on the brake in order to kill any progressive idea or project. People want to avoid the risk function, as it is seen as a bureaucratic jumble of red tape and meaningless paperwork. In other words, risk stinks because the culture around risk stinks.
Perhaps, I am more than a little unstable mentally, but I think risk is cool. I think the risk function has the tools, techniques, and tactics to allow an organization to extend itself and really stretch for new goals and heights. I think that risk management is one of those true areas of management, where both the art and the science of business come together and allow the really talented people to strut their stuff. As such, risk culture should be cool, hip, and progressive, instead of the traditional corporate career graveyard that traditionally it has been. It should be the area of the organization where the people with the most ideas, the most creativity, and the most energy congregate and want to work in. Let’s get started exploring some ideas on how to create not just a good risk culture, but a great risk culture.
Culture Is the Middle
A lot of the reading about risk, and risk culture that I have done, and most of the people I have discussed the topic of risk culture with, say that risk culture starts at the top. I respectfully disagree. The rest of the literature and the rest of the people seem to think that risk culture starts at the bottom of the organization. Again, I respectfully disagree. I think that culture, and in particular, risk culture is made or broken in the middle.
In some sense, I realize that culture does absolutely begin at the top, but it is only at the lower levels of the organization—where the rubber meets the road—that culture ultimately gets implemented. A culture, however, needs to be consistent, and if the top and the bottom of the organization do not “get” the same “memo,” there is a disconnect. That disconnect is the middle manager.
The middle manager in any organization is in a very unique position. Those at the lowest rungs of the ladder realize that they have a lot of room to move up before things start to get serious. They are also probably content to just have a decent job at their given stage of their career. Those at the top of an organization have, in some way, “made it,” and thus, enjoy a freedom and flexibility that most people in the organization do not get to experience. Those at the top are also generally quite out of tune with what is happening at the front lines. (Of course, this is the premise of the popular television show “Undercover Boss” that puts senior executives in frontline positions and highlights their ineptitude at doing the very tasks that their companies are in business to do.) The middle manager is squeezed between these two groups. The middle manager likely has aspirations to move up, and thus, is hesitant to do anything that will jeopardize their placement in the upper echelon. They are also the ones who are on the hot seat when the rubber does not meet the road properly, but as they are one step removed from the front lines, they have limited ability to affect their own fate. The middle manager has a quandary and a unique risk management problem as well. Do they play it safe and avoid a misstep that could get them fired, or do they take chances and try things in order to get ahead? Their career choices are a risk management exercise, in a nutshell.
Almost by definition, middle managers are the epitome of the “organization man or women.” If they had an entrepreneurial mindset, they likely would have left the organization once they reached middle management. A few of them may be stars and shooting for the top, but in my experience, many of them quickly realize the odds are stacked against them from reaching the upper reaches of management, and thus, they settle for a career as a middle manager. This creates a mindset that is focused on not rocking the status quo. It also creates a mindset that any risk—upside risk or downside risk—is bad and to be avoided at all costs. There are obviously exceptions, and hopefully, in your organization, the exceptions are many, but middle management is not the place to find a healthy and positive attitude toward risk.
As middle management is where the connection is made from the upper reaches of management to the frontline workers in the trenches, it is also where the culture of risk gets set. If you have middle managers with an unhealthy and negative view of risk, then the organization will have an unhealthy and negative culture around risk, despite the proclamations of the board, the CEO, or the entire senior staff. It is a tough problem to crack.
There are a few central causes to the middle management problem. The first is the process for promotion. In any organization, you generally get hired for some type of technical skill, and perhaps, that skill is management itself, but more likely, it is some type of skill that is best designed for complicated tasks, such as accounting or engineering. Someone who demonstrates proficiency in accounting or engineering, for example, then gets promoted to middle management. However, this is without any real management experience, or even evidence of managerial skill. This, of course, is a well-known problem as accurately and humorously outlined as the Peter Principle.1 However, not only does promotion occur without the employee providing evidence of managerial skill, but it also occurs without the employee providing risk management skills—except for risk management skills in their technical expertise.
The second cause of the middle management issue with risk is the risk training that they receive. Almost all of the risk training is in terms of regulatory aspects of risk, and the risk processes—one might say risk bureaucracy—that is in place at the organization. This training generally occurs at the inception of the manager’s promotion when the attitude of the new middle manager is most impressionable. The impression made is that risk is a process-based, brain dead jumble of bureaucratic red tape. No wonder most middle managers develop, and thus, implicitly promote, a robust dislike of the risk management function.
Ironically, the senior managers who I have had the opportunity to work with tend to have much healthier attitudes toward risk. Admittedly, many do not agree with my definition of risk, and many believe that risk management is only to protect against bad things happening. The big difference is that at least they consider the question of what risk is, and what the role of risk management is. Additionally, while their technical understanding of risk may be weak, and in the current regulatory climate of the Sarbanes-Oxley Act, their lack of a strong technical understanding of risk is a source of fear for them, these senior managers do tend to have a very good intuitive understanding for the two-sided nature of risk and the inherent uncertainties of risk. Perhaps, this intuitive understanding of risk is what makes them qualified for senior management as opposed to those lower-ranked employees who have a better technical understanding of risk.
The culture of any organization obviously begins at the top and conveying that culture from the top throughout the organization is always going to be a challenge—no matter what form of culture we are talking about. However, when it comes specifically to risk culture, I believe that there is a special problem in getting the message from the top of the house to the front lines because of the unique career-based risk issues facing the middle managers. When it comes to risk culture, middle managers control the knobs on where judgment versus processes are set, they control the knobs of what the definition of risk is going to be, and while they likely do not control the risk metrics used, they control how those risk metrics are interpreted and utilized. In essence, middle management controls the risk culture.
Banish Risk as the “Department of No”
Perhaps, there is no more fruitful step toward promoting a positive risk culture than banishing the thought that risk is the “Department of No.” The risk management function as the “Department of No” is an obvious downer. This has been a major theme running throughout this book, so I will not beat the dead horse once again, but leave this section intentionally short to drive home what should be an obvious, but almost always overlooked point in creating a positive risk management culture; banish risk as the “Department of No!”
People Not Processes
Prioritizing people, not processes should be an incredibly obvious step toward creating a great culture, but apparently, it is not. Culture is about people. Thus, if you want to have a great culture, you need the risk management function to have the focus on people not processes. This includes thinking about the people first in the design of risk management practices, it includes the training around risk management, it includes the rewards and motivations around risk, and includes people in the decision making around risk. It also includes hiring for a certain risk management attitude—attitude that you want your risk culture to be.
When risk management becomes an engineering problem, or a regulatory exercise, then the focus on the people often gets lost in the minutia of the processes. The issue is that, as discussed in Chapter 4, risk is rarely caused by complicated engineering issues, but much more frequently has complex people-related causes. Furthermore, it is almost always people that have to implement risk management. Thus, it just makes sense to design risk management with people first. However, it is almost done the other way around. This makes one feel insignificant, unimportant, and thus, unmotivated. Basically, when you realize that you are playing second fiddle to a process, it is a soul-destroying realization.
Take a very common risk management process: that of the safety announcements on airplanes. How many times have you sat through a demonstration of how to put on your seat belt in the airplane? Did you feel like you were back in preschool day care and the teacher was telling you it was nap time? Did you pay attention to the demonstration with rapt attention or did you try to show that you were purposefully ignoring it while all the while trying to block out the annoying litany—which you have probably memorized after your first three flights? Did you mumble under your breath “this is stupid”? Do you feel you are in a positive culture of safety or a pawn of a cruel hoax imposed by some brain dead bureaucrat of one of the myriad of transportation agencies? Do you believe that the safety message is to help you improve your flying safety or was designed as a legal protection strategy for the airline? Do you get cynical about the whole thing when the airline simply puts on a recorded message while the flight crew stands at their regulated spots going through a lackadaisical mime routine, showing you how to buckle and unbuckle your seatbelt and tighten the oxygen mask “around your nose and mouth”?
There is one airline that I fly frequently who take a different approach. Knowing that their customers are, for the most part, frequent flyers, they make an ongoing joke and allow their flight crew to inject their personalities into the safety announcement. I am not going to name the airline for fear that some bureaucrat sees this and hunts them down and forces them to stick to the script. The point is the flight crew is making an effort to show they realize that there are people, and not bots seating in the seats. The crew are also making an effort to show that they believe their customers are not idiots who never learned how to fasten and unfasten a seat belt.2 It is a small thing, but it gives you a different attitude toward the demonstration. A vastly greater proportion of flyers listen to the announcement, and when they do buckle up, they do so with a positive attitude, rather than “here we go again” attitude that they do with the more usual litany. A realization that people are in the seats and also that it is people (flight crew) who are giving the message allows the safety message to be about people and not just the regulatory aspects. It leads to more interest in the message from both the crew who have to improvise—a bit—and to the flyers who listen with interest to see how interesting, and perhaps, entertaining the crew can make the mundane instructions. More interest leads to more compliance, more awareness, and more acceptance. Perhaps a trivial example, but one that illustrates the power of putting people before processes.
It is very basic, but risk management processes are in place for the good of people—employees, customers, suppliers, the general public, and so on. People, stakeholders of an organization, do not exist for the risk management processes. However, it often feels like it.
Risk Happens
Part of a risk management culture is very simply admitting that risk happens—both good and bad. Risk happens despite everyone’s best intentions and despite the strength and resiliency of the risk management system. To create a great risk culture, a firm needs to admit that risk happens. It needs to celebrate the good risks, and try to the best of its ability to learn and to improve from the bad risks. It needs to stop punishing the occurrence of risk—unless it was a deliberate and willful act to trigger a negative risk outcome.
Too often, the culture is set up to let those know that if they are the cause of a risk outcome, then there will be consequences, and the consequences will not be nice. This leads to a culture of fear and loathing toward risk management. Perhaps, more seriously, it leads to hiding events from risk management.
I can clearly recall an incidence when I was a young lad—about five or six. Before you think my parents were willfully neglectful, I should point out that it was a different era, and as kids, we were actually allowed to do such risky things such as play outdoors, and—horrors of horrors—our parents would occasionally even leave us alone at home during the daytime. It was during one such day that my parents left me home alone and I knew there were cookies in the uppermost reaches of the kitchen cupboard. I also knew that if I got a chair that I would be able to climb up on the cupboard and pilfer a few cookies. Needless to say, the temptation was too great. What I did not quite allow for in my plan was the newness of the expensive countertop that I was now climbing on, and in my climbing, I chipped the corner. Knowing the risk attitude of my parents, I knew the outcome was not likely to be good. Thus, I got some glue and tried to glue the chipped pieces of the countertop back in place. I thought I did a great job, but when my parents came home, my mother caught her new dress on my handiwork and ripped the new dress that she was so proud of. Not only had I been found out, but my relatively small problem had turned into a much bigger problem. Needless to say, I was grounded and my lust for cookies has been diminished for life.
The reason behind the story is straightforward. If mistakes are not tolerated, then mistakes will be hidden. Furthermore, when mistakes are hidden, they almost always grow into bigger mistakes. Almost no one sets out to make a mistake or cause a negative risk event. However, mistakes and bad risks occur. If mistakes and risks are not tolerated, then they will be subject to attempts to hide them or cover them up. It is like someone being in denial about having cancer. Just like cancer, the cover up will almost always lead to a series of further mistakes and mishaps and the problem will continue to grow and fester.
Ironic as it sounds, mistakes and risk events—both good and bad—should be celebrated as learning events. In essence, risk events are teachable moments. The risk culture has a choice about what to teach. It can teach that risk is evil and risk must be avoided at all times—both good and bad risk—or it can teach tolerance and learning and improvement. Risk events should be teaching moments, not scolding and blaming moments.
In terms of athletic ability, I am (and was) quite mediocre, but somehow I managed to be quite successful in organized sports. How, you might ask, given my limited athletic ability. The answer was simple—I tried hard to never make the same mistake twice. I tried to learn from my mistakes on the playing field, rather than berate myself for my mistakes. It was quite likely I was going to continue to make mistakes and to lose points. However, by concentrating efforts on not making the same mistake twice, I not only avoided repeating mistakes, but I was forced to think of different ways of doing things. Thus, mistakes became opportunities to improve myself during a match, rather than a method for getting my spirits down. The same philosophy can also work for a risk culture. If the emphasis is on not making the same mistake twice, and if there is a tolerance for making a new mistake, then the organization not only accelerates its learning, but it also improves the risk culture.
Having a risk culture that recognizes that risk happens allows everyone to take a collective breath. It lowers the fear of making a mistake, which, in turn, produces fewer mistakes. When the atmosphere is so tense, and there is a paranoia about doing something wrong, the ability of people to think and to respond properly is diminished. Worse yet, people may get paralyzed for doing the wrong thing, and thus, do not trust their instincts and wind up doing nothing, even when action is called for. It is far less stressful, and far more productive to take a collective organizational breath and freely admit and realize that “risk happens.”
Risk Training and Culture
What did you learn from your organizational training on risk—that is, assuming that your organization has risk training? Was the risk training fun, or was it a boring litany of thou shall not? Did you leave with positive or negative thoughts about risk? Was the training based on knowing things about risk or in how to think about things surrounding risk? Do you even remember anything from your training?
If a firm is to have a positive culture about risk, the training about risk needs to take on a positive tone. The training should emphasize the risk philosophy of the firm, the fact that risk management is an active part of the competitive advantage of the firm; that risk management is not the “Department of No”; and that risk management is inherent in everyone’s role.
A second important aspect of the training is that it should focus on understanding and appreciating risk, not just on knowing the textbook aspects of risk. Knowing and understanding are two different things. If the training is focused on knowing about risk, then risk is seen as a complicated system. If the training is focused on understanding and appreciating risk, then the complexity of risk and the creativity in managing it comes to the fore.
My colleagues and I once conducted a daylong risk training simulation exercise for a large international organization. Over 100 managers of this organization had been through a series of risk training workshops over the previous year led by well-known academics and consultants. The duration of the training spanned a full 10 days. The purpose was to make the organization state-of-art when it came to risk management. The daylong event was to end with each of the groups making a series of presentations for their analysis and solution of the issue that we designed for the simulation. The senior managers were to be there for the final presentations. The whole meeting was designed to be the capstone event for this major training initiative.
The simulation we designed was closely based on an actual situation that had occurred roughly 15 years previously to a similar company. For the simulation, we basically updated the scenario and used newer data and a slightly disguised product for the participants to conduct their analysis on. We were slightly concerned that someone would recognize the true story we had based the simulation on, but no one did. In short, the simulation was based on designing the risk management of a new product launch. What happened in the real-life situation was the company did everything correctly in terms of the complicated processes, but they neglected how to deal with the media and the reputational risk and the social risk management of the project. In the real-life situation, the risk management broke down and fell apart with a call from the media.
In the simulation, which ran for six hours, my colleagues and I worked with each of the groups. I was very impressed with their knowledge of risk, and each of the teams was doing a great job of preparing a presentation that showed that they understood risk and had mastered the training that they had been given. The problem was they demonstrated a lot of knowing and not a lot of thinking. When everyone convened in the main hall for their presentations to senior management, they had on each of their desks the same memo from the media that had occurred in the real-life situation, and just like the real-life situation just over a decade ago, the risk management plans fell into disarray, and furthermore, they fell into disarray in a hurry.
What this example illustrates is that training based on knowing things about risk is ineffective. Training about risk needs to be on thinking about risk. Knowing “stuff” and being trained to think are two very different things. While it is admittedly good to know things, a simple knowing does not imply understanding or knowing how to think about a situation. In part, knowing stuff implies that risk is a complicated system. So, therefore, if the majority of your risks are complicated, then by all means focus on training to know. However, if like most firms, your organization’s risk arises because of complex issues, then you need to train based on thinking and understanding and creativity and appreciation for the complexity—a very different approach.
Training for knowing things implies an arrogance that risk is something to be optimized. However, if risk can be so easily optimized, then the future of risk managers is bleak because, as previously discussed, we will all be replaced by computers who are much better at optimizing complicated things than we as humans are.
Risk Should Be Fun and Creative
Where do the creatives in your organization exist or migrate to? (If you do not have creatives in your organization, then you really should start looking for a new job.) Do the creatives, those with an entrepreneurial mindset, those who like to connect the dots, and those who like to search for new dots, do they exist in your risk function?
Admittedly, there is a lot of engineering and math and best practices in risk management. In other words, risk management has a chuck of science associated with it. However, I would argue that the really important and valuable risk management activities are those that are much more art and much more creative and much less science than we normally ascribe to risk management. It is hard to be creative when the mood is doom and gloom. Much more creative productivity occurs in an atmosphere of fun and optimism.
Risk should be fun, and risk should be creative. Earlier in the book, I stated my first law of risk management: the mere fact that you acknowledge that a risk may exist automatically increases the probability of it occurring and its magnitude if it is a good risk, while also automatically decreasing the probability and severity of it occurring if it is a bad risk. Thus, to be good at risk management, one needs to come up with lots of creative scenarios. With risk management being buried under processes and mounds of data collection, and heaps of regulation, it is hard for even the most creative of people to be inspired.
As a university professor, I have the vicarious pleasure of seeing my best students set off on their career’s at the end of each school year. I am always surprised by how companies recruit who they believe are the best students. Most of the time, companies recruit the worst students. I wish companies could see the process from my point of view and hear the conversations I do coming from the truly great students with the most potential.
As someone who teaches risk management, I am often asked by recruiters and human resource professionals who the best students are and who they should look out for. When I ask the criteria they are looking for, they almost never ask for creative, or fun, or forward-looking, or ability to deal with ambiguity. Instead, they claim they want those who know the math of risk the best, and are organized. (Really—organized is the key skill you are looking for in a junior risk manager?) What I observe by following the success of my student’s careers though is that it is those who are creative, who see the possibilities and the potential of risk management, and who enjoy thinking about risk management problems and opportunities are those that do the best. Those who are focused on the techniques of risk management might have the easiest path getting hired, but they generally stall the earliest in their careers or burn out the quickest.
In short, many organizations that are recruiting for their risk management department make it seem like the most brain dead and boring of departments. In fact, they should use a form of reverse hiring—anyone who expresses interest in applying for a job after listening to the company’s pitch at their information sessions should be eliminated from contention.
One company—a respected global leader in risk management consulting—got it right in my opinion. On campus, instead of having the traditional corporate information session, they held a board game tournament. The game they used was of course Risk. The interesting thing was that the engineering types thought the idea was stupid. The students who were creative and looking to avoid a boring job at a boring company thought it was a great idea and eagerly participated. I guess it comes down to what type of people you want to try to recruit, but then again it comes down to what culture you want to create around risk management.
Concluding Thoughts
To reiterate a point I made at the beginning of this chapter, I am probably not the one most people would choose to pontificate on creating a great risk culture. However, having worked in several different types of risk cultures, and consulting for many more, I am a believer that the risk culture of an organization is absolutely key to having great risk management.
Historically, it was often the case that risk management was the department in which an employee who had reached their usefulness as a manager, but was not yet ready to retire would be placed. Risk was thought of as a sleepy place where you needed experience about how things worked—and how they did not work. The work was thought to be dull, relatively unimportant, and not very dynamic. In essence, the risk department was akin to a corporate retirement home. I would argue that this concept is about as quaint as a rotary dial corded phone. It is from another era that is not returning.
In contrast, I believe that risk is about the most dynamic, important, challenging, and valuable function in an organization. Making that message clear, and constantly reinforcing the message that not only bad risk needs to be managed, but good risk as well, is critical for a firm’s success.
1 Laurence Peter and Raymond Hull, “The Peter Principle: Why Things Always Go Wrong,” William Morrow and Company, 1969. To remind the reader, the Perter Principle states that a manager will get promoted until they reach their level of incompetence. This implies that all senior managers are, thus, operating at their level of incompetence.
2 I actually was on a flight once in the Middle East where the person seated next to me was flying for the first time. They were the only person I have encountered in my entire life who did not know what the seatbelt was or how to fasten or unfasten it. Some bureaucrat will claim this is the exception that shows why it is still necessary, but I suggest they need to get real.