The human side of risk: Protecting and creating value through culture

Upload: duongque

Post on 20-Mar-2018


What is risk taking capability?

Risk taking capability is a culture in which employees are provided with incentives and encouragement to work on new ideas despite uncertain outcomes or initial failures. Risk capability can improve employee performance by an overwhelming 39%.

Source: Corporate Leadership Council 2002


To optimise organisational value, you must strengthen the alignment between the human and non-human environments, and shape people’s behaviour as you would shape organisational process and systems. It is only when people really understand the risks they are taking through consistent and repeatable practices, moving away from just “ticking the box”, that they can far better optimise the risk and reward equation for their business.

It is both the human and non-human elements of enterprise risk management that either create or erode value. At its most basic level, a human element is the behaviour of an individual which then combines into team behaviour, departmental behaviour and then organisational behaviour. Non-human elements are the parts of the business that human elements interact with to produce value, for example, processes, systems, rules and regulations. In effect, the combination of the two sets of elements results in “culture”.

The challenge — moving beyond “box ticking”

Risk taking, whether you love it or loathe it, is the single cultural trait with the largest impact on organisational performance, according to research by the Corporate Leadership Council¹. One of today’s most challenging questions faced by business leaders is whether they have the confidence to leverage risk taking behaviours in order to create value.

1 Source: Corporate Leadership Council 2002 Performance Management Survey


Over the last decade, risk management has evolved from being primarily compliance focused, where regulatory pressures were of central concern, to one of governance and reporting across the organisation. The function has sought to ensure that management receives quality information to act upon and that a control environment operationalises the strategically-defined risk appetite.

Risk management has become increasingly disciplined with investment into the improvement of more effective risk frameworks and processes. Initially, the non-human aspects of risk management have been the priority. Today, a much broader approach to risk management is required by regulators, boards and shareholders. These stakeholders expect the approach to be proactive, where risk management is embedded into the DNA of an organisation and day-to-day decision making is conscious and aligned with the organisation’s desired risk appetite and business strategy. They also expect a culture that is risk aware and a control environment where people, from the senior executive to the frontline, actively own the risks of their actions. Overall, stakeholders expect all aspects of risk management to be prioritised, including culture, capability and behavioural elements, and both human and non-human elements to be aligned.

Figure 1 depicts what can occur when there is an imbalance between the human and non-human environments. Too much focus in one direction will lead to either a lack of value protection because of over exposure to risk or an erosion of value because of constraints to innovate or “seize the moment”.

Risk management is a central part of the strategic and operational management of any organisation. Its key objective is to optimise the organisation’s resources to protect and create value. By extension, effective Enterprise Risk Management (ERM) is a fundamental enabler of a high performing organisational culture.

The journey so far

Risk management as a performance driver

Today’s Enterprise Risk Management frameworks often meet corporate governance needs, but miss the broader opportunity to enhance business performance. For example, risk information can be used to:

• Shape the strategy and business plans within the organisation’s stated risk appetite through structured scenario analysis (currently, risk registers are often an output not an input to the key planning process)

• Understand the underlying variability of budgets and forecasts, stress test assumptions and consider risk adjusted cost and earnings volatility to optimise capital allocation

• Appraise and select projects and programs and monitor their progress using risk adjusted net present value and internal rate of return calculations

• Advise on operational direction as a response to Key Risk Indicator (KRI) analysis

[Figure 1: Getting the balance right. Labels: Under-managed, Balance, Over-managed; Risk taking, Risk avoiding; Human environment, Non-human environment; Tight, Loose.]


To explain how this diagram works in practical terms in the following tables (Figure 3 and Figure 4), we observe different organisational environments that manifest. At one end of the continuum, we observe organisations or teams where risk is managed to the point of constraint. At the other end of the continuum we observe organisations or teams where risk is ignored at the preference of results. Our point is that alignment is required to meet the business needs and is necessary to optimise risk returns.

The diagram below (Figure 2) illustrates the organisational alignment which links risk with performance. The first alignment point is between organisational strategy, risk appetite and the control environment. This establishes risk management as a recognised and valued enabler to business strategy. The next important alignment point is between the control environment, the operating model and behaviours which is where your people are making business decisions every day.

Achieve organisational alignment

[Figure 2: Link between risk and performance. Labels: Alignment; Business strategy; Risk appetite; Control environment; Operating model; Risk management behaviours.]


Do either of these environments look familiar to you?

Figure 3: The extremes

Over-managed risk

Definition: Business lines that are conservative in their approach and focused on explicit policies, procedures, documentation, systems and processes to control business activities.

Risk appetite: Risk avoidance

Control environment: Tight

What this looks like: At its worst, business lines characterised by a tight control environment and risk avoidance are usually mechanistic, constrained, and innovation-stifled in an attempt to anticipate and control every business challenge that might arise. These types of organisations and teams tend to add controls but never take them away.

Where do we see this: This condition typically affects back office functions, public sector service delivery and functions with high levels of safety risk.

Under-managed risk

Definition: Business lines that are speculative in their approach and encourage risk taking with little investment into the processes and procedures required to manage such risks.

Risk appetite: Risk taking

Control environment: Loose

What this looks like: At its worst, business lines with a loose control environment and high risk taking can be described as laissez-faire, with maverick and “win at all cost” behaviour; characteristics that became highly apparent in the onset of the recent Global Financial Crisis. These types of organisations or teams have a drive to achieve results quickly that tends to far outweigh the risk being taken on.

Where do we see this: This condition typically affects revenue generating functions in high growth markets and functions with little financial or safety risk.

Figure 4: Getting the balance right

Wouldn’t you rather see this?

Aligned

Risk appetite: Risk taking that is appropriate to the role of the business line

Control environment: Appropriate limits; appropriate freedoms

What this looks like:

• A well defined strategy that defines the organisational risk appetite

• An appropriate control environment that is integrated into the operating model that supports and enables consistent behaviours

• There is an alignment between the desired and actual risk culture

• Behaviours are within the risk appetite tolerance

• The control environment enables both value creation and protection

• Risk management is a performance driver, not a constraint

What it takes to achieve this:

• The organisation needs strong values and ethical guidelines

• People need to know what is expected of them, as it relates to risk taking

• There must be a “way” of working that unites the team

• People need the appropriate accountabilities, systems, tools, escalation mechanisms, training, policies and procedures to support the expected behaviours

• There must be incentive to exhibit the expected behaviours

• People need the right capabilities to make risk and reward decisions

• Leadership must act as role models and enable staff through coaching, experience and recognition

• People’s value sets need to be aligned with the organisation’s


A closer look at risk taking, according to the Corporate Leadership Council

A culture of risk tolerance has a substantial and positive impact on three important employee attitudes. Employees who work in a risk-tolerant culture are likely to:

• Put 18% more effort into their job

• Be 45% more committed to their organisation

• Feel 33% more closely matched with their jobs than employees in a risk-intolerant culture

Promoting a risk-tolerant culture has further direct benefits such as encouraging employees to push themselves beyond their current practice, leading to a total impact on performance of nearly 39%.

Chief Risk Officers — it’s time to step up!

The role of enterprise risk management has no doubt been enhanced in the past decade… but there is still more to be done.

As CRO, it is your role to drive the agenda that an adequate control environment consists of both physical and behavioural elements; that processes and systems are only part of the answer and that behaviours can’t be ignored.

In doing so, you will start to ask different questions and work with a broader set of capabilities than you do today. Importantly, this is not about neglecting the compliance aspects of your role — rather, it is about offering your business more capability to drive business performance.

We believe that business leaders understand that the culture of an organisation is important and that an uplift in risk management capability will result in significant performance improvements. But transition has been slow. A global survey conducted by Ernst & Young in 2010 showed that although 92% of respondents in Financial Services noticed an increase in attention on risk culture, only 23% report a significant shift².

To overcome this slow transition, business leaders need to undertake a change management exercise and the challenge will be around “how” to make a difference.

The next section will explain “how” business leaders can unlock the human dimension.

2 Source: Ernst & Young and the Institute of International Finance 2010 Making Strides in Financial Services Risk Management Report.


Achieving your desired risk culture requires you to follow five stages:

1. Identify — Meaningfully segment your organisation and define your risk culture vision

2. Diagnose — Establish, quantitatively and qualitatively, whether your actual risk culture aligns with your vision

3. Design — Create a behaviour change program that includes the interventions that you know, from diagnostic analysis, will work most effectively

4. Deliver — Focus on engineering the appropriate risk behaviours required within each meaningful sub-group and deploy targeted change interventions only in the areas that need them

5. Sustain and evolve — Continuously monitor the health of your risk culture and make adjustments early, before bad habits get ingrained

In addition to what is required organisationally, behaviour is also the result of individual drivers, such as the need for achievement and affiliation (McClelland, 1961; Maslow, 1943). People, in any role they perform, do not come to work to fail. They are driven to achieve and grow in their work, to do the right thing and not actively make decisions that lead to adverse outcomes such as financial loss or unsafe practices. Equally, people need to feel they belong and are accepted by the various groups that they operate in. In the risk context these two needs, organisational and individual, can result in a level of tension between the way in which people would behave (to fulfil their need for achievement), and the behaviour required by the culture and norms of the groups in which they operate (to fulfil their need to belong).

According to Dunbar’s Number³, there is a cognitive limit to the number of people with whom one can maintain stable social relationships — between 100 and 230; that is, they know who each person is and how each person relates to each other. This should indicate to us that in large organisations there will be sub-cultures that emerge, often focused around departments, functions or geographies, and that distinct risk cultures are likely to manifest when a group reaches around 150 people. This in itself is not bad, as the different departments, functions or geographies may require different risk cultures. However, the challenge lies in ensuring all the parts are aligned to the overriding and dominant organisation-wide culture and risk appetite.

“The way we work around here”, or the combined effect of the human and non-human environments, is what we define as the culture of a group and can be defined, changed, and monitored. A strong culture can constitute a powerful capability when addressing certain types of problems or seizing new market opportunities. However, it can also be a disability when not aligned to the strategy and risk appetite set by leadership.

Understand and drive the right risk culture

[Figure: Alignment of behaviours across sub-groups. Labels: Marketing, Product, Finance, IT, Risk, Sales.]

Individual drivers: Need for achievement and affiliation

Group drivers: Set norms for the way in which people in that group should behave

The needs of these different stakeholder groups can often conflict, thereby confusing people as to what is expected behaviour

3 Source: Dunbar, 1992


Stage one: Identifying your risk culture

To date, risk appetite, and by extension risk culture, has not been defined at a meaningful enough level down the organisation. A Board-level risk appetite statement is simply not enough to guide behaviours at the frontline. It does, however, provide the broad “playing field” within which individual teams and sub-groups can be expected to operate.

The diagram below (Figure 5) illustrates, in very simple and illustrative terms, how the definition of risk appetite can be articulated at a more meaningful level. Functions such as marketing and sales and product development are focused on creating value and therefore will need to demonstrate more innovative and free-thinking behaviour than divisions such as compliance and internal audit that are focused on protecting value. If we examine this at a more micro-level we can see that even within one function like Information technology (IT), whether the team is focused on creating or protecting value will vary depending on their role. For example, software development may be more focused on creating value while IT security is more focused on protecting value. These differences in risk appetite and subsequent risk culture are critical to understand when examining and attempting to influence the behaviours of a group.

[Figure 5: Illustrative segmentation of sub-group risk cultures (illustrative only). Panel titles: Mission; Strategy; Business culture and values; Value chain; Support services/enabling activities. Text shown: “To maximise our shareholder's worth in a manner consistent with our vision and culture”; long-term aims of global expansion; increase market share; Safety, Continuous improvement, Courage, Teamwork, Integrity, Customer focus, Enthusiasm, Balance. Functions shown: Marketing and sales, Design/product development, Procurement, Manufacturing, Supply and distribution, Service facilities, HR, IT, Legal, Finance, Compliance, Risk management, Internal audit. IT teams shown between protecting value and creating value: Servers/networks, Software development, Helpdesk, Web team, IT security.]

In identifying your risk culture vision, you need to account for two dimensions:

• The specific risk appetite expected of the functional area

• The required control environment to operate within

Ask questions, such as:

• To what degree are functions in your business line expected to create and protect value?

• What are the behaviours you expect from sub-groups?

• What level of control is really necessary to prevent over exposure to risk?

• Are there areas where control can be relaxed to stimulate innovation?


Stage two: Diagnosing the health of your risk culture

There are four common archetypes of risk culture that organisations pursue, as described in Figure 6:

1. Tightly controlled and risk avoiding — think of the soldier ant

2. Tightly controlled and risk taking — think of the cheetah

3. Loosely controlled and risk taking — think of the eagle

4. Loosely controlled and risk avoiding — think of the meerkat

In diagnosing the health of your risk culture, establish, quantitatively and qualitatively, whether your actual risk culture aligns to your vision and establish whether there are any pockets of your organisation where you expect eagle behaviour but are getting soldier ants.

Figure 6: Risk culture archetypes

Meerkat: Looking out into the distance at where the source of danger is coming from but flexible and nimble to a changing environment (e.g., Chief Risk Officer)

Eagle: Surveying the scene for opportunities and prepared to take quantified risks (e.g., Head of Product Design)

Soldier ant: Focussed on creating the safe home base that protects the tribe (e.g., Bank Teller)

Cheetah: Predatory in nature but very careful about each move it makes (e.g., Trader)

[Axes: Risk appetite (Avoid, Take); Control environment (Tight, Loose).]

Ask questions, such as:

• Where are the greatest deviations between our vision for risk and the actual behaviours taking place?

• What is driving behaviours to be the way they are?

• What is the actual problem that requires fixing?

• Where is the evidence saying I should invest?


4 Source: Ernst & Young, 2008

Stage three: Designing the right behaviour change program

A strong diagnostic output is not only an insightful and evidence-based assessment on whether behaviours fall within or outside of risk appetite but should also provide a set of recommendations for greater alignment between desired and actual culture.

Our Behaviour Engineering Model, described in our Postcards from the Edge⁴ series, and further outlined in Figure 7, continues to prove a practical approach for changing behaviours within an organisation. The approach outlines a range of potential interventions for changing behaviour. The model is based on six key levers of change and works on a diminishing returns principle so that activities in box one will yield greater results for less effort than box two and so on. The model also separates activities that are organisational factors (activities one to three) that leaders can control, versus individual factors (activities four to six) that individuals have greater control over.

Non-human elements

1. Information: Setting clear expectations

Ensuring that people know what is expected of them so they can model their behaviour accordingly. This includes having an awareness of the risk appetite and current risk profile of the group most relevant to them day to day.

2. Resources: Aligning accountabilities, resources, systems and language

Ensuring that people have everything they need in order to achieve the expectations that have been set for them — everything from time, to authority, to skills and systems.

3. Incentive: Incentivising the right behaviours

Reinforcing the desired behaviours with appropriate incentives and discouraging undesirable behaviour with disincentive or disciplinary action where appropriate.

Human elements

4. Competency: Developing skills, knowledge and capability

Providing people with the skills, knowledge and experience to develop their capability in risk and reward decision making.

5. Application: Role modelling the right behaviours

Leadership role modelling and enabling staff to do so through coaching, experience and recognition.

6. Motivation: Aligning organisational and individual values

Ensuring that the right people are employed and creating an environment where people are encouraged to achieve and grow and belong.

Figure 7: Behaviour engineering model

In designing the right behaviour change program, ask questions, such as:

• Which interventions will have the greatest effect?

• Where should I invest first?

• Who will be accountable for delivering the change?

• How will I measure their success?


Stage four: Delivering behavioural change

Changing the culture of an organisation, or a sub-group, is a challenging change management project. Just as projects to implement IT infrastructure or new reporting lines need appropriately skilled resources, so too must a project to progressively change culture. Formal project methodologies should be adopted including the development of clear success factors and implementation check points to ensure that cultural change can be evidenced rather than just assumed.

So when delivering behavioural change, focus on engineering the appropriate risk behaviours required within each meaningful sub-group of individuals. It is only there that meaningful and appropriate behavioural alignment can be achieved. Ensure the leadership is accountable for change and that ongoing monitoring keeps the momentum going.

Ask questions, such as:

• Is accountability for leading change strong?

• Are we consistent in our change messages?

• Are there pockets of resistance that need addressing?


Stage five: Sustaining change and building on risk management capability

Behavioural change is not a “set and forget” exercise. Through active and ongoing use of consistent diagnostic monitoring, a common language emerges that risk and the business can work with together to evolve the risk culture of an organisation. It is likely, over time, to be predictive of latent behavioural risk and useful as an early warning system to prevent unforeseen incidences.

Going forward

Risk management is going through an exciting evolution. Its role to enable business performance is becoming increasingly appreciated and, with this, comes greater expectations of stakeholders as to what it can deliver. We believe that you can influence the right human behaviours to complement the existing non-human environment; it’s just a matter of knowing “how”.

Behavioural change is a challenging feat and one which won’t occur overnight, or by osmosis. It requires a methodical, analytical and planned approach that has strong leadership and typical program infrastructure. With these factors in place, the five stages of identify, diagnose, design, deliver and sustain are achievable.

Be clear on your vision, diagnose the current state, design a change program for the areas that need it, deliver the targeted initiatives in a coordinated way and continue to sustain and evolve the risk capability that you have developed. The confidence to leverage risk taking behaviours will flow from there so you can protect the value you have and continue to create more.

In the long term, the question you will want to ask is:

• Now that I have aligned my risk culture to my risk appetite, where can we push for greater impact?


Contacts

Risk Advisory Services

Rob Perry, National Leader Partner, Tel: +61 3 9288 8639

Tony Martin, Partner — Victoria, Tel: +61 3 9288 8684

Robin Rajadhyaksha, Partner — New South Wales, Tel: +61 2 8295 6558

Catherine Friday, Partner — Australian Capital Territory, Tel: +61 2 6267 3955

Heidi Riddell, Partner — Western Australia, Tel: +61 8 9429 2136

Ian Rodin, Partner — Queensland, Tel: +61 7 3011 3313

Peter Byrnes, Partner — South Australia, Tel: +61 8 8417 1647

Paul Roberts, Partner — New Zealand, Tel: +64 9 308 1064

People Advisory Services

Amy Poynton, National Leader Partner, Tel: +61 3 9288 8901

Graeme Bignell, Partner — New South Wales, Tel: +61 2 9248 4077

Joanne Smail, Executive Director — New South Wales, Tel: +61 2 9248 4258


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit www.ey.com

© 2011 Ernst & Young, Australia. All Rights Reserved. SCORE No. AU00001068

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Liability limited by a scheme approved under Professional Standards Legislation.