Risk Culture: Accountants, Auditors Should Be Leaders Not Police Officers

 This article was originally written for and included in the ACCA Quarterly Newsletter for Financial Services, AB.Direct.

What is the risk culture of an institution? When assessing the economic and competitive sustainability of an organisation, is it good enough to focus solely on the risk culture?

Ever since the financial crisis, risk culture has been a hot topic. For the most part organisations believe that having a good risk culture means ensuring that all risks are properly identified, assessed, reported, managed, controlled and mitigated. By definition this also means ensuring that IT and reporting systems are adequate, as they must record, aggregate and report risk information accurately and reliably.

For many, another aspect of good risk culture is the adoption of enterprise risk management (ERM): the idea that an organisation must take a holistic view of all the risks that might affect its activities and ensure that it develops an appropriate capability to manage them. Frameworks such as COSO were developed to provide a formal approach to ERM and guidelines for its successful implementation.

Consistent with this concept of ERM is the idea of the risk register. Organisations the world over have been busy identifying and logging all the risks they are exposed to. These risks are then assessed to identify how they can be controlled.

Many also believe that communication plays an important role in the development of an appropriate risk culture. If everyone within an organisation is sufficiently ‘risk conscious’, the ongoing identification, management and mitigation of risks is improved.

The importance of communication should not be underestimated. Periodic reviews of ERM frameworks and risk registers are required, but they remain static approaches to risk in a business and regulatory environment that is subject to constant change.

For this reason alone, an organisation’s attitude, attention to and due diligence in managing risk is not enough to safeguard its interests, irrespective of how good its approach is.

The reality is that it is more important to focus on how that risk is incurred, which means understanding the business, the business model and how that model generates risk. Ultimately, what matters most is not so much the risk culture of the organisation but the overall culture of the organisation including that of the leadership.

The financial crisis provides a very good example of why focusing solely on risk culture is not enough.

A primary cause of the crisis was the origination of subprime loans from unlicensed brokers, the now infamous ninja loans, on behalf of small and/or regional banks. These loans were then sold to major investment banks for securitisation. The securitised assets were then sold on to investors.

Everyone now recognises that such a poorly regulated market was certain to create a major problem.

Nevertheless, we can reasonably presume that while this business model was being fully exploited, risk managers, auditors and accountants were busy checking to ensure that the loans were purchased from reputable banks; the monies were properly moved across the nostro accounts; legal documentation was in place; securitisation was in accordance with regulations; and rating agencies had stated the quality of the securities. All hallmarks of a good risk culture.

However, none of the above actually prevented the entire market for subprime loans and related securities from crashing down.

How could such a thing have happened? How could there have been such a collective failure of the risk culture of virtually the entire banking industry?

Hal Gregersen, one of the co-authors of The Innovator’s DNA, provides some of his own insights, stating in an interview, ‘I look back to the financial crisis in 2009 and wonder how many of the CEOs and executives of the major banks in the world ever took the time to get out of their offices to walk down to their home loan making office and just watch the process of how these loans were being made? I bet if they had they would have sniffed something ugly really fast. And they would have done something.’

Having a good risk culture, then, is simply not good enough, even if those responsible for managing and mitigating risk act independently of management and are great at their jobs. The reality is that an organisation’s risk culture cannot be divorced from its overall business culture. If the business culture fails the organisation, there is very little that the risk culture can do about it.

Organisations are constantly taking decisions that impact their risk profile and render their risk culture irrelevant. They may make acquisitions that turn out to be completely wrong for their business, as RBS found out when it purchased ABN AMRO, an acquisition which effectively resulted in the collapse of the merged entity.

Another major cause of value destruction in the financial markets has been the herd mentality, where participants pile in and markets rapidly rise, as if defying gravity, only to fall back when the false paradigm on which they were built no longer appears plausible. This scenario has been the hallmark of financial crises over the past forty years and it appears to be one specifically designed to circumvent and subvert risk cultures.

Sometimes organisations make too many acquisitions and it becomes impossible to integrate all the misfit units into a coherent whole or, worse still, the cultures of the merged entities are incompatible.

What then? Is a mismatch of organisational cultures regularly included in the ERM framework? Is organisational culture recorded in the risk register?

The answer is most certainly not. Yet, these issues are the ones most likely to cause the largest destruction of value, as Rupert Murdoch found out when he bought MySpace, only to see Facebook vault ahead in the social media game. That cost Murdoch some US$545 million.

All finance professionals have a decision to make. They can continue to emphasise risk culture and remain in the role of guardian or police officer. Alternatively, they can don the mantle of leadership, by also focusing on the organisational culture, and tackle the main risk issues right at inception. That is how we can best add value to our organisations.

Jonathan Ledwidge, FCCA is the author of the book Clearing The Bull, The Financial Crisis And Why Banks Need A Human Transformation (iUniverse)

One response to “Risk Culture: Accountants, Auditors Should Be Leaders Not Police Officers”

  1. Great article
