Recent risk management failures in global finance have led to a review of what went wrong and planning to make sure it doesn't happen again.
Though mathematical risk models got most of the criticism as the financial crisis hit, industry discussions now revolve around a story deeper than the numbers — the people involved in the meltdown.
The lessons learned this time around are going to be incorporated into a new business paradigm. Risk-conscious organizations are emerging.
They define and articulate risk culture before setting standards and make their risk appetite transparent to the work force through clear communication of the risk culture. Call it "Risk Management 2.0."
The new organizations acknowledge a new level of accountability from the board and prepare their institutions to roll out far-reaching risk management frameworks. They focus on corporate governance principles and procedures that reduce operational risk exposure to achieve a competitive advantage.
Regulators will be looking to see what steps companies are taking to avoid a repeat of the systemic risk failure that occurred in the last couple of years. Leading institutions will ensure that risk management is an enterprisewide discipline that yields tangible shareholder value. Shareholders will invest in companies that have a handle on their risk culture and methodologies for communicating it to employees.
At a basic human level, risk culture is the way everyone in the organization comes to feel about risk. It recognizes that feelings, attitudes and perceptions about risk influence how the company is managed. And attitudes are changing, as I witnessed at a recent risk conference in New York, where fervent conversation ensued when the panel discussion turned to risk culture.
Scott Randall, who founded RiskCulture.com as an industry resource for insights and research, said peer discussions of risk culture are becoming increasingly passionate. A growing consciousness of the importance of risk-consciousness heralds a paradigm shift in the management of risks.
Every company has its own culture. Some are defined by their leader's personality, some by legacies from long before their leaders were born and others by their position in the marketplace and perceptions held about them by investors and the public.
Culture does not emanate from management standards, employee manuals or regulatory requirements. It represents human behavior, attitudes, values, responses and beliefs.
A bank's framework for managing operational risk draws heavily on its corporate culture. The Basel Committee on Banking Supervision defines risk culture as "the combined set of individual and corporate value, attitudes, competencies and behavior that determine a firm's commitment to and style of risk management." I believe a company's risk culture is the combination of its risk appetite and the corporate culture. The resulting blend can be more simply defined as "how things are approved around here."
Ironically, the leaders of many of today's most troubled financial institutions communicated risk culture extremely well — setting a tone that resonated throughout their organizations. They gave employees a clear sense of mission, and consequently, their "profits first, risk management second" tone translated into operational standards and process. Managers and employees picked up on top management's values and subscribed to the operational culture, ignoring the red flags raised by risk managers.
How to migrate to Risk Management 2.0? Institutions should begin by defining their risk culture. Then a company's leaders can agree on risk-related decisions and articulate policies that are in line with the institution's risk profile.
Reviewing and re-engineering risk appetite and the framework of systems, policies and processes is not enough. Financial institutions must articulate and communicate enterprise risk culture so that employees understand their roles in applying standards consistently. They need to take the time to articulate clear and job-specific messaging, communicated in a way that teaches employees how to think critically beyond merely "following the rules."
The competitive edge that comes from companywide adherence to defined standards only materializes if the risk culture is communicated enterprisewide. This must be done in the context of a distinct and differentiated corporate culture so that employees see the big picture of how the corporate risk profile fits into the success of the company and the work they do every day.
They must be engaged in the topic. Risk-conscious organizations should invest in effective communication of risk policies, processes, systems and values so that employees understand their responsibilities and their roles in applying standards consistently while working toward their strategic business goals.
We'll probably see the increased adoption of "Web 2.0" interactive learning approaches to accelerate the driving of the message through the organization, replacing ineffective and time-consuming classroom-based instruction.
Imagine an interactive computer-based simulation. Actual operational risk and compliance scenarios model human behavior in the way you have modeled market and credit risk in the past. Business managers have a risk-free environment in which to assess the consequences of business decisions.
The future is now: ANZ Banking Group in Australia successfully develops operational risk and compliance competencies using this type of simulation.
In Risk Management 2.0, business managers will not be averse to risk-management controls over their profit projections because they will be equal partners with their risk colleagues on a balanced risk/reward approach in alignment with their institution's well-communicated risk appetite.
Companies that take this path will be leaders. Companies that proceed with business as usual may repeat history.