Asia-Pacific countries are putting more focus on individual conduct and culture. How can risk managers embed a culture of risk management across their organisation?
Culture is a buzzword for corporates across the Asia-Pacific region in 2019. In February, Australia’s Royal Commission into financial services published its final report, a damning indictment of corporate culture across the country. The report highlighted endemic greed, a lack of care for customers, and an absence of accountability at Australia’s biggest corporations. The Commission prompted the Australian government to put more focus on the actions of individuals, a trend seen across the region.
The Reserve Bank of New Zealand is one of many regulators to focus on corporate misconduct and culture. In Singapore, meanwhile, financial regulators have drafted laws to identify the responsibilities of employees in material risk functions. Elsewhere, Hong Kong’s Manager in Charge regime is set to enforce greater individual accountability for corporate executives and organisations.
Scrutiny is key
As scrutiny on conduct and culture increases, risk managers face more pressure to implement a strong risk management culture in their organisation. Risk managers need to ensure the tone is set from the top and practised throughout their business.
The stakes are higher than ever. How can risk managers ensure their company has a strong risk management culture? How do they make it consistent? And what obstacles stand in the way of embedding risk management culture?
Recent studies underline the importance of risk culture. Thomson Reuters’ recently-released 2018 Culture and Conduct Risk report revealed that conduct risk continues to influence boardroom decisions. A total of 28% of respondents said they had turned down business opportunities due to culture and conduct concerns over the past year.
More than 70% of companies surveyed by Thomson Reuters expect regulators to increase their focus on conduct this year. The report concluded most companies had just begun to tackle risk culture. “There is a sense that firms are now at the end of the beginning phase of coming to grips with culture and conduct risk, and that the concepts, approach and practices have entered the mainstream of business practices.”
What does risk culture mean?
Advisory firm Aon Hewitt believes risk culture is the overlap between what’s important to a business, how it makes decisions, and how it behaves. Aon says a strong risk culture allows a business to operate within its risk appetite and maximise market opportunities.
Advisory firm Deloitte says there are seven key characteristics of a risk intelligent culture; a commonality of purpose, values and ethics, universal adoption, a learning organisation, transparent communications, an understanding of risk management value, individual and collective responsibility, and the expectation of a challenge. The firm says there is “no one size fits all approach” to risk culture, but says companies should align their risk culture with their business model and risk tolerance.
According to senior risk consultants, executives at the top of an organisation, such as chief executives and senior management teams, should set the tone for risk culture. Ryan Tan, vice president of M&A and corporate planning at Singaporean telecommunications company StarHub, believes there are three main components to setting a risk culture. The first, he says, is support from the top level. “You need a top-down approach, and you need management to buy into it,” Tan says.
Tan adds: “You need them [senior executives] to support all risk management initiatives because there will be times where corporations will have different priorities. Because risk management doesn’t have a direct association with the P&O of a company, it may be deprioritised, and that needs to be addressed.”
The second step to embedding risk management culture is a bottom-up approach, Tan says. “Risk managers need to engage different risk junior to mid-level associates. That could be through risk training programmes or other practical applications. Not only to train them but to educate them about how risk makes a difference.
Tan believes the third step is to gain an “external perspective”, and identify areas of improvement by looking at rival businesses and organisations outside of their sector. “Risk managers should be thinking about best practices and benchmarking outside of their industry,” Tan adds.
Tan says the perception of risk as an independent function, rather than a profit driver, can make it difficult to embed risk culture. He believes companies need to emphasise that risk is integral to profits. He says mindset is the biggest obstacle to embedding risk culture, and says companies need to stress the value of risk. “You need to identify cases where risk management has made a difference to profits.”
Nor Adila Ismail, head of group risk management at energy company Petronas, agrees that senior management should set the tone for risk culture. She says “both positive and negative behaviours, especially displayed by role models and senior management, to me, will instil values on the importance of risk management”.
Like Tan, she believes risk has to be viewed as an integral profit driver. Ismail believes employees at all levels can play their part in creating a strong risk culture: “Encourage staff to express concerns and upholds processes to elevate concerns to appropriate levels. Emphasise this to the business, and change the perception of risk management as a policeman. Emphasise that we are not just concerned about the downside, but also seeing the upside. This helps a positive risk culture where risk is embedded in the day-to-day business.”
Ismail believes practical steps can be taken to embed risk culture, such as working with closely with Human Resources departments and ensuring clear internal communications on risk matters.
Victoria Tan, head of group risk & sustainability at Philippines conglomerate Ayala Corporation, has conducted research into the group’s risk culture. Tan has launched a survey to gauge risk appetite and awareness of its employees. Ayala uses the data and analysis to identify weaknesses and make improvements to its corporate risk culture.
Tan says: “We first did a risk culture survey in 2015 involving managers and senior officers, the results of which were used to help us understand where we are and to breakdown silos. Last year, we did another survey using the same framework and across all positions within the organisation. So far, we had a good response rate. The results will be used to develop strategies that will enhance the risk culture of the organisation.”
Tan advises Asia-Pacific corporates to conduct company-wide analysis. “The best start is to do a survey. Use any framework that will suit the organisation’s culture. At Ayala, we started with Aon’s Risk Maturity Index, which includes questions related to risk culture. Then we moved to Deloitte’s framework for a deep-dive.”
Tan says the onus is on chief risk officers to “establish risk-aware culture” and “strengthen it in the years to come”. She adds: “So we always ask the question of ‘what is the impact of our risk program to the risk-aware culture of the organisation?’ We also encourage other functional units to include risk awareness in their activities, such as HR for employee health and safety.”
Overall, Tan believes business functions need to work together to create and maintain a risk intelligent culture. “Truly ERM should be a collaboration platform and should let us breakdown silos. After all, risk’s interconnectedness is real, and only a collaborative solution will manage it effectively.”