With a 300-page analysis produced as part of her PhD thesis, Ferma board member Cristina Martínez aims to inject a positive risk culture into Spain’s slow-to-adapt corporate secto
Rushing back to her office from an two-hour risk committee meeting at Sacyr, one of Spain’s largest and most successful construction companies, Cristina Martínez appeared rather determined when she spoke with StrategicRISK.
On the board’s agenda was risk culture, a topic that is increasingly gaining C-suite interest, and for good reasons. With the right culture – one that catches risk exposures early and manages them well – a company could avoid financial losses in the billions.
But Martínez didn’t want to discuss theory.
“Although organisations recognise that implementing ERM philosophy is regarded internationally as ‘good practice’, most do not have an effective ERM programme in place because they continue to meet resistance to the cultural and structural changes required by this risk management model”, she says. “For Sacyr’s top management behaviour of people in relation to uncertainty (risk) is a priority”.
She had an action plan to share, derived from 300 pages of qualitative and statistical analysis she had produced as part of a doctoral thesis.
For Martínez, this thesis – submitted to Spanish university Universidad Pontificia de Salamanca in January – was as much about obtaining the highest qualification in risk management as it was about effecting cultural change on a wider scale.
“Risk behaviour – whether good or bad – is very contagious,” she says. “So if a company has a negative or prohibitive risk culture, employees will adopt characteristics commensurate with that culture.”
She adds: “My thesis is about understanding the human side of risk – how a company’s corporate culture can influence an individual’s attitude and behaviour towards risk.
“I wanted to scientifically prove this link to add further weight to industry discussions and reinforce a message we have heard many times from many risk leaders: if chief executives want to ensure a risk-intelligent company, they must understand how they are influencing the behaviour and attitudes of their staff.”
More than just spreading this message, Martínez wants to help businesses take action against negative risk cultures. Having surveyed 61 of Spain’s stock-listed companies, she concluded that lack of risk culture was a major problem.
The survey was particularly telling when it came to the frustration felt by risk managers, some of whom resent what they see as the lack of investment in their role. For example, some risk managers said risk culture was not formally defined at work. Those who said a risk culture was present were quick to describe it as “very weak”.
Just as worrying was the admission that risk management was not integrated into strategic plans and that little effort was made to understand whether critical risk-informed business decisions had helped achieve company objectives. Risk was not always understood outside the risk department and few firms had a framework for measuring risk maturity.
In essence, “there is a disconnection between business strategy, organisational structure and risk culture”, says Martínez. The problem, however, is not limited to Spain. “FERMA’s benchmarking survey also found the same disconnection among businesses across Europe.
“There are, of course, numerous risk management models which aim to address this gap,” she adds. “But it is not easy to apply complex theory into practice.”
Her solution? A diagnostic model that she hopes will help risk managers “detect symptoms of poor culture and treat them”.
During five years of PhD research she combined her family duties, professional career and FERMA Board mandate to study more than 1,000 papers on organisational behaviour and risk culture – everything from scholarly texts, theses, surveys and corporate thought leadership reports.
She also examined the main risk management standards, including FERMA, CAS, COSO and ISO31000, to understand how these industry guidelines address cultural and organisational problems.
From this came a framework of the main symptoms: what she calls “inhibitors” to a fit risk culture. She says the top five disruptive symptoms to watch out for are:
- Theory is not translated to into practice: The company’s objectives and values are simply communicated through wall posters. There is no framework for how to achieve these values and executives neglect to train decision makers in how to apply the risk management process.
- Procedures more relevant than people: There is little investment in people and few training opportunities. “This can result in a mismatch between skillsets and job roles and high turnover in staff,” says Martínez.
- Mistakes are punished and employees are not encouraged to learn from mistakes.
- Employees display little or no awareness of how risk management can contribute to the delivery of the company’s overall business strategy: “Some businesses even expressed a lack of confidence in the benefits of ERM,” says Martínez.
- Risk managers fail to communicate with business departments regularly and so there is doubt whether risk management enhances the decision-making.
Tackling some of these symptoms begins with top management and risk managers taking steps to define both its risk and corporate culture. Martínez prescribes the following:
- Engage executives and department heads in translating the “corporate culture and strategic objectives” into a list of what the company wants to achieve, how and when.
- Ask senior management to draw up a map of critical decisions and consider how unconsciously biased are they. Explain there is a direct link between unconscious thinking and actions and behaviour.
- Engage diverse and cross-functional teams of business experts in identifying and assessing problems that may adversely impact their own objectives or projects and opportunities that may allow them to share best practices.
- Prioritise critical risks and review controls and mitigation plans that are in place to address them.
- Share the results with business experts, presenting the ERM department as decision facilitator