Risk culture in organisations took centre stage after the Global Financial Crisis (GFC) broke in 2007. That’s when businesses realised the extensive, catastrophic and sometimes irrevocable damage that can result from a weak risk culture.
Ten years later, poor risk culture is still the root of many high-profile fraudulent incidents across the globe, the latest one being Volkswagen. The automotive giant recently agreed to plead guilty in a fraud case over a diesel emissions scandal and pay US$4.3 billion in criminal and civil penalties. VW intentionally cheated on emissions tests for nearly 10 years, which led to the ousting of its chief executive, damage to the company's global reputation, and the loss of billions of dollars.
So what is risk culture and why is the concept so challenging for organisations to get their heads around and take action to help mitigate fraudulent incidents?
Risk culture is defined as the shared perceptions among employees of the relative priority given to risk management, including perceptions of risk-related practices and behaviours that are expected, valued and supported. Regulators and industry participants alike acknowledge the importance of risk and ethical leadership culture as a crucial factor in preventing unexpected losses, risk events and even insolvency.
Survey after survey indicate that risk is now a board-level topic, yet so many organisations still suffer from the “gap of grief” - the inability to fully understand to what degree security incidents translate to quantifiable business risk. Issues are identified through a variety of sources, such as audits, risk assessments and security assessments, but are not managed properly to closure. Prioritisation of these issues is near impossible because there is no common understanding of the business criticality of assets and processes affected by these issues. Companies then lack a consolidated view of general risks or have a very manual-based (spreadsheet) approach to cataloguing and assigning risks. In addition, third parties (outsourcers, contractors, service providers, business partners, etc.) are becoming increasingly important and organisations just don’t know what entities are impacting their risk profile.
To strategically address risk, organisations need a strong program foundation. This might include a process for issues management, a business impact analysis framework, the ability to catalogue and monitor risks, and the ability to identify and track third parties to understand the emerging ecosystem that affects business risk.
In order to have a resilient risk culture in place, it is of the utmost importance for business leaders to fully understand the security component of the equation, so that internally, both the leadership team as well as the IT department can be on the same page when it comes to managing the business risk of both internal and external data breaches and cyberattacks. Having a security architecture that helps create explicit linkage between what security technology is telling you and what that means in terms of business risk, is poised to bridge that gap and get everyone on the same page.
Despite all of this, companies can have the most efficient tools and expensive processes in place, but it only takes one employee to cross moral and ethical boundaries for a business to have its reputation tarnished, face hefty fines and penalties and be prosecuted. And if the company nurtures a culture that enables such transgressions, it is only a matter of time before a staff member intentionally goes rogue. It is also worth mentioning that in some cases, unethical behaviours are knowingly encouraged by senior leadership.
The VW case is a classic example. Senior leadership knowingly allowed engineers to cross ethical boundaries by installing software in their vehicles that helped them pass greenhouse gas emissions testing, while emitting pollution about 40 times the legal limit.
Another example is the Wells Fargo fraud scandal, where employees opened as many as two million bank and credit card accounts on behalf of its customers, without their authorisation. Wells Fargo had a very aggressive sales culture and elaborate incentive schemes in place, driving wrong-doing amongst their staff members from the top.
While risk should be everybody's business, it is imperative that leadership teams encourage a strong risk culture where employees are risk aware, understand the consequences of their decisions and are confident to raise objections when necessary. If the senior leadership team makes risk management a priority and leads by example, then this will filter through the rest of the organisation. By making it clear that risk culture is on the leadership agenda, business leaders send a powerful message in their organisations that a lack of awareness, indifference or disregard for risk are not acceptable behaviours.
Moreover, risk culture assessment and reform should not be a one-off event or remain static. It should be actively challenged to encourage continuous improvement. Tools such as regular risk culture diagnostics foster a cycle of ongoing improvement by allowing management to benchmark against other organisations, track performance over time and provide results at a sufficiently granular level so that effective remedial action can be applied.
Embedding a resilient and ethical risk culture in an organisation takes a lot of commitment from business leaders, but the business benefits of investing in risk culture far outweigh the efforts.
If senior leadership teams attack risk management from all corners, it will flow down to the rest of the company and it will contribute to instilling a resilient risk culture that becomes part of the organisation’s DNA.
Antoine Le Tard is General Manager – Australia and New Zealand at security company RSA.