Featured Article

Creating Enterprise-Wide Risk Awareness: Are Your Entities Building Prudent ‘Risk Cultures’?

Date: November 1, 2009
read time: 8 mins

Many entities have imprudent risk cultures or elaborate ethics codes that aren’t instilled among employees. CFEs can take a lead role in guiding companies through the essential fraud prevention process of creating an effective and vibrant risk culture. 

Stacy, a CFE, and a vice president and assistant manager at Schultez Bank, was concerned the bank had been taking chances by making hundreds of subprime home loans to questionable borrowers. And she was often dismayed when the executives, spurred by bloated incentive packages, took dubious chances. Stacy knew what a healthy “risk culture” should look like, and this wasn’t it.

She took her concerns to the bank’s president, who tried to convince her that the bank needed to take these chances in boom times to satisfy the shareholders. But Stacy wasn’t convinced; she took her skills to another bank that had cultivated a culture of ethics, sound reasoning, and a healthy risk structure among all its employees. Good thing she did. In 2007, Schultez Bank, like many small banks, succumbed to its wildly high-risk attitude, unethical practices, and outright fraud. 

Though Schultez Bank isn’t real, it represents many institutions and companies that have imprudent cultures or those with elaborate ethics codes never instilled among the employees (witness Enron).

CFEs can take a lead role in guiding companies through the essential fraud prevention process of creating an effective and vibrant risk culture. Simply put: A risk culture gives every employee a stake in risk management. Employees’ basic principles, values, and attitudes – as well as their knowledge and opportunities in dealing with risk – determine an enterprise’s risk culture. An appropriate risk culture is necessary before a risk management system is able to work effectively and efficiently and comply with the Sarbanes-Oxley Act (SOX). In this article, we’ll discuss management’s opportunity and obligation to shape its risk culture and how CFEs can advise them.

To comply with SOX, those employees directly involved with internal controls have to be aware of risks. But the internal control system only fulfills its purpose when all employees are aware of risks in a well-established enterprisewide risk culture.

Tone at the top – the ethical atmosphere that the organization’s leadership creates – is fundamental. But it doesn’t automatically lead to an effective risk culture, nor does it guarantee a perfectly designed internal control system is working properly.

SHAPING RISK CULTURE  

There’s plenty of economic literature focused on concrete and detailed risk management recommendations. Annual reports give the impression that every enterprise has implemented a system for managing risks. However, making risk culture an important part of risk management is still typically neglected. Yet, risk cultures are an integral part of corporate culture. Consequently, a company’s leadership must plan how it can create a responsive and companywide risk culture.

According to the model of corporate culture by Edgar Schein, professor at MIT Sloan School of Management and prolific writer on organizational culture, three elements determine the risk culture of an enterprise: basic assumptions, values, and artifacts and creations. (See “Coming to a New Awareness of Organizational Culture,” by Edgar Schein in the winter 1984 issue of Sloan Management Review.)

Basic assumptions are the foundation of corporate culture. They’re the invisible fundamental matters of organizational and environmental relations that are taken for granted. Employees’ perceptions, thoughts, and feelings about risks and the ways in which they experience those risks are the basic assumptions of a risk culture.

Values determine employees’ moral and behavioral standards. Principles, unwritten guidelines, and taboos that employees respect come from these values. Sometimes, management can see the evidence of an employee’s values, but often they’re only partially visible.

Artifacts and creations are the tangible products of a risk-management system. They include a risk manual, a risk manager and/or risk committee, published risk principles and guidelines, an IT-based risk reporting system, a printed risk report in the annual report, and employee risk workshops. Such items are clearly visible and allow risk managers to understand the existing risk culture of an enterprise. The presence, or absence, of artifacts and creations provides the platform from which managers can evaluate and shape a risk culture.

FOUR STEPS FOR SHAPING RISK CULTURE 

A plan for shaping risk culture in an enterprise should contain four steps:

  1. Create a team to lead the process.
  2. Diagnose the existing risk culture.
  3. Evaluate the existing risk culture to get an idea of what the desired risk culture should look like.
  4. Initiate and monitor an action plan for reaching the new risk culture.

Create a risk culture team
Appoint a person independent from the enterprise, possibly an external consultant who’s a CFE, to lead the risk culture team. Members can include not only top management and the risk-controlling department, but also board members, and internal and external auditors. Make sure that at least one member of the board is on the team to encourage management’s support when it works to diagnose the enterprise’s risk culture.

Diagnose
Ultimately, employees should diagnose the risk culture, and they shouldn’t think that forces from outside the organization are imposing their views on them. However, the members of the risk culture team should be responsible for discovering the employees’ views on the existing risk culture and what it should become.

Survey employees. The team should reach every employee in the enterprise with questions about its risk culture so the entire staff is sensitized to the topic. It’s best to send a computerized questionnaire, which limits the workload and costs and is easier to evaluate than individual interviews. A standardized and anonymous questionnaire is also likely to garner more honest answers to questions about the company’s “risk appetite.”

Launch an analysis workshop. The independent coordinator and the members of the risk culture team should prepare an analysis workshop for selected upper management and cultural leaders to help uncover the invisible basic assumptions (the deepest level of Schein’s model) that underlie the enterprise’s values.

Speak to executives. In addition to the analysis workshop, individually interview each member of top management to promote high interactivity and frankness. The highest priority is eliciting deep thinking and honesty from them. Top management has to devise the range of possibilities for shaping a new risk culture. Subjects to cover are the enterprise’s strategies and philosophies and the executives’ own styles and systems of leadership. These will determine the chances of cultural change.

Evaluate
The target culture will be based on the same factors that were used to evaluate the existing culture. (See “How to Evaluate a Corporate Culture” below.) The members of the risk culture team then conduct a critical review of the existing culture after assimilating the results from the enterprisewide survey, the analysis workshop, and the individual interviews.

Reorientation is possible only if there’s a reason and an understanding of the necessity for cultural change among management and employees. The goal of a new risk culture should be a conscious handling of risks by every enterprise employee.

Act!
After members of the risk culture team diagnose, evaluate, and create a plan for the new risk culture, top management is responsible for implementing cultural change. Proposing new patterns of behavior goes hand in hand with new ways of communicating them and with updating the artifacts and creations (manuals, guidelines, reporting systems, and workshops) so that they reflect the target culture.

Interestingly enough, simply acting differently, breaking through routines, and terminating lifeless rituals can be effective. As a result, employees become more willing to support cultural change.

Getting all employees to “buy in” is crucial to the success of a risk-oriented culture. They must know their input was instrumental in creating new policies and that their continued involvement is essential. Communication, of course, is key to making this happen. All employees must understand that they each have a continuing role to play. Management should reward risk-sensitive behavior and attributes that contribute to the targeted risk culture and dissuade bad behavior.

Once the general framework and the proposed measures and tools begin to initiate cultural change, you might see some unexpected effects. Undesirable trends, such as employee irritation or unforeseen cultural developments, could surface and need to be recognized, discussed, and corrected if necessary. Consequently, monitoring is vitally important. A new culture is vulnerable to undesired changes, so management must continuously observe and evaluate newly implemented risk-culture measures.

REWARDS OF SUCCESS 

A well-conceived and executed risk culture creates enterprisewide accepted guidelines for managing risks. It simplifies coordination among all employees and clarifies how each individual should handle his or her job regarding risks. Employees take ownership of their own risks and even those of their coworkers.

A good risk culture conveys solidarity; employees believe they’re an integral part of the corporate culture. It engenders a strong sense of belonging, motivates people to become active participants in the welfare of their company, and deters fraud.

A dynamic risk culture increases the level of awareness that sensitizes employees to corporate risks. Not only will they more fully support the basic structures and processes of risk management, but they’ll also become mindful of the fact that they’re an important part of a risk-oriented corporate culture, and they’ll strive to help the company avoid fraud and threats that could jeopardize business continuity.

Oliver Bungartz, Ph.D, CFE, CIA, CISA, is head of Enterprise Risk Management (ERM) Services at RSM Altavis in Germany.


How to Evaluate a Corporate Culture 

These factors significantly influence the risk culture of an enterprise:

  1. Strategy and philosophy: Document current risk strategy and philosophy throughout the enterprise through questionnaires and interviews. Discover if the message is creating a culture of anxiety or thoughtlessness. Be brutally honest.
  2. Leadership: Leadership in an enterprise should be based on a balanced approach to risk and on an efficient and effective internal control system. Evaluate whether your control structure motivates managers to take calculated, prudent risks or paralyzes them. Discover whether leadership reflects a risk-sensitive management style.
  3. Personnel: Find out whether management is living up to its responsibility to model healthy, risk-sensitive behavior for employees, so that employees take genuine ownership of these concepts instead of merely mimicking the bosses’ actions or parroting their words.
  4. Communication: Discover whether top management is encouraging open communication throughout the enterprise, top-down and bottom-up as well as across departments. Open communication of risks enables a fast reaction to changes in the business environment.
  5. Organization and risk-management process: Meticulously evaluate each department to see if responsibilities and accountabilities are clearly defined.
  6. Response and reaction to changes in the business environment: Discover if your enterprise is rapidly and flexibly reacting to environmental changes.

Factors of influence for a risk culture are strongly interdependent and influence one another. An adequate and desirable risk culture produces three main effects:

Coordination
Risk culture should create accepted enterprisewide guidelines for managing risks, which increase coordination among all employees and define their responsibilities.

Integration
Risk culture should convey solidarity and security to employees as they carry out their responsibilities. The strong coherence of the whole complex enterprise will communicate to employees that a healthy risk culture isn’t a fuzzy concept for corporate types but part of their job descriptions.

Motivation
Cultural integration and a sense of belonging motivate employees to create an esprit de corps, or sense of fellowship, and an even stronger risk culture.

This figure summarizes the factors and effects of an appropriate risk culture: [Image no longer available. Ed.]

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
