Your company will be worth more when you have a good risk management culture
As an investor or owner of a business, you know that the company’s value when it comes to sale is based on current profitability and the “multiple”. The multiple is based on the industry in which the company operates but will increase or decrease based upon various factors. Having a strong risk culture and framework in place – knowing your risks, actively managing them, and minimising the impact of incidents – is key to proving to potential buyers that they are purchasing a resilient and well-managed company.
Since the global financial crisis, financial services institutions have worked hard to strengthen their risk management capabilities. Despite good progress, there is clearly more work to do, as witnessed by recent incidents such as the TSB banking failure and the RBS payments issue. Failures in risk management are not limited to financial services. There are numerous examples in other industries too, such as the VW emissions scandal and the EU horse meat scandal.
After the financial crisis, financial institutions embarked upon major risk programmes to redesign frameworks, policies, procedures and controls to detect and mitigate potential risks. The use of these tools, however, is limited when dealing with incidents for two reasons:
1. The tools are only effective if used in the right way, and at the right time.
2. Procedures, more rules or more regulation lead to a decline in clarity and employee accountability, which in turn lowers the quality of professional judgement and commitment to living up to ethical standards.*
A problematic ‘risk culture’ is often the true root cause of major incidents in an organisation. The widely accepted definition of risk culture is “a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose”. Put simply, it is the way of thinking embedded in your company’s DNA, visible through core values, behaviour, transparency and tone of the leadership team.
So what does a risk-mature culture look like?
The Institute of Risk Management describes this with the following ten visible behaviours:
1. Distinct and consistent tone from the top on risk-taking
2. Commitment to ethical principles and practice
3. Wide acceptance of importance of managing risk
4. Transparent and timely risk information flow up and down the organisation
5. Risk reporting and whistle-blowing is encouraged
6. Active learning from impacted risks and near-misses
7. Risk-taking behaviours rewarded or challenged
8. Risk management skills are valued, encouraged and developed
9. Properly resourced risk management function
10. Regular challenging of status quo from diverse perspectives
To find out how your approach to risk is affecting the value of your company, carry out an assessment by following these five steps:
1. Assess your current risk culture - Where are you now?
2. Define your desired risk culture - Where do you want to be?
3. Determine what you need to change so you can close the gap
4. Design and implement a risk culture change programme
5. (repeat of step 1): Assess changes in risk culture
*Research: Katz-Navon (2005)
If you would like to find out more about good risk management culture, please contact Tom Willcock on email@example.com