Aldi A. Alijoyo, S.Psi., MBA, QRMP, CGP
CEO of CyberWhale
LSP MKS Certification Holder
In the present-day era of global regulatory change, much focus has been pointed towards the substantive and structural elements of risk management and regulatory compliance. Some issues such as what is our solvency margin and capital sufficiency; what is our governance structure; or what process ensures that our organisation is compliant with regulatory, licencing and legislative requirements. In addition to the concerns related to regulatory environment, there is, unfortunately, one element that quite often being overlooked and underappreciated – culture, including the impact it has on the company’s response to risk.
Moreover, managers’ ability to build profitable firms arguably depends in part upon the business environment. It is widely believed that the external environment of business influences resources, prices, incentives, and imposes constraints on managers’ existing and future course of actions. A prerequisite to prospering is therefore the ability to anticipate, and perhaps foster changes in the business environment. Aside from that, globalisation – as a political, economic, social, and technological force – appears all but unstoppable; just look at how COVID-19 pandemic changes lots of how things work. The ever-faster flow of information across the globe has made people aware of the tastes, preferences, and peculiarities of citizens in other countries. Through this controversial convergence, we are all most likely becoming – at varying speeds and at least in economic terms – global citizens. Nevertheless, culture still plays an important role in corporate strategy, decision-making process, and in particular, risk governance.
A firm has made significant progress in developing frameworks, processes, regulations and standards for managing risks. However, rules and guidelines can be easily misunderstood and misapplied, inadvertently or even deliberately. The missing part in comprehending how to balance risk and reward decision making successfully is an organisational risk culture. Based on the Institute of Risk Management, risk culture is the sum of the organisation’s “shared values, beliefs, knowledge, attitudes and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation[i]”. Moreover, every organisation has a particular “personality trait” as its ethos – comprising of five elements: charm, spirit, culture, character, and the lasting impression of an organisation – that would eventually shape the invisible rules that is highly tailored to a particular organisational culture. That is quite a fact on every organisation, no matter how big they are. The question is, therefore, whether that culture is effectively supporting or undermining long-term success.
It is quite clear that the prevailing risk culture within a firm could make it significantly better or worse at managing risks. While the structural implementation and operation of an organisation’s governance, risk and compliance (GRC) framework is important, having an appropriate risk culture aids the transition from mere compliance to something that creates value for an organisation. In most cases, top management has meticulously put together very good, comprehensive frameworks, but they are not well embedded and not well internalised in business operations due to misaligned (or ineffective) risk culture.
Although broadly defined in conflicting manners, generally, risk culture is manifested in how an organisation reacts to uncertainty, risk, and opportunities. One of the key determinant factors is what kind of industries are you in as an organisation; despite that, it is one that’s in line with business strategy and ensures all members of the entity approach risk and opportunity in the manner that senior management and the Board envisages. The perceived culture is embedded on the decision-making process of a company’s Board and senior management which ultimately own the risk culture – to cut it simply, it is all going back to one of the principles of risk management according to ISO 31000:2018; “Leadership and Commitment” of top management to demonstrate risk management practices that are in line with what has been established in their organisations. In other words, espoused values have to be in congruence with enacted values[ii].
- [i]The Institute of Risk Management. (2018). Risk Culture. Retrieved from www.theirm.org
- [ii]Gopinath, Dr. Mohan & Nair, Aswathi & Thangaraj, Viswanathan. (2018). Espoused and Enacted Values in an Organization: Workforce Implications. Management and Labour Studies. 43. 0258042X1879775. 10.1177/0258042X18797757.