24 May, 2018 – In an environment that is increasingly volatile, uncertain, complex and ambiguous, businesses must have a robust risk management programme. Underpinning any successful risk management programme is good risk culture. To address how companies can shape organisational behavior and attitudes about risk management, the Institute of Singapore Chartered Accountants (ISCA), EY, The Chartered Institute of Management Accountants (CIMA), with Aberdeen Standard Investments as a knowledge partner, have produced a report on developing good risk culture.
Released today, the report “Risk Culture: How to Get it Right” dissects risk culture by providing an in-depth look at components such as organizational attitudes, behavior, structures and processes. It also features in-depth views from prominent business leaders on the practices that lead to good risk culture in their organisations. Business leaders who have contributed their views to the report include Ms Claire Chiang, Senior Vice President, Banyan Tree Holdings; Mr Lawrence Leow, Executive Chairman, Crescendas Group; Mr Michael Dean, Audit Committee Chair and Board Risk Management Chair, Delfi Limited; and Mr Kelvin Lim, Executive Chairman and Group Managing Director, LHN Group.
Mr Lee Fook Chiew, Chief Executive Officer, Institute of Singapore Chartered Accountants, said: “Good risk culture goes beyond having good frameworks and systems in place. Companies also need to look at the attitudes and behaviours that shape organisational culture. What we have found from the interviews conducted with companies is that in most cases, while there are adequate frameworks, they are not entrenched in business operations due to misaligned risk culture.”
Dr. Ian Selby, Vice President – Research & Development, CIMA, said: “Risk Culture should not be seen as something separate from the rest of the business. A key word here is ‘integration’. A company needs to articulate a clear purpose, strategy and values delivered through its business model. The culture of an organisation – including the risk culture – needs to be integrated and aligned with the company’s purpose, strategy and values.”
Mr Neo Sing Hwee, Advisory Partner, Ernst & Young Advisory Pte. Ltd adds: “Risk culture is not something that is just designed and executed; it must be proactive and everyone from board to management to individuals must understand that they have a responsibility for their own risk behavior and be vigilant of unacceptable behavior of others. A shift from a ‘tone at the top’ corporate culture to ‘tone in the middle and at the bottom’ is needed to present a clear view of the desired behaviors and have the right values embedded throughout the business.”
Key Findings from the Report
The report states that the belief that risk culture is an intangible concept with no concrete practices and processes is a myth. Instead, to build an appropriate risk culture, a variety of hard and soft mechanisms should be used. Another myth that the report seeks to debunk is that building risk culture is only for large companies, since they have abundant resources to create and maintain an Enterprise Risk Management (ERM) framework. On the contrary, it is precisely because SMEs may not have the time and resources to establish more formalised ERM practices that good risk culture is an imperative for them.
Based on interviews and roundtable discussion with business leaders, here are some of the key takeaways on how business leaders can promote good risk culture.
Get balanced feedback on your business, so that you do not inadvertently stumble into a risk.
Don’t surround yourself only with like-minded people.
Having a collegiate atmosphere is key. There should be openness to discuss anything, and diversity in knowledge, skillsets and backgrounds. There should also be a willingness to accept that internal or external advice is required at times, and these should be incorporated quickly into decision making.
Companies, especially SMEs, should see risk culture and frameworks as a building block for future growth, rather than a resource-draining activity. This does not suggest that SMEs inherently have poorer risk culture practices than large companies. Nevertheless, SMEs, with their tighter resources, may indeed need more robust risk culture to be prepared to address the risks they face.