Many outside suppliers at Virgin Atlantic are given the company uniform to wear so that they feel part of the “family” and are more likely to promote its values. Management at Drax power station were inundated with valuable risk information after offering employees supermarket vouchers in return for tip-offs about safety near-misses. Junior staff at the insurer AIG are actively encouraged to ask their bosses difficult questions about the way the company is run.
These are three of many illustrations of how organisations have developed risk-aware cultures, all of them featured in our 2013 report, researched jointly with Cranfield Business School, Roads to Resilience.
Conversely, a 2011 piece of research, by CASS Business School and published by Airmic risk management association, Roads to Ruin investigated 23 companies with aggregate pre-crisis assets of more than $6 trillion, all of which had suffered potentially life-threatening corporate traumas. In every single case corporate culture was at fault. In all but one, for example, there was a failure of risk information known within the organisation to reach the top, creating “risk blindness” at board level.
Behaviour invariably reflects culture, which more than anything else determines the robustness of an enterprise’s risk management
These two pieces of in-depth research demonstrate how risk management goes much wider than mere compliance or having the right processes in place, essential as these factors may be. All corporate disasters reflect the behaviour of people working for the organisations concerned – as do the success stories. And behaviour invariably reflects culture, which more than anything else determines the robustness of an enterprise’s risk management.
The UK Corporate Governance Code, published in 2014, underlines this view. It is quite explicit about where responsibility for risk management and internal controls lies – with the board. The guidance includes specific reference to risk culture and assurance, and the need to ensure that an appropriate culture is embedded throughout the organisation.
How to make this happen is, of course, a complex and demanding question. However, the two pieces of research mentioned provide some helpful insights into where the solution lies. Roads to Ruin found that corporate failures had a remarkable amount in common, regardless of the sector of the company involved.
Lack of the necessary board skills and insufficient control by non-executive directors, board risk blindness, leadership failures, poor communications, organisational complexity, inappropriate incentives and a “glass ceiling” that prevents risk information reaching the board – these factors recurred time and time again.
Similarly, Roads to Resilience found that well risk-managed organisations have much in common with each other. They all promote the idea that everyone is responsible for risk and constant vigilance is required (hence the earlier example of Drax), complacency has been engineered out, and constant questioning and challenge are encouraged (for example, at AIG). All the organisations appreciate the critical importance of good communication.
Sadly, we fear these shining examples represent a minority of enterprises. It is only a matter of time before the next big corporate disaster and, when it comes, we will see how it could have been avoided. But you do not need hindsight to do so. Any organisation can develop the culture to handle all eventualities swiftly and effectively – even the so-called “black swan” events. This represents perhaps the board’s biggest single challenge and duty.
