By Horst Simon, The Risk Culture Builder

Bank regulators have been on a “capital charge”-path for a very long time. No capital charge can be a buffer for bad management of risk. History showed us that sometimes ALL the capital is not enough to save the bank from a risk event gone wrong

Then they created a thing they call conduct risk and went on a “break the bonus mission” thinking that money and incentives can reduce the risk posed by humans in a business environment of greed and profits. Conduct is the outcome of good or bad people risk management and can only be mitigated by addressing people risk.

Risk equals Reward, the problem is not with the risk, the problem is that organisations try to take more risk for more reward WITHOUT getting better at the management of risk. You can only live on the edge if you are good at managing risk.

All this time, and still; there are hundreds of people running around with standards, frameworks and guidance papers converted into PowerPoint presentations; selling it off as a couple of days training to obtain some obscure “internationally recognised” certification in Risk Management. No wonder we have so many “experts” in Risk management! A couple of days, a multiple-choice exam after a couple of thousand dollars can even get you a “certified diploma” in Risk management.

Finally, some are now realising that the answer to all the losses, scandals and fines is to build an effective Risk Culture. You can have the greatest looking set of values on the wall, the most optimised capital charge, the best-looking dashboards and best policies, systems and processes; if the humans behind it act up; it is all worth nothing.

Risk Culture Building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimise risk to the advantage of the organisation. It is not about using concepts and buying systems created outside your business by people who might not even understand your business; it is about training every employee risk management skills and sending the information down the line for them to take risk-informed decisions. It is about what the entire workforce does daily, not about how well the selected “army” defend.

We have known for a long time that no two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by many factors, the main ones are:

• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)

Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Risk Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response lack.

Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something daily to mitigate, control and optimize risk.

At the end, it all goes into the “Human Control Malfunction” – box and it is important to realise that your key human controls are often those who are paid the least.

The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

Finally, stop trying to do everything and chase all so-called best practices, it is impossible to do. The challenge to build an effective Risk Culture in your organisation requires passion and dedication and has no end-date. Risk Culture Building is an agile process that needs to change and adapt as the internal and external risk profiles change, a process that can only be stopped by the organisation failing and going out-of-business. Successful Risk Culture Building is never reaching that point.