2.5.1 Creating risk awareness culture
Risk management consultants play a key role in helping
companies prevent fraud by installing an effective and vibrant risk culture in
companies. A healthy risk culture gives employees a stake in risk management.
Employees' basic principles, values, and attitudes as well as their
understanding of how to deal with risk shape a company's risk culture.
An appropriate risk culture is necessary for corporate risk
management procedures to work effectively. The compliance requires that
employees directly involved in internal controls be fully aware of risks. For
the company's internal control system to fulfill its purpose, employees must
operate within a well-established, enterprise-wide risk culture. The tone at
the top the ethical atmosphere that the organisation's leadership creates is
fundamental. But exemplary leadership does not automatically lead to an
effective risk culture, nor does it guarantee a properly functioning internal
control system.
Shaping risk culture
Annual reports typically convey the impression that companies
have implemented effective risk management procedures. But risk culture is
often neglected as an integral part of corporate risk management. E. Schein
(1984) developed a model of corporate culture whereby, three elements determine
the risk culture of an enterprise: Basic assumptions, values, and artifacts and
creations.
Basic assumptions are the foundation of corporate culture.
They are the invisible matters of organisational and environmental relations
that are commonly taken for granted. Employees' perceptions, thoughts, and
feelings about risks shape a company's risk culture.
Values determine employees' moral and behavioural standards.
Principles, unwritten guidelines, and taboos that employees respect come from
these values. Often these values are only partially visible from employees'
outward conduct.
Artifacts and creations are the tangible components of a
company's risk management system. They include a risk manual, a risk manager,
risk committee, published risk principles and guidelines, an IT-based risk
reporting system, and a printed risk report included in the annual report as
well as employee risk workshops. Such items are clearly visible and allow risk
managers to understand the existing risk culture of an enterprise. The presence
or absence of artifacts and creations enable managers to evaluate and shape the
company's risk culture.
According to O. Bungartz,( 2010), a plan for shaping risk
culture in an enterprise should contain four steps; creating a team to lead the
process, evaluating the existing risk culture, determining what the desired
risk culture should look like and devising and implementing an action plan to
build the new risk culture.
Create a risk culture team
Management should appoint a person independent of the
enterprise (possibly an external risk management consultant) to lead the risk
culture team. Members can include not only top management and the
risk-controlling department, but also board members and internal/ external
auditors.
Evaluate the Existing Culture
Ultimately, employees should diagnose their company's risk
culture free of external forces imposing views on them. However, the members of
the risk culture team should be responsible for discovering the employees'
views on the existing risk culture and what it should become.
The team should speak with all company employees so the entire
staff is sensitised to the risk-culture topic. Standardised and anonymous
questionnaires usually elicit more honest responses to questions about the
«risk appetite» of the company. The independent coordinator and the
members of the risk-culture team should prepare an analysis workshop for
selected upper management and cultural leaders to help uncover the invisible
basic assumptions that are fundamental to the enterprise's values. In addition
to the analysis workshop, the risk culture team should individually interview
each member of top management to promote high interactivity and frankness.
These interviews prompt senior managers to think deeply about the range of
possibilities for shaping a new risk culture. The members of the risk culture
team then conduct a critical review of the existing culture based on the
results of the enterprise-wide survey, the analysis workshop, and the
individual interviews (Oliver Bungartz, 2010).
Determine Desired Risk Culture
The profile of the target culture will be based on the same
factors that were used to evaluate the existing culture. Reorientation of the
company culture is possible only if there is a compelling reason and a shared
understanding of the need for cultural change among managers and employees. The
foremost goal of cultural reorientation is to sensitise every employee to the
necessity of conscious handling of corporate risks (Oliver Bungartz, 2010).
Action Plan
The fourth step in the risk culture programme is the
formulation of an actionable plan to realise the new cultural vision. Senior
management is responsible for implementing and monitoring this plan. New
orientation patterns are accompanied by new signals and formats as well as an
update of artifacts and creations. Securing «buy in» from employees
is crucial to the success of the action plan. They must know their input was
instrumental in creating new policies and that their continued involvement is
essential. Transparency and communication are key to making this happen. All
employees must understand that they each have a continuing role to play.
Management should reward risk sensitive behaviour that helps build the target
culture and dissuades unethical behaviour. Once the action plan begins to
initiate cultural change in the enterprise, it is common to see unanticipated
consequences. Erroneous trends (such as irritated employees or adverse cultural
developments) can surface that require monitoring and correction. A new risk
culture is vulnerable to undesired changes. Management must therefore
continuously observe and evaluate newly implemented risk-culture measures. The
figure overleaf summarises the factors and effects of an appropriate risk
culture (Oliver Bungartz, 2010).
| 
