Shifting into an ERM Culture
How to Sustain an Enterprise Risk Management Program and Maintain Competitive Advantage
The RMA Journal, October 2012
by Abrahim Althonayan, Joanna Keith, and Henry Killackey

Shifting economic conditions, technological advances, emerging markets, geopolitical threats, and changing regulatory environments have compelled organizations to turn to enterprise risk management (ERM) as a way to address the risks they continually face. As they implement ERM programs, organizations are realizing that long-term value comes out of ERM through its sustainability, which is fostered by an ERM culture embraced by the organization’s stakeholders.

Defining ERM Culture
The need for organizations to have a strong ERM culture emerged from a new role for enterprise risk management—which shifted from being a specific type of risk management handled by a small department or a specialized group of professionals to a process for guiding the achievement of strategic objectives.

ERM requires the collaboration of departments, teams, and functions, and the results have included new perspectives into the ERM process. With this integration of human capital, new organizational cultures have emerged, in which stakeholders take the sustainability of ERM into consideration when making decisions.

Business decisions and actions regarding risk are shaped by a system of values and behaviors present throughout an organization that are demonstrated by the individuals or groups within it.[1] In the context of ERM, culture is a value that impacts business decisions[2] and determines the way the organization identifies, understands, discusses, and acts on the risks it faces and the risks it takes. ERM culture affects the decisions of management and employees, regardless of whether they consciously weigh benefits and costs.[3]

The concept of risk culture has been in the spotlight in recent years with the realization that the financial collapses of organizations originated in having a flawed risk culture or no risk culture at all. A lack of a solid risk culture can also diminish an organization’s ability to achieve strategic objectives, which hinders business performance and weakens market competitiveness.[4] Culture, as argued by Douglas Brooks, is not an intangible concept, but one that can be measured. And the strength of risk culture can be determined by tracking the level of consistency that risk decisions have with organizational policies and the desired risk profile. In decision making, there is an active consideration of potential rewards and losses in taking and avoiding
risks. This consideration enables decision makers to make choices that will align best with the organization’s policies and desired risk profile, which ultimately, based on the assessment by Brooks, contributes to a strong risk culture.

However, organizations that do not have an ERM culture fail to reap the benefits of a functional ERM program. Because ERM culture is a product of shared values and behaviors, it is based on establishing predictability and high reliability in executing processes for managing risks. When there is no ERM culture, business units work in silos and do not align themselves to manage risks and achieve strategic objectives. The result is low reliability and lack of consistency in executing risk management processes. Practicing ERM in silos also results in repeating processes for managing risks, which translates into additional costs in staff time and dedicated resources. When reliability and consistency are low, a mixed message is communicated to staff about how the organization values ERM—and this can negatively impact employees’ perceptions and diminish the support needed for a global execution of ERM throughout the organization.

There are elements, consistent with organizational policies and desired risk profile, that signify a strong risk culture within an organization:
• Committed executives and senior managers who model the ERM culture they wish to see in the organization.
• Incentives that reward risk awareness among departments, teams, and employees to establish enterprise-wide thinking.[5]
• Information sharing and communication among departments and teams.
• Learning opportunities for employees.

Just as strength within an ERM culture can be measured, so, too, can weaknesses. According to Brooks, a weak ERM culture becomes evident when stakeholder decisions run counter to organizational policies and the desired risk profile. The consistency necessary for an ERM culture can be undermined by competing interests. Brooks gives the following example of how considerations of risk can be undermined by other interests of stakeholders:

“It may occur at the top of an organization if an acquisition is being considered, and considerations of risk fall victim to the ego of the participants. They may be put aside because the participants in the transaction have ‘fallen in love with the deal,’ and cannot bear the thought of backing out of the transaction given the work that has been put into it and the potential benefits of the transaction.... Rewards may also incent this type of behavior. These may be tangible rewards—bonuses and salary increases—or they may be intangible because the participants in successful transactions are those recognized in the organization, given higher profiles and promotions.”

This example demonstrates how competing interests can ruin the consistency needed for developing a strong risk culture. Participants in the transaction focused on the benefits and the overall attractiveness of the deal instead of considering how the transaction would enhance or erode the risk profile that the organization wishes to have.

When employees share the same values and display the same behaviors in managing risk, consistency in the execution of ERM and business results is ensured, reassuring stakeholders and generating value.

ERM Culture Case Studies (box)
Each case is summarized under the box’s four columns: Challenges, What Was Done?, Results, and Further Improvements and Recommendations.

AZ Electronic Materials
Challenges:
» Reporting and process requirements ignited skepticism.
» A focus on data collection instead of action scattered management’s attention.
» Challenging to introduce risk culture to globally diverse business units and achieve integration.
» Difficulties with cultural change and transitioning into the new risk approach. Potential long-term benefits difficult for employees to recognize and comprehend.
What Was Done?
» ERM and risk culture were reprioritized to protect the organization’s mission and achieve better customer satisfaction.
» Efforts were made to embed ERM culture throughout the enterprise.
» Initial risk assessment sessions received management support and adequate action responses.
Results:
» Better understanding of corporate objectives and business continuity, customer needs, and potential threats and opportunities to the business.
» Improved quality controls.
» Perception of strong competitive market image; stronger customer loyalty.
» Better internal and external communication over potential business interruptions.
» Focus on practical translation of risk analysis into risk action items (key threats and opportunities for the business).
Further Improvements and Recommendations:
» Continue integration of risk culture amid global environment and achieve enterprise-wide cultural uniformity.
» Ensure logical understanding of both ERM and risk culture as an extension of planning strategies.
» Define explicit alignment of risk culture, competitive advantage, and long-term suitability.

Global Investment Bank
Challenges:
» New unit had a good ability to challenge each other’s actions and ideas, but a lack of cooperation and cohesion became the main concern of management.
» Working toward reducing the visible disconnect in communication and daily operations between risk and business groups.
» Minimizing the demographic divide between senior and junior employees that was hindering complete group integration of people’s behaviors and risk decisions.
What Was Done?
» Risk culture was reassessed within sales and trading units recently integrated as a new unit.
» Management aims to ensure a comprehensive integration of the newly formed group through creating a strong and consistent risk culture.
Results:
» The existing risk culture needs to be rethought given the gaps identified as a result of the internal survey.
» Employees were unclear what the bank’s risk tolerance meant.
» The change in the group’s structure triggered unexpected behaviors and risk decisions.
Further Improvements and Recommendations:
» Senior management should realign the leadership team and encourage appropriate risk behaviors as part of a robust risk culture.
» Communicating risk tolerance enterprise-wide should be changed; everyone in an organization should be able to understand and express clearly what risk tolerance is.
» Increased transparency in making risk decisions and business involvement in setting risk appetite.
» Rethink internal controls and processes to ensure effective approval mechanisms.
» Reassess what value can be generated through risk culture.

Global Professional Services
Challenges:
» Potential over-extension of junior staff was identified as an emerging concern.
» Junior employees felt that senior colleagues did not appreciate or welcome upward challenges, such as their active participation in various decision-making processes led by the seniors, which in effect inhibited juniors and undermined their confidence to raise challenges. Employees cited a lack of clear guidelines and communication in terms of risk tolerance vs. appetite.
What Was Done?
» Current risk culture was assessed.
» Management raised no specific cultural concerns to investigate, but was keen on learning what could be improved.
» Risk culture was considered healthy.
Results:
» The study revealed that the risk culture can be considered robust, especially regarding employees’ responses to change and their caring about the quality of their work and the impact on the organization.
Further Improvements and Recommendations:
» Senior and junior employees should work together to overcome disconnect and lack of integration.
» Senior and more experienced staff should provide guidance to junior personnel to reinforce trust across the organization.
» Comprehensive risk training provided for all employees (knowledge sharing, cross-training) to clear away risk inconsistencies.
» A restructured (more effective) annual planning process that incorporates key risks the organization may face.
» Realign risk appetite and strategic business objectives.

Financial Services
Challenges:
» Communication is not yet consistent and effective enterprise-wide.
» Level of risk ownership and commitment is lacking and appears to be disintegrated; employees feel like risk ownership is primarily an element of risk management, not the business.
» Lack of alignment between risk and business management magnifies the view of risk as an inconvenience rather than a value-adding opportunity.
» Lack of focus on adequate risk-adjusted incentives and compensation schemes discourages effective managing of risks. This diminishes risk morale among employees.
What Was Done?
» The state of existing risk culture was examined as a critical element of effective risk management.
» Internal risk survey was designed to gauge employees’ attitudes toward the current risk management approach.
» A baseline for development of risk culture was established based on the survey analysis.
» Custom workshops and discussions were organized within various stakeholder groups.
Results:
» Employees value integrity and appreciate that the organization appears to have a competitive advantage in the market driven by cultural change.
» Risk change management has been perceived as well-designed and implemented; communication was found effective bottom-up and top-down.
Further Improvements and Recommendations:
» Effective change management to engage with the new culture.
» Robust information flow leading to informed business decisions.
» Align compensation and risk-based performance to encourage effective risk management.

Source: Originated by the authors.
Introducing the ERM Culture Alignment
Creating a strong ERM culture is a prerequisite for a sustainable and value-adding ERM. Organizations should see the importance and value of culture and take steps to address it in their mission statement. In recent years, industry practitioners have extensively analyzed the flaws of existing risk management practices, corporate governance, management leadership, and risk culture. Risk management culture was also the top priority at Deloitte’s Directors Forum in 2011,[6] when it was identified as critical for building risk-intelligent organizations where everyone can take responsibility for risk management and “mind the business” to protect and create value.

The Enterprise Risk Management Survey, administered by The Risk Management Association (RMA) in 2006, indicated that most organizations measured the effectiveness of ERM in the context of regulatory compliance, the Sarbanes-Oxley Act, and audit requirements rather than with the expectation of enhancing shareholder value; 48.4% of respondents saw the ability to set a common risk culture, establish a common risk language, and understand risk appetite as potential ERM implementation benefits.[7] When asked if the culture “openly encourages the reporting of risks and losses,” 32% agreed, while only 16% strongly agreed. In many cases, ERM was still a new concept in the early stages of implementation. Since then, significant progress has been made toward supporting ERM implementation with management buy-in and moving away from silo risk management.

In a recent 2010 KPMG International survey, nearly 50% of respondents identified a lack of risk culture, or weaknesses in it, as a primary contributor to the financial crisis. Even though risk culture is a fundamental component of ERM, many organizations still show significant shortcomings in this area. Over 58% of surveyed corporate board members and internal auditors admitted that most personnel had little or no understanding of how risk exposures should be assessed for likelihood and impact. This indicates that the leadership may not adequately foster a culture of continuous ERM development for employees who should fully comprehend how well-informed risk decisions are made. Without a strong ERM approach, establishing an enterprise risk culture becomes unachievable, and this may adversely affect decision-making.

In organizations where the cultural aspect is still not considered a corporate priority, management needs to revisit the potential consequences of an underappreciated culture and how its value becomes diluted across the organization. According to Aon (2007), one in 10 enterprises confirmed that ERM is embedded in the business process, and only one in four admitted the impact of ERM on the enterprise strategic planning process.[8] Looking at the new economic reality, financial organizations in particular were forced to rigorously revise their current risk management. In effect, core ERM elements such as strategy, resources, and culture had to be reviewed and recalibrated.

The increasingly uncertain economy and the consequences of continuous crises are another indication that both ERM and its culture need to be developed further. ERM culture is a critical risk dimension expressed in employees’ attitudes and in the way they feel about the organization. Taken as an example, the 2009 PricewaterhouseCoopers integrated risk management approach summarizes key aspects and shortcomings of risk management and the culture.[9]

At one time, the keys to effective risk management were 1) leadership and strategy, 2) accountability and reinforcement, 3) people and communication, and 4) risk management and infrastructure (Figure 1). Leadership integrates high ethical standards and ensures clear enterprise-wide communication of business objectives. Meanwhile, the accountability component should, by definition, assume individual risk responsibility. The people quadrant reflects the organization’s ability to share knowledge and promote continuous development and growth of all employees. Lastly, the role of risk management should not be limited to
depicting organizational capability in assessing, measuring, and mitigating the concentration of major risk exposures.

Figure 1: Effective Risk Culture and Potential Shortcomings
Integrated Risk Management quadrants:
Leadership & Strategy: Integrity and Ethical Values; Communication of Mission & Objectives.
Accountability & Reinforcement: Assignment of Responsibility; HR Practices & Performance Measurement.
People & Communication: Commitment to Compliance; Information & Communication.
Risk Management & Infrastructure: Establish Processes & Controls; Identify & Assess Risk.
Potential shortcomings:
• Lack of consistent direction from management
• Unawareness of corporate and business objectives and strategies
• Lack of comprehensive alignment of objectives on corporate and business level
• Lack of clarity of individual accountability objectives
• Lack of understanding of policies
• Lack of focus on long-term objectives
• Lack of consistent reinforcement of disciplinary actions
• Poor management approach toward receiving ‘bad news’
• Insufficient risk management training and development
• Inadequate risk resources and high turnover of employees
• Inconsistent enterprise-wide communication
• Imperfect understanding of risk
• Weak management emphasis on the importance of risk management
• Lack of robust risk change management process
• Unidentified or poorly managed control gaps
• No performance metrics
Source: Originated by the authors

Can these core attributes—supported by set behaviors, specific knowledge, established skills, and appropriate infrastructure—build on an integrated risk management framework and become a foundation for a corporate culture? If any of these components are not interconnected with the others, it is rather unlikely—if not impossible—that a strong ERM culture can be created.

Because every organization has a unique risk equation, ERM requires a distinctive interpretation from management. By demystifying ERM’s unique nature, management can focus on aligning strategy, culture, and risk mind-set, all leading toward establishing a competitive advantage. However, by misinterpreting ERM, organizations expose themselves to unexpected market dynamics. Lack of strong risk awareness affects the way organizations and employees react to new information or potential changes that can significantly distort corporate dynamics and compromise maximum business effectiveness.

Analyses of competing views of ERM culture and available industry data show what organizations did to achieve end results, where they fell short, and which future developmental points might be recommended (see the ERM Culture Case Studies box). The observations shown establish a baseline for a new approach to culture, called ERM culture alignment, that addresses the shortcomings identified in the cultural practices reviewed so far (Figure 2). Lack of a logically coherent and dynamic alignment between key variables of a specific risk approach limits the ability to generate sustainable organizational value that doesn’t erode when exposed to market dynamics or a change in competitors’ strategic direction.

The ERM culture alignment approach assumes that the following ERM elements interact dynamically with one another; it focuses on achieving organizational consistency and uniform ERM mechanisms that link key organizational units responsible for active value generation. The alignment consists of four core components:
• ERM culture inputs.
• ERM culture.
• ERM culture outputs.
• Cultural foundation.

ERM culture inputs are designed to exert significant influence over business results and are critical to forming an effective ERM culture alignment. But while ERM culture inputs are based on organizational philosophy and shape ERM culture attributes, ERM culture is at the core of risk management structure.

In all aspects, for business and corporate strategies to fold into alignment with ERM strategy, enterprise risk awareness becomes essential. The main challenges for corporate leadership remain the same: to gain tacit understanding of what enterprise-wide risk awareness means in business reality and to align the business and corporate risk objectives.

Figure 2: ERM Culture Alignment
ERM Culture Inputs:
• ERM: Understanding Key Risks Enterprise-wide
• Enterprise Risk Mind-set: Value-adding Decision Making
• Business Strategy: Developing Business Objectives Aligned with Risk Strategy
• Management & Board: Achieve Buy-in & Commitment at the Top
• Corporate Strategy: Aligning Risk Appetite and Tolerance
ERM Culture (attributes): Transparent; Consistent; Enterprise-wide; Inclusive & Dynamic; Proactive; Well-defined.
ERM Culture Outputs:
• Aligned ERM and Strategy Development and Execution
• Competitive Advantage
• Strategic Risk Management
• Enhanced Shareholder Value
Dynamic ERM Culture Alignment:
• ERM Communication & Dialogue
• Common ERM Language
• ERM Understanding & Acknowledgment
• ERM Respect & Ethics
• ERM Ownership & Collaboration
• ERM Mind-set
• ERM Responsiveness
• ERM Leadership Aligned with Business
Source: Originated by the authors

Corporate leaders often fail to establish a consistent and inclusive behavioral model that can reinforce intangible risk and business rules. Management attitudes should exemplify ERM standards across the organization and ensure that such behaviors are accomplished.

Cultural awareness needs to be initiated from the top. ERM culture developed on the basis of cultural inputs should be well defined and transparent and maintain a level of consistency across the enterprise. Its dynamic and proactive nature would then trigger a uniform risk response to unexpected changes and minimize negative business impacts.

The factors defined as ERM outputs present an organizational state where the dynamic ERM culture alignment becomes a motivating driver for achievement in a predetermined manner. Along with aligned ERM and strategic risk management pushing enhanced shareholder value as a key priority, gaining competitive advantage in the market becomes a primary indicator of future success.

Where to Start?
“The Where”: Determine Strategic Direction
When business, strategy, and ERM units work together, they communicate what the organizational objectives are and how risk and strategies can be aligned to achieve them. Potential issues are analyzed and openly discussed to establish an enterprise-wide level of collaboration, awareness, and understanding.

“The What”: Define Unique Organizational Structure
What does the organization want to achieve? What are the corporate and business priorities and how do they fit into ERM strategy? Regardless of whether the enterprise aims at 1) enhancing shareholder value, 2) meeting corporate objectives, 3) creating ERM culture, 4) reducing the element of risk surprise, 5) maintaining reputation, or 6) minimizing the cost of risk, management needs to communicate it clearly from the top down. All employees should understand where the organization is going, its mission statement, and what the goals are.

“The How”: Define the Best Implementation Tools for the Organization
Management decides which tools will be used across the organization to achieve the objectives and establishes a rapport with the relevant stakeholders. Some financial enterprises, depending on where they are with ERM implementation, favor adopting strong risk policies; others choose risk monitoring to develop a solid risk management culture. Staff in organizations where ERM is well established appear to place more trust in management’s efforts to embed ERM culture into the corporate structure.

“The Who”: Focus on Achieving Key Results and Get It Done Together
Organizations need to focus closely on getting it done together rather than being overwhelmed by an excessive number of action points. When risk ownership is well-defined as a collective effort, everyone understands their roles in the ERM implementation process and feels involved in creating a common ERM culture. An ERM mind-set and common risk language create a natural risk habitat and together dictate everyone’s enterprise-wide involvement. As ERM culture alignment enforces the integration of processes for formulating and executing core strategies with the planning for ERM implementation, management continues to work on understanding which factors determine effective ERM culture and what makes it truly unique.

What Drives an Effective ERM Culture?
One of the most important factors influencing ERM culture is the involvement of leadership and employees at all levels in adopting, accepting, and promoting ERM and ERM culture.

A good example of an effective ERM approach and its focus on risk culture is Caterpillar, Inc. The firm adopted a unique ERM approach to the organizational structure—calling it business risk management, or BRM—by setting a key objective: to identify, track, and mitigate anything that would prevent the enterprise from achieving its long-term strategic objectives.[10] To promote the BRM culture, Caterpillar developed a code of conduct statement, Our Values in Action. The code states that the firm sees risk as “something to be managed and as a potential opportunity.”

Other factors critical to developing ERM cultures are aligning ERM with corporate and business strategies and securing management buy-in. As senior management develops a strategic vision for the organization, the road map for corporate and business objectives is being established in tandem. Subsequently, ERM and strategy development should be aligned, becoming two sides of the same coin. ERM needs to be embedded in enterprise-wide activities, processes, policies, and procedures and implemented across all of the organization’s divisions.

In order to accomplish an alignment of ERM and risk culture, a well-defined vision and ERM planning become essential. Senior management’s commitment to creating a fitting internal environment and allocating sufficient resources has also been identified as critical in building risk culture. Effective resource allocation with the appropriate level of authority can significantly impact ERM culture. Finally, cross-communication between lines of business, awareness of business objectives, use of risk-performance indicators, and the alignment of ERM with business planning were highly recommended.

Another significant factor contributing to the process of shaping ERM culture is ERM mind-set and enterprise-wide communication. Results-driven organizations view information flow and communication as key principles for creating strong governance and culture. Enterprise-wide risk communication and a dialogue among management, employees, groups, and departments can help in understanding key risk concentrations (in terms of risk appetite and tolerance). Employees should recognize risk management as a strategic partner in the business and feel motivated to be proactively involved.

For example, within the ERM cultural alignment, an effective method for responding to risk issues is to identify stakeholders, gain their commitment and awareness, develop a robust communication strategy within safe channels, and ensure continuous feedback. Common risk language creates an ERM mind-set and generates an intimidation-free atmosphere for discussions with management about business and risk.

Developing success metrics to measure process effectiveness plays a crucial role in the process. Management’s commitment to creating a sustainable organizational culture should support developing unique cultural characteristics that can significantly impact business value and reputation. A robust ERM culture promotes leadership strategies for downward-upward communication.

The Way Forward
Transitioning risk culture into ERM culture and embedding it across the financial organization has become an area of increased focus, especially since lack of risk culture was a primary contributor to the recent financial crisis. Nevertheless, embedding a risk culture remains a significant challenge, especially for enterprises where risk management is developed in isolation. If key risks are being miscalculated, then negative impacts on business performance will inevitably result.

ERM culture should be well defined, transparent, and consistent in the mission statement. It should be dynamic and allow proactive feedback and generate a uniform risk response. Significantly, ERM culture affects the decisions of all employees. And when those decisions run counter