In today’s volatile economic and financial conditions, I believe that it is imperative for business executives to take managing risk seriously. There is an old proverb saying “prevention is better than cure”. I think everyone would agree that it is better to avoid the kinds of crises that can destroy value, ruin reputations and even bring a company down. Especially in the wake of the recent global financial crises, many business leaders have strived to put in place more thorough risk-related processes and oversight structures, in order to detect and correct fraud, safety breaches, operational errors and over-leveraging, long before they become full-blown disasters.
Yet processes and oversight structures, albeit essential, are only part of the story. I think it is also important to manage the frontline attitudes and behaviours that are their first line of defence against risk. In other words, it is important to manage the “risk culture” of the organisation.
Risk culture consists of the human decisions that govern the day-to-day activities of every organisation. Even decisions that are small and seemingly innocuous can be critical. Having a strong risk culture does not necessarily mean taking less risk. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. Those with an ineffective risk culture might be taking too little.
Of course, it is unlikely that any programme will completely safeguard a company against unforeseen events and/or fraudulent individuals. But I believe it is possible to create a culture that makes it harder for an outlier, be it an event or an offender, to put the company at risk.
In my own professional experience, I found that the most effective risk managers exhibit certain traits – which enable them to respond quickly, whether by avoiding risks or taking advantage of them. I would like to share with readers two traits as follows:
1. An effective line of communication is needed. The most effective risk managers act quickly to move risk issues up the chain of command as they emerge, breaking through rigid governance mechanisms to get the right experts involved whether or not, for example, they sit on a formal risk-management committee. They can respond to risk adroitly because they have fostered a culture that acknowledges risks for what they are, for better or for worse. They have encouraged transparency, making early signs of unexpected events more visible, and they have reinforced respect for internal controls, both in designing them and in adhering to them.
2. Early acknowledgement of risk is essential for prudential risk management. It takes a certain confidence among managers to acknowledge risks. Doing so – especially to the point of discussing them internally, as well as with shareholders or even regulators – requires that managers rely on their own policies and procedures to work through issues that could lead to crisis, embarrassment, or loss.
Obviously, the cultural differences between companies that acknowledge risk and those that do not are quite stark. I think we can differentiate between two types of institutions in their dealing with risk. The good risk management institution would strive to build a culture, at all levels of the organisation, that prizes staying ahead of the trend. This might mean convening a group of executive peers to discuss issues faced by the entire industry, or responding to regulatory trends early – for example, on capital and liquidity requirements or compensation practices. The stance it takes is, “If we see it, identify and size it, then, even if it’s horrible, we’ll be able to manage it.” Where risks cannot be sized, they should at least be discussed in qualitative terms.
On the other hand, a bad risk management institution would have a reactive and back-footed culture – one focused more on staying out of trouble, ensuring regulatory compliance and making sure all the boxes are ticked. Its managers would generally be content to move with the pack on risk issues, preferring to wait for regulatory criticism or reprimand before upgrading sub-par practices. They would be afraid of knowing what they don’t know, and they would fear the reaction of the board, regulators and investors. Many would rather ignore undesirable behaviours because they don’t know how to manage them, and because managing them would demand time and might affect the cost base. This organisation’s stance is, “Let’s wait until we really need to deal with these unpleasant things, because they’re anomalies that may turn out to be nothing at all.”
Therefore, I think it is crucial to enable managers to be confident that they are working in an organisation with policies and controls that can handle – and even benefit from – openness about risk. They would be far more likely to share the kinds of information that signal risk events and allow the institution to resolve emerging issues long before they become crises.
Companies with a culture that discourages such discussion – as well as those in which over-confidence leads to denial – are prone to ignoring or failing to recognise risks. In some cases, employees fear telling the boss bad news because they worry about the financial downside of slowing commercial progress; they know the boss doesn’t want to hear it, or they fear being blamed. As a result, they alert managers to risks only when further delay is impossible. Today, we have to ask what type of organisation we are working for and aim to improve our risk management structure, which will be the backbone of our business success in the future.
Chodechai Suwanaporn is executive vice president, corporate strategy, PTT Plc.