A BIG THANKS to Jack Jones for writing the forward for my new book Cultural Calamity: Culture Driven Risk Management Disasters and How to Avoid Them.
One of the most important factors in successful risk management is organizational culture. Unfortunately, few organizations take the risk management aspects of their culture seriously or even know how to address them when there are concerns. There are a number of factors that drive this, including:
- Profits and operational costs are measurable in the near term, while major loss events are less frequent and more likely to be “someone else’s problem” after current leadership has moved on. This is exacerbated by incentive schemes that focus on profit and cost management and ignore the level of risk decision-makers are subjecting their organizations to.
- It is relatively easy to hide or ignore the symptoms of poor risk management culture. Regrettably, it’s also true that too few auditors know what to look for or are very interested in rocking the organizational leadership’s boat. It takes unusual intestinal fortitude to look senior executives in the face and tell them the culture they’ve established (or inherited) is guiding their ship straight into an iceberg.
- Improving an organization’s culture doesn’t happen overnight. As a result, executive management has to be consistent and persistent in their improvement efforts, and operate with a longer time horizon in mind. This can be especially challenging in many industries because of the emphasis on the “What have you done for me lately?” attitude by stakeholders.
- Leadership is rarely provided accurate and meaningful risk information. Too often, organizations equate compliance with good risk management and/or produce inaccurate and meaningless risk “heat maps,” which management has little hope of accurately interpreting. The absence of clear and meaningful risk information makes it that much easier for management to discount risk and focus on clearer goals and incentives.
- Due to a combination of poor risk measurement practices, and the points above, risk professionals are prone to inflate risk ratings just so that management will “pay attention.” Unfortunately, executives are quick to detect risk-related baloney and thus discount risk reporting—all risk reporting, even reporting the problems they legitimately need to pay attention to. And, again, this is especially easy for executives to do if addressing how risk might affect profit and cost management goals, and where no risk-related incentives are in play.
Another contributing factor is that there are too few resources that focus on the value and effect of a strong risk management culture. In Cultural Calamity, Joseph Mayo helps to solve this by sharing long overlooked research on risk management culture and bringing to the surface the symptoms of flawed risk cultures and the profound damage that can result. He also offers sound advice on steps organizations can take to better manage this critical issue. Cultural Calamity is a concise, digestible, and valuable resource that risk management professionals would do well to read.
Jack Jones Executive Vice President of Research RiskLens, Inc.