Governance: Why culture matters

Instances of poor governance, bribery and corruption have increased in the wake of the COVID-19 pandemic, as economic uncertainty has triggered risky behaviours.

A study carried out by Refinitiv found that 73% of organisations were under mounting pressure to increase revenues and 65% needed to push up profits. This had a knock-on effect on operations with 65% of firms taking shortcuts with KYC [know your customer] and due diligence checks – significantly increasing their risk exposure.

Fraud was also a big concern, with 20% of companies dedicating substantial resources to combatting this aspect of financial crime, followed by 16% for money laundering and 14% for cybercrime and theft.

Adrian Clements, a chief risk officer and board adviser at AT-IPIC, said that increased pressure on finances means that many businesses lose sight of their organisational purpose, which in turn leads to employees cutting corners to boost short-term profitability at the expense of ethical practices.

He explained: “The world has changed totally, but you’re still being measured on a KPI based on a budget that was set 12 months ago based upon the reality of two years ago. So, you’re going to have people manipulating the numbers… They’re overestimating the opportunities and they are underestimating the consequences, which are that your image or reputation will be destroyed.

The role of risk managers

For risk managers, making sure that governance levels are high should be a top priority. This means challenging boards to view company performance and objectives through non-financial lenses and ensuring that company purpose is well understood throughout the organisation.

Carolina Klint, Risk Management leader, Continental Europe at Marsh, said: “Good risk management fundamentally requires good ethics, and vice versa. There is a joint responsibility between the board and the risk management function to act with honesty and integrity, and to be accountable for their actions.

To even begin to start having these conversations, risk managers need to make sure that they have the right connections and contacts in the C-suite and that they are involved in decision-making from the outset.

Far too often, risk teams are only brought in once the strategy has been decided, which means that the role becomes reactive rather than proactive. Reactive risk management adds value, but it does not go far enough to ensure positive governance and eliminate risky behaviours incentivised by poorly thought out KPIs.

For some risk managers, this may mean a pivot away from the traditional world of risk registers and appetite statements.

While experts are divided on the value of such tools in day-to-day risk management, most are agreed that the jargon and level of detail doesn’t resonate with the C-suite meaning that anyone wanting board access needs to take a different approach.

Airmic CEO Julia Graham explained: “I prefer to not use good old-fashioned things like risk registers and some of the more traditional methodologies. This is a great subject for an around the table facilitated board conversation. It’s a fabulous boardroom agenda item and we keep the risk registers firmly locked in their cupboard for that type of conversation because it’s a discussion.”

She suggests that risk managers kick off board level discussions by asking questions like:

• How do you know that risks associated with the governance of the organisation are being managed?
• What do you think those risks are?
• Who is responsible for them and what is your role?

Building company culture

Risk managers seem to agree that the most important factor in improving governance and reducing risks is to build a strong company culture. This means risk managers must work in concert both with boards and with HR teams to establish this culture and ensure that it is cascaded down throughout the company.

It also means ensuring that there are policies in place for employees to sound the alarm bell when something goes wrong.

Graham says: “First of all, I think you need to know what your culture should be, You can’t maintain something until you understand it and then maintaining it is publicising what it means to you and taking action if you don’t live up to it.

“If you don’t have a great culture and it’s not appropriate to your business and you don’t have a strong ethical philosophy, then I wonder just how well your purpose as an organisation is stated… Having great approaches to unbiased whistleblowing is incredibly important.”