Fit 4 VUCA Towards A Risk-intelligent Culture - Deloitte


What is VUCA?

The world is changing – fast. We live and operate in a constant state of turbulence, military planners (amongst others) have an official term for it. They call it VUCA – an environment of relentless volatility, uncertainty, complexity and ambiguity. In this state of VUCA, events coming at an organisation are increasing both in number and variety – at an unforgiving speed – it is survival of the fittest and the triumph of the agilest.

Financial institutions (Banks, Insurers, Lenders, Investment and Asset Managers) across Africa are feeling it - barriers are being eroded, invaders are entering their atmosphere from different industries, lands and vantage points.

Never before has technology been so disruptive, so exponential – so quickly. Regulations and risks so far-reaching. Employee and customer power so strong, transparent, expecting. Innovation so vital to survival. How do you future-proof your organisation in ever-shifting times?

Towards a risk-intelligent culture

Economic instability, increasing competition from non-traditional invaders, a plethora of regulatory change, as well as new roles for the board and executive teams – financial-services institutions are operating in high-speed, dynamic and ever-changing times. How do we prepare ourselves in an unforgiving, competitive world, where the stakes are high? Do we batten down the hatches and wait for it to pass, or do we don our protective gear and launch ourselves into the turbulence? How do we continue to grow our businesses, be innovative and still manage the risks of operating in this new climate?

The key is around proactive, effective and sustainable management of risk.

As the global financial crisis unfolded, it became evident that cultural misalignment played a large role in organisational failures. An organisation’s culture determines how it manages risk when under stress. For some organisations, their risk culture is a liability, while for others it facilitates stability, innovation and a competitive advantage.

One of the cornerstones of being Fit 4 VUCA in the financial-services sector is one’s ability, as an organisation, to think holistically about risk and uncertainty, speak a common risk language and understand how to make risk-related decisions. Every world-class athlete and sporting team has a game plan that includes knowing and confronting the competition, knowing the boundaries and dealing with unforeseen events such as injury. Every world-class organisation needs a similar game plan, and this is what the Risk Management Framework involves.

Global economic events have highlighted weaknesses in many financial-services organisations in the area of risk governance and management. This, coupled with regulatory demands, has catalysed many organisations to devote significant time to developing and implementing enterprise Risk Management Frameworks, policies, procedures and technologies. Our experience tells us that there has been progress in revamping governance practices and establishing infrastructures, but that there is still a considerable need for cultivating risk-intelligent cultures within the African financial-services sector. It is like providing your team with the latest sporting equipment, world-class coaching, medical support and state-of-the-art training facilities – but not bothering to use any of these enablers when confronting the competition on the playing field, preventing and dealing with unexpected injuries or developing new talent. You can have all the risk management policies and structures in the world, but if you do not use them and do not behave accordingly, they will not enable you to triumph in the face of adversity or to deal with changes in the game plan.

Regulations stipulate that financial-services firms must have a robust Risk Management Framework (RMF) in place. This needs to cover risk identification, risk assessment, risk measurement, risk monitoring, risk treatment and risk reporting. However, having an effective RMF is absolutely predicated upon the firm having a true risk-intelligent culture – one that is tangible and real and that is almost the glue in the organisation. Without it, even the most sophisticated risk systems are merely expensive and bureaucratic dashboards.

Just as there is no magic formula in terms of maintaining a sporting team’s position on the league table, there is no “silver bullet” solution to risk management. How a business manages its risk should be aligned with, and should support, its environment, strategy, business model, business practices, risk appetite and risk tolerance. This is especially true in the financial-services industry, where significant risk-based decisions are being made by businesses every day. One press of the button and confidential information can go to the wrong place. One second too slow on a trade can result in massive misdeals – it is increasingly about excellence in execution. How well you execute strategy is your organisation’s competitive advantage.

Essentially, a risk-intelligent culture exists in an organisation when its employees’ understanding and their attitudes towards risk lead them to consistently make appropriate risk-based decisions. It is not about avoiding risk but rather about accepting the need for sufficient risk in order to create value. Let’s use the analogy of a world-class rugby team such as the All Blacks. The game of rugby has changed drastically in the last 20 years; and the success of the All Blacks has been due to its ability to change the game plan, to adapt to changes in how the game is played and to set the standard so that other teams continually have to play “catch-up” to remain relevant. Your business is much the same in that it is increasingly up against threats that it cannot foresee and unstable climate changes that it needs to adapt to. Ultimately, it is how you cope with that unpredictability that counts.

Risk management should not be limited to specific business areas and should not operate only as an audit or control function. It is not just a reactive mind-set; it is about anticipating what could happen in the environment. It is about embedding this mind-set and these behaviours in the way an organisation operates, and it covers all areas, levels and activities.

Consequently, risk culture drives the behaviours that influence day-to-day business practices, and it is a significant indicator of whether the organisation embodies the characteristics of a Risk-Intelligent Enterprise.

Having a risk-intelligent culture means that everyone understands the organisation’s approach to risk, takes personal responsibility to manage risk in everything that he or she does, and encourages others to follow his or her example – everyone becomes an active citizen in saving one’s business, in conquering one’s goals and in achieving one’s aspirations. Codes, management systems, HR systems and behavioural norms should be aligned to encourage and enable people to make the right risk-related decisions, and to empower them to exhibit appropriate risk management behaviours.

So what are the characteristics of a strong risk culture? These can be summarised as follows:

- Commonality of purpose, values and ethics
- Universal engagement and application
- Learning organisation that emphasises risk culture
- Timely and honest communications
- Understanding the value of effective risk management
- Responsibility and accountability, both individually and collectively
- Encouraging an environment of constructive challenge

The four risk themes that help to shape the behaviour of a risk-intelligent culture are:

1. Respond
Build risk competence. The collective risk management competence of the organisation fosters collective wisdom and helps people to understand the risks the organisation is taking – they need to know the threat and have an idea of how to respond. This comes from proactive sharing of leading practices, consulting others when in doubt, and ensuring that your learning and development frameworks and interventions have a strong management of risk element running through them, at all levels.

2. Reward
Align motivational systems. The board and management should have an understanding and clear communication as to why the organisation manages risk the way it does. Secondly, there should be a consistent theme as to what organisations are motivating people to do. How does an organisation convey that its employees can admit to making mistakes? An effective risk-intelligent organisation is one in which everyone takes personal accountability for managing risk while still looking for those opportunities for innovation and growth. Key performance metrics should reflect this accountability and be aligned with the reward framework.

3. Recognise and relate
Strengthen relationships. This focuses on how people in the organisation interact with others. Do employees, management and directors all have a clear understanding of, and commitment to, a risk-intelligent culture? Does management provide a trusting environment and constructive response to challenges? Is there open and honest dialogue about risk? These are a few questions that boards can ask to strengthen and foster relationships at each level of the organisation. The behaviours that are displayed at the most senior levels of the organisation are critical in creating this environment. Leaders must find ways to connect with people inside and outside the organisation. They must be able to openly communicate their values on an ongoing and transparent basis. They must be able to make it very clear what the risk appetite of an organisation is. How innovative can people be across the organisation without putting the sustainability of the business at risk? People are suspicious of leaders whose behaviour does not support their words or who are closed about their values and standards.

4. Recommend
Promote an organisational risk management infrastructure. Consider how the organisational environment is structured and what is valued. Each organisation typically sets up standards of expectations in the form of policies and procedures. Having a Risk Management Framework (RMF), following the risk management policies and involving risk professionals in risk decisions form the foundation on which to build the risk culture. A risk culture cannot be developed in isolation from the RMF – the two are so heavily dependent that approaching the two elements as separate initiatives (as many organisations do) is disjointed and inefficient. However, it is ultimately about the organisation knowing what level of risk is acceptable, what the boundaries are and what is in place to protect us from the turbulence around us.

These risk themes are examples that can be adapted to help organisations understand their current state. Shaping a risk-intelligent culture requires focused efforts and commitment on the part of leaders. Organisations that seek to achieve a risk-intelligent culture should set metrics against which they can define next steps and measure progress.

The first step is to understand the existing risk culture and to measure how well it supports the organisation’s risk strategy and risk management approach. The Deloitte Risk Culture Framework and corresponding Risk Culture Survey provide a structure and process to help clients in their efforts to achieve this measurement.

The Deloitte Risk Culture Framework

Deloitte has developed a broad approach to help financial-services clients assess and measure risk culture based on the Deloitte Risk Culture Framework. The framework consists of sixteen Risk Culture Indicators that are aligned to the four Risk Culture Influencers.

A Risk Culture Survey allows us to measure an organisation’s risk culture against each indicator and then to analyse and gain a thorough understanding of the current maturity level of the risk culture. Once we have done so, we can use the Risk Culture Framework to identify and recommend specific target areas in order to help strengthen the risk culture throughout the organisation.

[Figure: Risk Culture diagram; recoverable labels: Organisation, Relationships, Risk competence, Knowledge, Skills, Learning]

Risk Culture Influences

- Risk competence: The collective risk management competence of the organisation.
- Motivation: The reason why people manage risk the way they do.
- Relationships: How people in the organisation interact with others.
- Organisation: How the organisational environment is structured and what is valued.

Strengthening an organisation’s risk culture requires both a focused effort and the direction of leadership.

The initial focus should be on building cultural awareness, predominantly through communications and education. Cultural improvement will be likely to require meaningful changes to established ways of operating. In the same way that the All Blacks are continually refining their game plan, financial-services organisations should continually refine their approach to managing risk to reflect ongoing changes in business strategy. The All Black team management will not stop considering where the team’s strengths lie and what the limitations are. They will continually review their plan of attack, look for opportunities to improve their defence and analyse how they are doing on recognising patterns. Financial-services organisations that want to stay on top of the game will do something similar, continually refining their approach to managing risk in order to be relevant, ready, adaptable and frontrunners.

It is important to recognise that this roadmap focuses on the cultural aspects of risk management. To achieve a strong, effective and intelligent risk culture, all the components of a formal risk management structure should be implemented.

Build risk competence
- Risk function
- Existing employees
- New employees
- Future employees

Align motivational system
- Incentive systems
- Reward systems
- Performance systems
- Individual and team accountabilities

Strengthen relationships
- Leaders to manage
- Leaders/managers to employees
- Peer to peer
- Risk function to business

Promote organisational risk management infrastructure
- Governance and reporting protocols
- Procedural protocols
- Behavioural and ethical expectations
- Compliance expectations

Cultural awareness
- Deliver communications from leadership using a common risk management vocabulary.
- Clarify risk management responsibilities and accountabilities.
- Roll out risk management general education and customised training based on role.
- Refine recruitment methods to include risk management capabilities.

Cultural change
- Create a culture of constructive challenge
- Embed risk performance metrics into a motivational system.
- Establish risk management considerations in talent management processes.
- Position individuals with the desired risk orientation in roles where effective risk management is critical.
- Reinforce behavioural, ethical and compliance standards.

Cultural refinement
- Integrate risk management lessons-learned into communications, education and training.
- Hold people accountable for their actions.
- Refine risk performance metrics to reflect changes in business strategy, risk appetite and tolerance.
- Reposition individuals to reflect change to business strategy and priorities.

Enablers
- Leadership commitment: secure the buy-in and commitment of the leadership team including executives and the board
- Communications: Communicate programme goals to all stakeholders, and proactively seek out feedback
- Measurement and reporting: Establish an objective measurement of the organisation’s risk culture and report on it regularly.
- Programme management: Manage as a programme of change, including co-ordinating with other relevant change initiatives

In the context of strengthening an organisation’s risk culture, the “tone at the top” is critical in setting guiding values, ways of working and the ethical climate. “Tone at the top” has become a rather hackneyed expression, but if your organisation is to become Fit 4 VUCA, one needs to realise that it is the foundation on which the culture of an enterprise is built. We see the importance of this in our top sporting teams, and it is no different in successful organisations. Ultimately, it is the glue that will hold your organisation together. The risk culture cannot be changed if the change is coming from the risk management function alone. Leadership must represent the real driver of change.

It is all about ensuring that people know when to watch the weather reports to prepare for environmental threats, when to analyse how the competing teams are playing, when to use new equipment and training techniques to raise the bar, when and how to respond to a threat to the organisation’s effectiveness and survival, when to make tactical substitutions, when to attack, how to organise your defence, when to play the ball wide, how to enable your fly-half to take a short pass from the scrum-half. These are all tactics that we prepare for in order to win the game, no matter what gets thrown at us.

The board, the CEO and the chief compliance/risk officer (CRO) all play critical roles in setting this tone at the top and influencing the risk culture.

The board:
- Sets clear roles and responsibilities for risk management
- In terms of succession planning and senior level recruitment activity, ensures that the following are given as much weight as technical skills:
  - Risk understanding
  - Required character and moral fibre
  - “Chemistry” and communication/leadership skills
- Demands timely escalation procedures
- Receives training in terms of its new role and responsibilities
- Demands audit results that indicate a strong compliance culture
- Requires a regular cycle of risk reviews
- Allocates adequate resources for management of risk
- Sets a well-defined and clearly articulated risk appetite for the organisation

The CRO:
- Needs to be a person with the appropriate integrity, stature and character to reflect the organisation’s commitment to ethics and to managing risk
- Plays a critical role in creating a “speak-up” culture – essential for tone at the top
- Proactively assists the board and the leadership team in understanding and executing their roles in terms of managing risk and seeing the tone at the top
- Is able to translate the risk appetite of the organisation so that everyone understands it and demonstrates appropriate behaviours
- Owns the training and education around managing risk
- Is responsible for setting and facilitating the Risk Management Framework

The CEO:
- Openly communicates his/her values on an ongoing and transparent basis
- Is unequivocal in what is permitted and what is deemed too risky in terms of growing the business
- Behaves in a way that tells employees what counts and what is rewarded and punished
- Works with the leadership team to develop a sense of shared values against which all decisions can be measured and tested
- Ensures adequate risk management education and training for the leadership team
- Ensures that performance management and reward systems support the embedding of the risk culture

The financial-services sector is a world of changing game plans and strategies, of strengthening competition, of changing rules and unpredictable pitch and weather conditions. Your organisations cannot afford to play a sub-standard game, irrespective of the opposition, injuries or bad weather. To not anticipate these factors is a risky game. The reality is that financial-services providers are connected to every industry, every community. We don’t have the option of shutting ourselves away to wait for better times or a weaker opponent in a world that demands that we stay in the game and on the league table. We are leaders, integrators and influencers; and we have a responsibility to anticipate the game and to do business in a responsible and ethical manner.

To survive opposition from non-traditional competitors, to change the game as we are playing it, to prepare ourselves for new and unknown patterns of play, to keep our defence strong but still be able to go on the attack – leaders in the financial-services sector should be preparing their businesses and their employees for uncertainty, so that when the disruption strikes their people are prepared, have the capacity and knowledge to succeed and are able to put the ball over the touchline.

It is critical to ensure that you have the Risk Management Frameworks and structures. Prepare and enable your organisation to lead, respond and set the standard for others. Activate your employees so they become active citizens and integral parts of the team, with a sense of personal responsibility in terms of winning the game. A winning team demonstrates its commitment, its ability and its passion through behaviours – that’s what the shareholders respond to, that’s what the sponsors like, that’s what gets the fans cheering out of their seats. It’s the same in your organisation. Does your game plan, your leadership style and your patterns of play establish the playing field for your team to be successful no matter what opposition, changes or poor conditions it faces?

Contact
Colin Smith
Associate Director – Human Capital
Deloitte Consulting
Direct: 27 11 5174836
Mobile: 27 (0) 845058989
colsmith@deloitte.co.za

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. The more than 200 000 professionals of Deloitte are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2014 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

Designed and produced by Creative Services at Deloitte, Johannesburg. (000000/dbn)
