2. Bottom-up leadership

While we are used to thinking about risk management in terms of formal corporate governance structures and processes, our research showed that these top-down efforts are less than half of the solution. While effective formal systems are certainly required – for auditing, compliance, insurance and many other reasons – most of the companies we spoke to said that no amount of top-down management could truly cover the myriad risks their firms face every day. It was essential that risk awareness and mitigation be deeply embedded into the operational culture of the firm.
Some of the key components of such cultures are shown in the figure above. While the balance of these and other cultural aspects will clearly vary by both firm and industry, just about every organization can relate to these concepts. Having a culture of safety, where defects and problems are tracked and measured, and where employees drive improvements in quality and raise red flags when necessary, seems like common sense. But, as recent events have shown, sustaining a socially responsible business culture where employees are not afraid of speaking the truth to those in power, and where individuals are actually held accountable, is much easier said than done.
As always, lived values matter more than written rules. If the behaviours and systems of the firm put profits above all else, there should be no surprises when incidents occur. We have also seen how a company’s true values are inevitably exposed after a crisis, and the inability of market leaders such as BP, Citicorp and Goldman Sachs to satisfactorily explain the ethics and values behind their behaviour has put their firms at even greater risk. This is why we believe that a company’s executives, employees and IT organization must view risk management in a consistent, informed and highly ethical manner. We hope our research helps toward this end.