• ⇤
• ⇽
• ≡
• ⇾
• ⇥

an experiment in risk culture programming

the journal of Michael Werneburg

twenty-seven years and one million words

A large part of my duty as a risk manager is to guide the organization’s approach to risk. This applies not only to risks in the pursuit of opportunity or the guarding of assets, but to the everyday decisions by which the organization achieves its goals. For it to have any meaning, guidance from my office has to set the standard for risk tolerance in language that means something to the organization.

In stating the organization’s tolerance for risk in a way that can be readily consumed, I’m hoping to allow members of the organization to understand something useful about the company’s mission, its self-conception, and its internal culture. This clarity is vital. The Institute of Risk Management, in the 2012 volume Risk Culture from their “Resources for Practitioners” series, summed it up nicely:

Human beings, acting as individuals and interacting in groups, are the ‘wetware’ in the system—not necessarily behaving in the logical, predictable, and controllable way that we would like them to.

Process manuals and policy documents can’t solve this. Annual training sessions can’t do it, either. Embedding risk into the day-to-day decision making requires reinforcement at every point. Compiling an explicit statement of risk tolerance is one of the means by which I’m trying to achieve this reinforcement.

A statement of risk

In September of 2014, Portfolio Aid Inc. published its statement of risk tolerance to the company’s website, in an internal memo, and to a colorful poster in the kitchen. The statement reads:

Risk is a necessary part of business opportunity. The Company must be sure to understand and mitigate risks when pursuing opportunities.

PortfolioAid offers a compliance solution in a heavily regulated industry in which reputation is crucial to our clientele. As a niche vendor, we must ourselves maintain a flawless reputation for ethical and competent behavior, and must convey stability.

In making decisions in business conduct, the Company shall consider our reputation and the reputation of our clients. The Company shall also consider impacts to the quality of our products, our ability to serve our clients in a timely and effective fashion, and potential consequences to our financial standing.

The Company shall engage only in activities that meet these criteria.

In communicating the company’s risk statement in this fashion, I’m explicitly asking our staff to consider our clients. I’m also driving home the issue of reputation. In doing so, I hope to convey something vital about how we wants to manage the thing that separates it from every other firm on Earth: our brand. Here I’m talking about the company’s unique position in the market, our unique relationship with our clientele, and the vital impressions of the company formed by internal and external parties alike.

Making decisions

To tie the risk tolerance statement to decisions on the ground, the company has also published guidance on incorporating risk into its routine decision making. That kitchen poster further says:

These are some questions by which risk can be factored into decisions:

• Have we gathered enough information to make this decision with competence? What are the uncertainties?
• Have we sufficiently considered potential outcomes from this decision?
• If divulged, would this decision negatively impact the Company’s reputation, or the reputation of our clients?

An ongoing experiment

All of this is quite supplemental to the concrete things we do to understand and deal with risk on a regular basis. As a technology service provider, we go to great lengths to secure information assets. We constantly monitor performance on hundreds of internal controls. These are documented in process manuals that tie the controls to certain activities that are assigned to named individuals. Those individuals sign off their acknowledgement of those duties annually. This is all verified in annual service audits compiled in semi-annual sessions with our auditors. We train staff annually on acceptable use of their IT assets. We conduct annual business continuity drills and technical penetration tests. But for all of this ‘what’ and ‘how’, I believe it’s the ‘who we want to be’ that matters.

I’m aiming high. The IRM publication speaks of the “tone of the top” in terms of the clarity of direction and how the organization responds to bad news. It speaks of decision making in terms of the degree to which decisions are well informed and involve the right degree of risk. It speaks of governance, in which accountability for risk is clear and risk information is timely and transparent. Lastly, it points to the competence of the risk function – is that function embedding risk management skills across the firm. I want all of these things, and intend that clearly expressed guidance can help shape the company’s risk culture in obtaining them.