By Ard W. Valk, Luc Albert and Déborah Carlson-Burkart
As illustrated in the previous article, it is not that difficult to list a number of operational risk management failures, including fraud and corruption scandals, non-compliance and major accidents: the London Whale, the Libor scandal, material fines for banks for lacking anti-money laundering controls, and the BP oil spill and its consequences, to name a few.
A common denominator and explanatory factor seems to be, surprisingly, human behaviour.
Risk management practices have devoted a great deal of attention to developing standard frameworks and hard controls in terms of design, existence and operating effectiveness. Behavioural and cultural aspects, the soft side, are less frequently addressed.
It is too simple, however, to assume that assessing and improving human behaviour alone is enough to prevent operational risk management failures.
In this article, control frameworks and individual behaviour are connected to organisational culture.
The internal or “hard control” factor
After emerging scandals that originate from fraud and similar types of failure, the classical response by regulators has been to impose regulations, mostly with regard to finance and risk legislation (Basel II, Solvency III, IFRS 9), and to tighten them on a regular basis. Following new legislation, the regulator requires companies to adapt their internal control frameworks accordingly. Key elements of such controls are planning and control, tasks, responsibilities and authorisations.
Corporate governance codes (also) describe internal control requirements. If well implemented, this leads to the publication of a so-called “in control statement”, approved by the managing board, and reflected in the company’s annual report.
Another internal source of controls is the so-called risk & control self-assessment, in which companies make an inventory of their most important value chains or processes. Key risks are identified which might materially impact the achievement of defined goals (in terms of likelihood and impact), and key controls are developed to manage, mitigate and monitor these key risks.
These types of controls, which originate from different sources, can be clearly identified. As they are relatively simple to test, they can be seen as hard controls.
According to COSO[1], the commonly accepted objectives of a sound internal control framework are: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
To this end, and as described by COSO, internal control must have five components: control environment, control activities, risk assessment, information and communication, and monitoring. A typical example of a combination of hard controls is a risk management framework.
The human or “soft control” factor
In 2010, Prof. Dr. Muel Kaptein, KPMG Netherlands, researched the “human” root cause behind 150 corporate risk management failures. He discovered that they could all be linked back to one of eight “soft controls” that influence employees’ behaviour: clarity, role modelling, commitment, achievability, transparency, “discuss-ability”, accountability and enforcement. Consequently, he built a framework and methodology around the concept of soft controls which helps to understand, identify, measure and monitor organisational culture (see annex)[2].
Soft controls intervene in or appeal to employees’ individual performance (based on conviction and personality). They also provide insights into employees’ drive, loyalty and integrity, as well as their standards and values.
Soft controls generally involve less objective measures, such as culture and the behaviour of management and employees. Inadequate soft controls can have a major impact on the achievement of business objectives. Hence, the upside potential for the company’s development is substantial if these eight soft controls are adequately adopted and incorporated.
Soft and hard controls: A fine balance
Soft controls influence behaviour and can help with achieving goals and managing risks. They do not replace legislation, rules, protocols or procedures. Written hard controls are a strong foundation that shows what the company’s control framework looks like. They also allow the company to provide proof to boards, regulators and other stakeholders that it complies with laws and regulations.
But it does not stop with the design and existence of a hard controls framework, as it is all about operating effectiveness.
Hard controls prove ineffective if they are not communicated, or if they are misunderstood, evaded or even deliberately neglected. Implementing hard controls in an environment without enforcement, accountability or commitment (see annex) is doomed to fail.
Soft controls, and the implicit conduct that goes along with them, serve as lubricating oil; without it the machine cannot run. Hence, soft controls can improve the operating effectiveness of hard controls, but not the other way round.
How to connect hard and soft controls?
One should start at the organisational level, once convinced that as behaviour improves, which is the case as soon as soft controls are prominently visible in an organisation, the chance of effectively implementing the hard control framework rises and the chance of incidents occurring decreases.
Organisational culture is expressed in the values and behavioural standards an organisation considers important. Organisational culture is in turn one of the most important indirect behavioural influencers within an organisation. Behavioural standards can be set by using soft controls and determining ambition levels.
Defining and achieving a desired organisational culture is difficult. Soft controls are less tangible, and there is often no strict standard against which they can be tested. The culture being aimed for should be transparent to all stakeholders and ethically sound.
Once an organisation is prepared to learn from failures and mistakes (materialised risks) and turns them into lessons learned in order to reduce the likelihood and impact of a recurrence, the goal has been reached.
The most indirect behavioural influencer is management behaviour, including leadership style and role modelling (“tone at the top”). In addition, awareness training, skill improvement and actively encouraging interventions at the individual level are instrumental in achieving the desired organisational culture.
Behaviour and culture are an integral part of managing risks: Effective risk management is only possible if structure (hard controls) and culture (soft controls) are in balance. No matter how clearly risk appetite and controls are defined, people working in the company will not consistently make the desired decisions, unless corporate culture encourages them to “do the right thing” naturally.
The benefits of applying soft controls and paying attention to the human factor
As mentioned earlier: When behaviour improves, the chance of incidents occurring decreases.
But there is more.
When role modelling, enforcement, “discussability” and accountability are vividly present, they open the door to continuous improvement. A critical attitude towards the going concern of the company, in its many aspects, will improve the framework, supports pro-activity and lays the foundations for a learning organisation.
Board member awareness and key learnings
Given the important interplay between hard and soft controls, board members should be aware of the following key learnings:
- Human behaviour is a risk factor
- In addition to hard controls, soft controls are necessary
- Hard and soft controls interact
- Design and existence of a risk framework on its own is not sufficient
- Soft controls are a conditio sine qua non for operating effectiveness
- Soft controls open the road for continuous improvement
- Tone at the top starts in the board room
In conclusion: a board must really understand the company’s risk culture, the human factor and the associated behaviour in order to set up an effective risk framework and create the conditions for continuous improvement.
Author Ard W. Valk IDP-C is a risk manager, Independent Board Member / Non-Executive Director and Independent Risk Advisor.
Co-author Luc Albert IDP-C is an Independent Board Member.
Co-author Déborah Carlson-Burkart IDP-C is a lawyer and Independent Board Member.
Annex
Soft controls – what do they mean?
Soft control | Question to ask |
Enforcement | Is desired behaviour rewarded and undesired behaviour sanctioned? |
Call someone to account | Are people being held accountable by others in the organisation for misconduct? |
Discussability | Do people feel comfortable voicing their opinion, raising issues and discussing dilemmas? |
Transparency | Is people’s behaviour visible to others? |
Achievability | Are activities/targets realistic? |
Commitment | Do employees feel motivated and engaged to follow the rules? |
Role modelling | Do managers set a good example? |
Clarity | Are rules, procedures and desired behaviour clear? |
[1] This definition, the best known and most widely used by both professionals and academics, originates from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 1992), which provided the first conceptual framework for internal control.
[2] Kaptein, M. and Wallage, P., Assurance over gedrag en de rol van soft-controls: Een lonkend perspectief, KPMG, 2010.