Behavioural Risk Management Matters – Be aware

By Ard W. Valk, Luc Albert and Déborah Carlson-Burkart

As illustrated in the previous article, it is not that difficult to list a number of operational risk management failures, including fraud and corruption scandals, non-compliance, as well as major accidents. The London whale, the Libor-scandal, material fines for banks for lacking anti-money laundering controls, the BP oil spill and its consequences, to name a few.

A common denominator and explanatory factor seems to be – surprisingly – human behaviour.

Risk management practices have devoted a great deal of attention to developing standard frameworks and hard controls in terms of design, existence and operating effectiveness. But behavioural and cultural aspects – the soft side – are less frequently addressed.

It is too simple, however, to assume that assessing and improving human behaviour alone is enough to prevent operational risk management failures.

In this article, control frameworks and individual behaviour are connected to organisational culture.

The internal or “hard control” factor

After emerging scandals that originate from fraud and similar types of failure, the classical response by regulators has been to impose regulations – mostly with regard to finance and risk legislation (Basel II, Solvency III, IFRS 9) – and to tighten them on a regular basis. Following new legislation, the regulator requires companies to adapt internal control frameworks accordingly. Key elements of controls are planning and control, tasks, responsibilities and authorisations.

Corporate governance codes also describe internal control requirements. If well implemented, this leads to the publication of a so-called “in control statement”, approved by the managing board and reflected in the company’s annual report.

Another internal source of controls is the so-called risk & control self-assessment, in which companies make an inventory of their most important value chains or processes. Key risks are identified which might materially impact the achievement of defined goals (likelihood and impact), and for which key controls are developed in order to manage, mitigate and monitor these key risks.

These types of controls, which originate from different sources, can be clearly identified. As they are relatively simple to test, they can be seen as hard controls.

According to COSO[1], commonly accepted objectives of a sound internal control framework are: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.

To this end and as described by the COSO, internal control must have five components: Control environment, control activities, risk assessment, information and communication, and monitoring. A typical example of a combination of hard controls is a risk management framework.

The human or “soft control” factor

In 2010, Prof. Dr. Muel Kaptein, KPMG Netherlands, researched the “human” root cause behind 150 corporate risk management failures. He discovered that they could all be linked back to one of eight “soft controls” that influence employees’ behaviour: clarity, role modelling, commitment, achievability, transparency, “discuss-ability”, accountability and enforcement. Consequently, he built a framework and methodology around the concept of soft controls which helps to understand, identify, measure and monitor organisational culture (see annex)[2].

Soft controls intervene in or appeal to employees’ individual performance (based on conviction and personality). They also provide insights into employees’ drive, loyalty and integrity, as well as their standards and values.

Soft controls generally include less-objective measures, like culture and the behaviour of management and employees. Inadequate soft controls can have a major impact on the achievement of business objectives. Hence, the upside potential for the company’s development is substantial, if these eight soft controls are adequately adopted and incorporated.

Soft and hard controls: A fine balance

Soft controls influence behaviour and can help with achieving goals and managing risks. They do not replace legislation, rules, protocols or procedures. Written hard controls are a strong foundation that shows what the company’s control framework looks like. They also allow the company to provide proof to boards, regulators and other stakeholders that it is in compliance with laws and regulations.

But it does not stop with the design and existence of a hard-control framework; what matters is operating effectiveness.

Hard controls prove ineffective if they are not communicated, or are misunderstood, evaded or even deliberately neglected. Implementing hard controls in an environment without enforcement, accountability or commitment (see annex) is doomed to fail.

Soft controls, and the implicit conduct that goes along with them, serve as lubricating oil; without it the machine cannot run. Hence, soft controls can improve the operating effectiveness of hard controls, but not the other way round.

How to connect hard and soft controls?

One should start at the organisational level, convinced that when behaviour improves and soft controls are prominently visible in an organisation, the hard control framework is more likely to be implemented effectively and the chance of incidents occurring decreases.

Organisational culture is expressed in the values and behavioural standards an organisation considers important. It is one of the most important indirect influencers of behaviour within an organisation. Behavioural standards can be set by using soft controls and determining ambition levels.

Defining and achieving a desired organisational culture is difficult. Soft controls are less tangible and there is often no strict standard against which they can be tested. The culture being aimed for should be transparent to all stakeholders and ethically sound.

Once an organisation is prepared to learn from failures and mistakes (materialised risks) and turns them into lessons learned, so as to reduce likelihood and impact should they occur again, the goal has been reached.

The most indirect behavioural influencer is management behaviour, including their leadership style and role modelling (“tone at the top”). In addition, awareness training, skill improvement and actively encouraging interventions at individual level are instrumental to achieve the desired organisational culture.

Behaviour and culture are an integral part of managing risks: Effective risk management is only possible if structure (hard controls) and culture (soft controls) are in balance. No matter how clearly risk appetite and controls are defined, people working in the company will not consistently make the desired decisions, unless corporate culture encourages them to “do the right thing” naturally.

The benefits of applying soft controls and paying attention to the human factor

As mentioned earlier: When behaviour improves, the chance of incidents occurring decreases.

But there is more.

When role modelling, enforcement, “discussability” and accountability are vividly present, the door is opened for continuous improvement. A critical attitude towards the going concern of a company in its many aspects will improve the framework, can help with proactivity and creates the fundamentals for a learning organisation.

Board member awareness and key learnings

Given the important interplay between hard and soft controls, board members should be aware of the following key learnings:

  • Human behaviour is a risk factor
  • In addition to hard controls, soft controls are necessary
  • Hard and soft controls interact
  • Design and existence of a risk framework on its own is not sufficient
  • Soft controls are a conditio sine qua non for operating effectiveness
  • Soft controls open the road for continuous improvement
  • Tone at the top starts in the board room

Concluding: A Board must really understand the company’s risk culture and the human factor and respective behaviour in order to set an effective risk framework and create the conditions for continuous improvement.


Author Ard W. Valk IDP-C is a risk manager, Independent Board Member / Non-Executive Director and Independent Risk Advisor.

Co-Author Luc Albert IDP-C is an Independent Board Member.

Co-Author Déborah Carlson-Burkart IDP-C is a lawyer and Independent Board Member.

Annex

Soft controls – What does it mean?

Enforcement: Is desired behaviour rewarded and undesired behaviour sanctioned?
Call someone to account (accountability): Are people being held accountable by others in the organisation for misconduct?
Discussability: Do people feel comfortable voicing their opinion, raising issues and discussing dilemmas?
Transparency: Is people’s behaviour visible to others?
Achievability: Are activities and targets realistic?
Commitment: Do employees feel motivated and engaged to follow the rules?
Role modelling: Do managers set a good example?
Clarity: Are rules, procedures and desired behaviour clear?

[1] This best-known and most widely used definition, among both professionals and academics, originates from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 1992), which provided the first conceptual framework for internal control.

[2] Kaptein, M. and Wallage, P., Assurance over gedrag en de rol van soft-controls: Een lonkend perspectief, KPMG, 2010.

Putting a people lens on risk management and controls

COVID-19 has been a catalyst for many boards and management to focus more on the well-being of their people and their corporate cultures.  What could this mean for risk management and controls?

By Karen Loon IDP-C, IDN Board Member and Non-Executive Director

As directors in times of crisis, many of us have become more anxious as a result of the multiplicity of uncertainties we have experienced, both at work and in our personal lives.  As a result, in our director roles, we may inadvertently bring these anxieties into the boardroom.

Our role includes asking what we can do to minimise the risk of similar circumstances in the future, and the new environment has definitely created new risks which need to be managed, particularly cyber risk as digitisation has accelerated. But there is also a risk that we ask our organisations to put in place additional measures, policies, procedures and controls without fully understanding the root causes of these complex new issues, which could inadvertently lead to further organisational and employee anxieties and issues in the future.

At this time, is it worth taking a step back and reflecting on whether we fully understand our organisational cultures and future challenges, viewed through a people lens, before taking action?

The impact of Work from Home

COVID-19 has had a major effect on our lives, as it has impacted our work-life balance. Confined to home, many of us have seen the boundaries between our private and professional lives disappear. Whilst some may view this as liberating, others may not view it so positively. Added to this has been the long emotional roller coaster we have been on – the longer that social distancing lasts, the less energetic and motivated people may be. I know of many people in senior roles who are exhausted as a result of working from home for months.

Maintaining a healthy corporate culture

COVID-19 has not only impacted the business models of organisations but has also had a significant impact on how people work together. Some employees may feel excessive pressure to achieve results due to the fear of losing their jobs. For others, interpersonal relations may be inadvertently strained due to the physical separation of teams. This loss of energy and motivation is challenging the old ways of working together, and could lead to tensions in organisations.

Given that the way we work may not return to the way things were for some time (or even at all), boards should reflect on whether our corporate cultures are healthy and whether their systems, norms and values are fully aligned to the purpose of our organisations, as this will influence how people feel and behave.

How could risk management and controls be impacted?

Many risk management and control frameworks were put in place in organisations to focus people on how to manage their businesses, assuming that they will operate as usual, that they can identify and manage most risks, and that people will behave as expected. However, not all risks and behaviours are as expected; for example, internal frauds continue to take place. Further, who would have expected COVID-19 to take place, and the impact it has had on organisations and people!

In a crisis like COVID-19, sudden triggers may lead to individual anxieties and unexpected behaviours by individuals, some of which may have been triggered unconsciously. Before putting in place additional measures, policies and procedures, it is worth considering how people may feel and behave as a result of them, as the measures could inadvertently increase organisational and individual anxieties and impact behaviours, which could lead to other risks. It is worth noting that many IT/cyber issues can be traced back to human error or oversight.

As directors, we have a role to ensure that there is an appropriate balance between resilience and agility in our organisations. Evaluating the effectiveness of the risk management and controls in our organisations requires us to consider our overall organisational cultural context and norms. For our companies to perform, we also have a responsibility to ensure our people’s well-being is looked after. Questions we should ask ourselves are:

  • Does the culture of our organisation and the way that we work in the new norm lead to collaboration, respect, trust and accountability? Is there an environment of continuous learning, where we learn from our mistakes across all levels of the organisation (individual, interpersonal, group, intergroup and interorganisational), which will allow the organisation to pivot and be agile in the future? Or is it overly competitive and overly focused on growth, more individualistic, siloed and less open, technocratic and rigid?
  • How have increased digitisation and working from home changed the way work is done? How have our risks changed, and how should our controls best manage these risks?
  • And given the need to manage both performance and people, should we revisit how we manage our risks and our control environment? For example, do our remuneration policies appropriately balance resilience and agility considerations?

Time to reflect

Many of us look at how organisations identify risks and the controls put in place from a rational and logical perspective. However, at times of stress and anxiety, not all of us may behave as we would have done in a pre-COVID-19 environment.

In undertaking our roles, we should strive to be empathetic, build trust, and take a step back and consider the people aspects of our organisations and how they impact risk management and the control environment.  Assessing corporate culture and putting a people lens on how risks are managed will be an important role of boards when guiding their organisations forward in a more uncertain world.

Karen Loon is a Non-Executive Director based in Singapore.