By Ard W. Valk, Luc Albert and Déborah Carlson-Burkart

As illustrated in the previous article, it is not difficult to list a number of operational risk management failures, including fraud and corruption scandals, non-compliance and major accidents: the London Whale, the Libor scandal, material fines for banks for lacking anti-money laundering controls, and the BP oil spill and its consequences, to name a few.

A common denominator and explanatory factor seems to be – surprisingly – human behaviour.

Risk management practices have devoted a great deal of attention to developing standard frameworks and hard controls in terms of design, existence and operating effectiveness. But behavioural and cultural aspects – the soft side – are less frequently addressed.

It is too simple, however, to assume that merely assessing and improving human behaviour is enough to prevent operational risk management failures.

In this article, control frameworks and individual behaviour are connected to organisational culture.

The internal or “hard control” factor

After scandals that originate from fraud and similar types of failure, the classical response by regulators has been to impose regulations – mostly with regard to finance and risk legislation (Basel II, Solvency III, IFRS 9) – and to tighten them on a regular basis. Following new legislation, the regulator requires companies to adapt their internal control frameworks accordingly. Key elements of controls are planning and control, tasks, responsibilities and authorisations.

Corporate governance codes (also) describe internal control requirements. If well implemented, this leads to the publication of a so-called “in control statement”, approved by the managing board, and reflected in the company’s annual report.

Another internal source of controls is the so-called risk & control self-assessment, in which companies make an inventory of their most important value chains or processes. Key risks are identified which might materially impact the achievement of defined goals (likelihood and impact), and key controls are developed in order to manage, mitigate and monitor these key risks.

These types of controls, which originate from different sources, can be clearly identified. As they are relatively simple to test, they can be seen as hard controls.

According to COSO[1], commonly accepted objectives of a sound internal control framework are: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.

To this end, and as described by COSO, internal control must have five components: control environment, control activities, risk assessment, information and communication, and monitoring. A typical example of a combination of hard controls is a risk management framework.

The human or “soft control” factor

In 2010, Prof. Dr. Muel Kaptein, KPMG Netherlands, researched the “human” root cause behind 150 corporate risk management failures. He discovered that they could all be linked back to one of eight “soft controls” that influence employees’ behaviour: clarity, role modelling, commitment, achievability, transparency, “discuss-ability”, accountability and enforcement. Consequently, he built a framework and methodology around the concept of soft controls which helps to understand, identify, measure and monitor organisational culture (see annex)[2].

Soft controls intervene in or appeal to employees’ individual performance (based on conviction and personality). They also provide insights into employees’ drive, loyalty and integrity, as well as their standards and values.

Soft controls generally include less-objective measures, like culture and the behaviour of management and employees. Inadequate soft controls can have a major impact on the achievement of business objectives. Hence, the upside potential for the company’s development is substantial, if these eight soft controls are adequately adopted and incorporated.

Soft and hard controls: A fine balance

Soft controls influence behaviour and can help with achieving goals and managing risks. They do not replace legislation, rules, protocols or procedures. Written hard controls are a strong foundation that shows what the company’s control framework looks like. They also allow the company to provide proof to boards, regulators and other stakeholders that it is in compliance with laws and regulations.

But it does not stop with the design and existence of a hard-control framework; what matters is operating effectiveness.

Hard controls prove ineffective if they are not communicated, or are misunderstood, evaded or even deliberately neglected. Implementing hard controls in an environment without enforcement, accountability or commitment (see annex) is doomed to fail.

Soft controls, and the implicit conduct that goes along with them, serve as lubricating oil; without it the machine cannot run. Hence, soft controls can improve the operating effectiveness of hard controls, but not the other way round.

How to connect hard and soft controls?

One should start at the organisational level, once convinced that where soft controls are prominently visible in an organisation, behaviour improves, the hard control framework is more likely to be implemented effectively, and the chance of incidents occurring decreases.

Organisational culture is expressed in the values and behavioural standards an organisation considers important, and it is one of the most important indirect behaviour influencers within an organisation. Behavioural standards can be set by using soft controls and determining ambition levels.

Defining and achieving a desired organisational culture is difficult. Soft controls are less tangible and there is often no strict standard against which they can be tested. The culture being aimed for should be transparent to all stakeholders and ethically sound.

Once an organisation is prepared to learn from failures and mistakes (materialised risks) and turns them into lessons learned, in order to reduce likelihood and impact should they occur again, the goal has been reached.

The most important indirect behavioural influencer is management behaviour, including leadership style and role modelling (“tone at the top”). In addition, awareness training, skill improvement and actively encouraging interventions at the individual level are instrumental in achieving the desired organisational culture.

Behaviour and culture are an integral part of managing risks: effective risk management is only possible if structure (hard controls) and culture (soft controls) are in balance. No matter how clearly risk appetite and controls are defined, people working in the company will not consistently make the desired decisions unless the corporate culture encourages them to “do the right thing” naturally.

The benefits of applying soft controls and paying attention to the human factor

As mentioned earlier: when behaviour improves, the chance of incidents occurring decreases.

But there is more.

When role modelling, enforcement, “discussability” and accountability are vividly present, the door opens for continuous improvement. A critical attitude towards the going concern of a company in its many aspects will improve the framework, can foster pro-activity, and creates the foundations for a learning organisation.

Board member awareness and key learnings

Given the important combination of hard and soft controls, board members should be aware of the following key learnings:

  • Human behaviour is a risk factor
  • In addition to hard controls, soft controls are necessary
  • Hard and soft controls interact
  • Design and existence of a risk framework on its own is not sufficient
  • Soft controls are a conditio sine qua non for operating effectiveness
  • Soft controls open the road for continuous improvement
  • Tone at the top starts in the board room

Concluding: a board must really understand the company’s risk culture, the human factor and the behaviour that goes with it, in order to set an effective risk framework and create the conditions for continuous improvement.


Author Ard W. Valk, IDP-C, is a risk manager, Independent Board Member / Non-Executive Director and Independent Risk Advisor.

Co-Author Luc Albert, IDP-C, is an Independent Board Member.

Co-Author Déborah Carlson-Burkart, IDP-C, is a lawyer and Independent Board Member.


Annex: Soft controls – What do they mean?

  • Enforcement: Is desired behaviour rewarded and undesired behaviour sanctioned?
  • Call someone to account (accountability): Are people held accountable by others in the organisation for misconduct?
  • Discussability: Do people feel comfortable voicing their opinion, raising issues and discussing dilemmas?
  • Transparency: Is people’s behaviour visible to others?
  • Achievability: Are activities and targets realistic?
  • Commitment: Do employees feel motivated and engaged to follow the rules?
  • Role modelling: Do managers set a good example?
  • Clarity: Are rules, procedures and desired behaviour clear?

[1] This definition, the best-known and most widely used by both professionals and academics, originates from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 1992), which provided a first conceptual framework for internal control.

[2] Kaptein, M., Wallage, P., Assurance over gedrag en de rol van soft-controls: Een lonkend perspectief, KPMG, 2010.

Human behaviour – Why does it matter to effectively manage risk?

By Luc Albert, Ard W. Valk and Déborah Carlson-Burkart

Organisations are exposed to risks

In September 2011, Kweku Adoboli was arrested after having caused a loss of over US$ 2 billion for UBS through unauthorised trading at the group’s investment bank. In the following month, the bank’s CEO admitted that UBS’s computer system had detected Adoboli’s unauthorised trading activities beforehand. Although the system had issued a warning, the bank had failed to act upon it.

Over the past two decades, the financial industry has been regularly shaken by cases of this nature. These occurred despite strong regulation and the existence of robust risk frameworks. Underlying causes included fraud or bad intentions, but also human mistakes and misinterpretations of duties and responsibilities.

In April 2010, the Deepwater Horizon drilling rig exploded in the Macondo Prospect oil field, about 40 miles southeast of the Louisiana coast. The explosion resulted in human casualties – 11 workers died and 17 were injured – an oil well fire and a massive offshore oil spill in the Gulf of Mexico. A BP report, released in September 2010, revealed a series of design errors, operational malfunctions and human mistakes as the main causes of the catastrophe. In September 2014, a US District Judge ruled that BP was guilty of gross negligence and wilful misconduct. Transocean and Halliburton, two other companies involved, were fined alongside BP, which was apportioned the bulk of the blame.

The oil industry is known for applying rigorous risk management, given the nature of its operations and its potential exposure to the environment. In this industry too, multiple examples can be found of significant accidents, major pollution and human tragedy which could not be prevented despite these frameworks.

The Enron scandal, publicised in October 2001, resulted in substantially more regulatory scrutiny and led to the implementation of the Sarbanes-Oxley Act. The downfall of Enron was caused by wilful human misconduct, incentivised by asymmetric compensation schemes, creative accounting facilitated by the firm’s auditor, and a corporate culture focused on misleading internal and external stakeholders.

Risk management framework: a foundation for risk mitigation

A sound risk management approach provides a framework which typically allows an organisation to identify particular events relevant to its objectives, to assess them in terms of likelihood and magnitude of impact, and to determine a response strategy and a monitoring process, including regular reporting on the framework’s design and operating effectiveness. By identifying and proactively addressing risks and opportunities, organisations can protect and create value for their stakeholders, such as owners, employees, customers, regulators and society at large.

The company’s executive management is responsible for establishing and implementing an appropriate risk management framework. Ongoing oversight is sometimes enforced via a dedicated risk management function, led by a member of the executive management team. Today, this is the standard approach in strongly regulated sectors such as the financial industry. Internal audit provides assurance.

The board, which has ultimate fiduciary responsibility for determining the company’s strategic direction, plays an important role in assuring that risks are appropriately identified and effectively mitigated. After being inducted into the firm’s risk management framework, board members merely receive regular reports from executive management, the internal audit function and the external auditors, including ongoing risk assessments, identified exposures and mitigating actions. Applying its collective expertise and experience, the board facilitates the identification of oversights and blind spots.

Does this allow the board to effectively fulfil its supervisory role in risk management?

A survey conducted among our IDP 29 cohort members about their own experience revealed a wide variety of risk management approaches in the companies they are engaged in as board members. Not surprisingly, regulated industries appear to have more robust risk frameworks than non-regulated ones. The same applies to larger, more mature companies in comparison with start-ups or smaller companies. The information received differs in quantity, quality and regularity, and is often not easy to assess. The amount of time boards dedicate to risk management also differs between companies and industries. Developing a thorough understanding of the company’s core processes as a prerequisite for fulfilling the board’s role turned out to be a common denominator.

Although the examples at the beginning of this article come from different industries, human behaviour seems to be a decisive factor in all three. Whilst risk management frameworks are hardly comparable in quality, rigour and attention, their effectiveness depends heavily on how they are applied by the people involved on a daily basis.

So, why should human behaviour be of interest to board members?

Let us take a step back. The board has ultimate fiduciary responsibility for determining the company’s strategy. This includes stress testing a long-term business plan, its underlying assumptions and main risks. Whilst executive management is mandated to seek growth opportunities, drive innovation and strengthen the company’s market position, it is the board’s responsibility to ensure that the company’s going concern is not put at risk. Or as Timothy Rowley likes to put it: “An effective board acts as an anti-inflammatory, not a growth hormone.”

Once the strategy for a given period has been approved, the board’s role moves to regular “health checks”, which are to a large extent defined by the company’s risk management framework. However, as it turns out, it is not enough to have a cognitive understanding of the risk management framework, its processes and its controls, as their operating effectiveness ultimately depends on how “risk management is being lived” in daily operations.

As Plato stated in 340 BC: “Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.” A crucial element – besides tools and systems – is therefore human behaviour, which is best captured in the risk culture the company has developed. The vast majority of employees go to work with the best of intentions, using their skills and talents to contribute to the company’s going concern. Setting aside the few who engage in wilful misconduct, fraud or even criminal activities, staff and executives at all hierarchical levels will use their intelligence and judgement to “do the right thing”. At the same time, mistakes are inherent in any human intervention.

Understanding the human factor and the risk culture in a company is crucial for the board to operate effectively. Some of the questions board members should keep in mind: How does the human factor affect risk management in the company? Are mistakes openly addressed and useful lessons learned, leading to improvements in risk management behaviour? What do I, as a board member, need to know about human behaviour and risk culture across the organisation?

In a second article on this topic, we will further assess how an understanding of human behaviour and risk management culture can be captured as a crucial element of board effectiveness.

Luc Albert, IDP-C is an Independent Board Member.

Ard W. Valk, IDP-C, is a risk manager, Independent Board Member and Independent Risk Advisor.

Déborah Carlson-Burkart, IDP-C, is a lawyer and Independent Board Member.

On Risk – It’s the Reputation, stupid!

By Frans Cornelis, MBA83J, IDP-C

Risk management is one of the “big three” attention items for non-executive directors, along with strategy and talent. And the current COVID-19 crisis has left many scratching their heads, wondering what lessons one should draw from this highly unpleasant experience.

Previous worldwide crisis situations that virtually no one had planned for gave rise to concepts like “The Black Swan”. So is COVID-19 a “Black Swan”? Probably not – to quote Michele Wucker, it is more like a “Grey Rhino”: a known risk, rare but by no means extinct, and with very destructive properties.

So what is a non-executive director to do? Classic “risk management” often has a financial and statistical focus. One can and should insist that an organization maintains sufficient reserves, of all types. And the idea that if you are below your maximum leverage you are inefficient, or in some way not maximizing things for your stakeholders, is probably overdue for a rethink. One organization I am involved with, and that had to close down completely for almost three months, is now very happy with the fact that they did not go anywhere near the limit, and that they are therefore surviving where others have already gone bankrupt.

Over the decades, “risk management” has almost developed into a specialized science. In many if not most major businesses there are elaborate schemes to assess risk, usually on the financial side (interest rates, policy changes, but also things like changes in fashion), and mostly drawn up by accounting people. As a non-executive director, you could be forgiven for thinking that you have done your job well when you have scrutinized, probed and discussed the typically complex and serious report on “Risk Management” that has been produced for inclusion in the annual report.

And yet… The COVID-19 crisis should also make us think first and foremost about something the Coca-Cola leadership used to say: “You can take away everything, but if you leave the brand and some of our key people, we will rebuild the business”.

And, interestingly, research backs this up. The annual AON risk management surveys have had a consistent item in the #1 spot for largest risks for decades now: Reputation. Not industrial policies, fashion, monetary policy, flooding or what have you. They all figure in the lists, but Reputation comes out on top, almost every time and usually by some margin.

Also, the Boston-based Reputation Institute, in cooperation with the Rotterdam School of Management (RSM), runs serious longitudinal studies of many thousands of organizations worldwide, measuring “Reputation”. They also point out that Reputation is closely linked to another concept: Identity.

And there are quite a few cases, with verified examples, where they can show that a high reputation score allows you to recover quickly from a disaster, whereas a poor reputation score does not.

Studies by Prof. Cees van Riel (RSM, now emeritus) also show that the actions taken in the initial phases by the company’s executives and spokespeople are critical to whether or not it benefits from that “Reputation cushion”. The wrong actions quickly destroy that reputation, sometimes forever.

Take the well-known case of the once world-leading Perrier water, where a contamination was detected in the flagship product. While a recall was forced on the company in the USA, management sought to play for time and declared, untruthfully, that this had been a one-off mistake. In reality, it soon became clear that water all over the world had this contamination, and had had it for quite some time. In a post mortem, it turned out to be due to bad quality and process control at the source itself. Why did management lie, and did they know they were lying? Hard to tell, but the attitude was certainly one of denial, at the expense of their customers and, subsequently, the other stakeholders. The company never got anywhere near its previous market share, valuation and standing. It was sold 18 months later – to a direct competitor.

So does this mean that non-executive directors should also insist on better PR people, or that they should have probed the quality systems in the core processes more closely? That cannot be the right answer, as they would end up firmly in the chairs of management.

What it does mean is that we should all be aware that, while Reputation is the key risk, it is very closely linked to the actual Corporate Identity. That Identity is defined by norms, values, ethical choices and character: not so much the beautiful words in the corporate statements, but the real actions and the actual paradigms.

What you do in a crisis will be seen by all stakeholders, and they will immediately notice when, faced with a tradeoff between the interests of various groups of stakeholders, the company chooses against its customers.

This “Identity” (the actual one, not just the one on paper or in advertising slogans) is formed over many years and ingrained in the character of the employees. It is heavily influenced by the actions and personal examples of management. The “value statements”, “purpose statements”, “brand” or whatever they are called are certainly important, and one has to start somewhere, but actual behavior is the deciding factor.

That Identity is, as the Germans like to say, “Chefsache”. So yes, a Risk Analysis does deserve the full attention of good non-executive directors. If the report does take Reputation into account, so much the better. But in my mind, great non-executive directors have also made sure that the core values inside the organization, what people feel they stand for, and the ways the outside world perceives the organization, have been carefully defined and strengthened.

When a highly appreciated Identity, as externally perceived, is aligned with the “employer brand”, the “corporate brand promises”, the investor reputation, and the actual internal and external actions, you have a fantastic foundation that will also guide and determine the right actions in a crisis, when there is no time to weigh and ponder each individual statement or action.

In the current COVID-19 crisis, there are many examples of companies that were quick, open and transparent when they could not keep their promises. I know of some organizations where clients literally sent emails saying “Keep my money, hang in there, and we’ll see what you can do when this is over”. But there are also many companies who leapt from promise to promise, did not follow through on the promises for many months, got into overly legalistic and “small print” conversations and lost a lot of sympathy with their stakeholders.

I have a hunch who, a few years from now, the winners will turn out to be.

So my recommendation for non-executive directors in these times is: do read your Risk paragraphs – but also do check whether the crisis actions harm or bolster the reputation of the organization. And whether there is a clear, admirable and effective “Identity”. Because once survival is more or less assured, that is what will determine how well you can bounce back – or not.

Putting a people lens on risk management and controls

COVID-19 has been a catalyst for many boards and management teams to focus more on the well-being of their people and their corporate cultures. What could this mean for risk management and controls?

By Karen Loon IDP-C, IDN Board Member and Non-Executive Director

As directors in times of crisis, many of us have become more anxious as a result of the multiplicity of uncertainties we have experienced, both at work and in our personal lives. As a result, in our director roles, we may inadvertently bring these anxieties into the boardroom.

Our role includes asking what we can do to minimise the risk of similar circumstances in the future, and the new environment has definitely led to new risks which need to be managed, particularly cyber risk as digitisation has accelerated. But there is also a risk that we ask our organisations to put in place additional measures, policies, procedures and controls without fully understanding the root causes of these complex new issues, which could inadvertently lead to further organisational and employee anxieties and issues in the future.

At this time, is it worth taking a step back and reflecting on whether we fully understand our organisational cultures and future challenges through a people lens before taking action?

The impact of Work from Home

COVID-19 has had a major effect on our lives, as it has impacted our work-life balance. Confined to home, many of us have seen the boundaries between our private and professional lives disappear. Whilst some may view this as liberating, others may not view it as positively. Added to this has been the long emotional roller coaster we have been on – the longer social distancing lasts, the less energetic and motivated people may be. I know of many people in senior roles who are exhausted as a result of working from home for months.

Maintaining a healthy corporate culture

COVID-19 has not only impacted the business models of organisations but has also had a significant impact on how people work together. Some employees may feel excessive pressure to achieve results for fear of losing their jobs. For others, interpersonal relations may be inadvertently strained by the physical separation of teams. This loss of energy and motivation is challenging the old ways of working together, and could lead to tensions in organisations.

Given that the way we work may not return to the way things were for some time (or even at all), boards should reflect on whether our corporate cultures are healthy and whether their systems, norms and values are fully aligned with the purpose of our organisations, as this will influence how people feel and behave.

How could risk management and controls be impacted?

Many risk management and control frameworks were put in place to focus people on how to manage their businesses, assuming that they will operate as usual, that they can identify and manage most risks, and that people will behave as expected. However, not all risks and behaviours are as expected; for example, internal frauds continue to take place. Further, who would have expected COVID-19 to happen, or the impact it has had on organisations and people?

In a crisis like COVID-19, sudden triggers may lead to individual anxieties and unexpected behaviours, some of which may be triggered unconsciously. Before putting in place additional measures, policies and procedures, it is worth considering how people may feel and behave as a result of them, as the measures could inadvertently increase organisational and individual anxieties and affect behaviours, which could in turn lead to other risks. It is worth noting that many IT/cyber issues can be traced back to human error or oversight.

As directors, we have a role in ensuring that there is an appropriate balance between resilience and agility in our organisations. Evaluating the effectiveness of risk management and controls in our organisations requires us to consider our overall organisational cultural context and norms. For our companies to perform, we also have a responsibility to ensure that our people’s well-being is looked after. Questions we should ask ourselves are:

  • Does the culture of our organisation, and the way we work in the new norm, lead to collaboration, respect, trust and accountability? Is there an environment of continuous learning in which we learn from our mistakes at all levels of the organisation (individual, interpersonal, group, intergroup and interorganisational), which will allow the organisation to pivot and be agile in the future? Or is the culture overly competitive and overly focused on growth, more individualistic, siloed, less open, and technocratic and rigid?
  • How have increased digitisation and working from home changed the way work is done? How have our risks changed, and how should our controls best manage these risks?
  • And given the need to manage both performance and people, should we revisit how we manage our risks and our control environment? For example, do our remuneration policies appropriately balance resilience and agility considerations?

Time to reflect

Many of us look at how organisations identify risks and the controls put in place from a rational and logical perspective. However, at times of stress and anxiety, not all of us may behave as we would have done in a pre-COVID-19 environment.

In undertaking our roles, we should strive to be empathetic, build trust, take a step back and consider the people aspects of our organisations and how they affect risk management and the control environment. Assessing corporate culture and putting a people lens on how risks are managed will be an important role of boards when guiding their organisations forward in a more uncertain world.

Karen Loon is a Non-Executive Director based in Singapore.