Risk culture
CREATING A RISK CULTURE FRAMEWORK
Risk culture lies at the root of many of the most publicised energy
risk management failures. In the first instalment of a two-part series,
Carlos Blanco, Jean Hinrichs and Robert Mark explore how energy firms
can define, assess, benchmark and actively manage risk culture
Interest in the risk culture of organisations has increased dramatically in recent years. During that time, research, studies and broad discussions on the importance of risk culture have proliferated across the world.

Risk culture is often the elephant in the room behind many risk management failures, such as those shown in figure 1. To enhance firms' level of risk awareness, boards and senior management should periodically assess the risk-taking culture of their organisation in order to understand how people at various levels make decisions that have a material impact on the firm's risk profile.

What is risk culture?

Most people believe that they already understand what risk culture is. This attitude is characterised by the phrase: 'I know it when I see it.' Risk culture drives the behaviours that influence all business practices, yet it is often based on softer skills, informal controls and communications that are invisible and less tangible than structured processes. Consequently, each individual's definition of risk culture may be biased by personal values, ethics and experiences.

Why do we need a single definition of risk culture? Assessing the effectiveness of risk culture in an organisation requires a common understanding of what it is. A variety of professional and regulatory organisations have attempted to define risk culture. While there isn't a consensus on any one definition, most of those we reviewed include a focus on behaviour and practices to identify and manage risk.

For the purposes of this paper and a broader discussion of risk culture, we have developed the definition shown in box 1, which borrows elements from several definitions already espoused by others.

B1. Definition of risk culture

Risk culture consists of the values and norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify and understand, openly discuss and act on the organisation's current and future risks. Risk culture is influenced by ongoing formal and information processes that may differ between discrete organisational groups.
Risk culture and energy firms

Risk culture is at the root of many of the most publicised energy risk management failures in the past few decades (see figure 1). A holistic analysis of the risk management process at any firm must include an investigation of risk culture, since any deficiencies in this are likely to negatively impact risk governance, risk management and risk oversight.

In figure 1, we can see the main causes of energy risk management failures organised into four overall groups. One of these is excessive risk-taking. If a board either fails to set clear boundaries around the firm's risk appetite, or fails to understand the breadth and magnitude of material risks being taken, then certain units within the firm may take excessive risks, which can ultimately compromise its survival.

In many instances, a poor risk culture is also reflected in a lack of rigorous risk analysis, the exclusion of risk groups from major investment and divestment decisions, or an aggressive incentive structure based primarily on short-term results. In such instances, risk managers are unlikely to be empowered to effectively challenge, confront or escalate a deteriorating situation due to lack of authority, independence or clear guidelines.

Another set of risk management failures includes market manipulation, outright fraud, and the existence of questionable ethics.
F1. Key causes of most publicised energy risk management failures
Source: Osipovich (2014); authors

Hedging strategy design and execution
• Metallgesellschaft Refining and Marketing (1993–94)
• Gas and power utilities hedging programmes (2008–present)
• Ceylon Petroleum Corporation (2008)
• Constellation Energy (2008)

Operations and safety risk
• Exxon Valdez oil spill (1989)
• BP: Texas City refinery explosion (2005); Deepwater Horizon oil spill (2010)
• Tokyo Electric Power Company's Fukushima nuclear plant (2011)

Excessive risk-taking
• Energy merchant business model (1999–2001)
• China Aviation Oil (2004)
• Amaranth Advisors (2006)
• SemGroup (2008)
• MF Global (2008–11)

Market manipulation, fraud and ethical failures
• Enron (2001)
• California power crisis (2000–01)
• BP Propane manipulation (2004)
• Power and gas market manipulation cases (2008–present)
30 [Link] July/August 2014
A pattern of doing whatever it takes to meet short-term goals, rather than doing what is right, is a clear warning signal of potential problems. Another warning signal is behaviour that shows a lack of respect for compliance, audit and other risk oversight roles. Recently, many energy market players have strengthened their compliance and oversight in response to increasing pressure from the US Commodity Futures Trading Commission and the Federal Energy Regulatory Commission, for example. Firms with a strong risk culture will be better prepared to comply with the new regulatory requirements being ushered in by laws such as the US Dodd-Frank Act.

Hedging programmes are essential for large energy producers, utilities and consumers, due to the high volatility of commodity and energy prices. One element of risk culture is the degree of risk literacy at the top of the organisation, including the board. Firms with a weak risk culture are more likely to experience problems arising from hedging programmes that are poorly designed, understood or communicated.

Another category of common causes can be traced to failures in operations risk and crisis management. The risk culture of an organisation is critical when it comes to managing emerging risks faced by energy firms, such as ageing infrastructure, terrorism, the impact of climate change or extreme weather. Operations risk in many energy firms is exclusively managed by engineers in business units operating in a silo. This often leads to ineffective oversight by risk and compliance groups.

Framework benefits

One of the challenges of actively managing the risk culture of any organisation is its dynamic nature and complexity. However, the risk management process in firms without a formal risk culture programme has a blind spot that could create material deficiencies. In those situations, adding more risk managers, developing new systems or improving policies and procedures may not adequately address the potential underlying problems in risk culture.

A comprehensive framework for managing risk culture provides the following benefits:
• It creates a common language for discussing and managing risk culture
• It ensures expectations about risk appetite and risk-taking behaviour are clear and practical
• It provides performance and behavioural measures to track and manage desired outcomes and changes
• It improves dialogue regarding the effectiveness of risk culture and related initiatives

Before we introduce the integrated risk culture framework, it is important to understand the difference and interaction between risk culture, risk governance and enterprise risk management (ERM). This is illustrated in box 2.

B2. Risk culture, risk governance and ERM
• Risk culture consists of the values and norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify and understand, openly discuss and act on the organisation's current and future risks
• Risk governance is a systematic approach to decision-making processes adopted to achieve more effective risk management
• ERM is a process applied in strategy-setting designed to identify and manage potential risks that are within the organisation's risk appetite and to provide reasonable assurance regarding the achievement of its objectives

Risk governance includes actions, processes, traditions and institutions through which authority is exercised and decisions are made and executed. Risk governance covers areas such as supervisory oversight, operating processes, performance management, committees and management hierarchy. All of these influence behaviour and corporate values to some extent, thus resulting in risk culture.

An organisation's risk policies, risk methodologies and risk infrastructure are key components of ERM. Policies establish an organisation's tolerance for risk, consistent with its risk appetite and strategy. Risk methodologies include the models and tools that assist with identifying, assessing, and managing risks to achieve strategic objectives. Infrastructure consists of the people and processes necessary to effectively manage risk. The rigour, fairness, and effectiveness of the risk management process influences risk culture. Similarly, risk culture influences both risk governance and ERM.

There are also interdependencies in some areas, such as processes, organisational structure, and tone at the top. For example, if the risk culture is to game an activity by meeting the letter of the rule or regulation, but not necessarily its spirit, then policy and processes will be loosely constructed to allow for gaming. Conversely, if the organisation's risk culture supports doing the right thing in difficult situations, its policies and processes should be more robust, while employees will endeavour to meet the spirit of the rule or regulation based on expectations.

Interrelationships

The integrated risk culture framework is structured to quantify the quality of risk culture. In particular, it captures the interrelationships and interdependencies between the quality of risk culture, risk governance and ERM.

The framework has four characteristics (see figure 2), each with their own underlying dimensions. We have selected these four characteristics because they significantly influence behaviour and values within an organisation. The characteristics are further defined by dimensions that can be observed, assessed and quantified. These are critical requirements for understanding and improving risk culture.

F2. Characteristics and dimensions of the risk culture framework
Source: Authors

Risk awareness and transparency
• Tone at the top
• Robust and open discussions of risk
• Risk appetite linked to risk decisions
• Responsiveness to risk issues

People and risk competence
• Qualified risk personnel
• Effective recruiting and orientation programme
• Continuous learning

Policies and infrastructure
• Risk policies and procedures consistent with risk profile
• Tools to identify, assess, manage and report on risks
• Clear authorities, responsibilities and accountability

Incentives and behaviours
• Performance reviews, compensation, incentives and non-cash recognition
• Talent development and succession planning
• Gaming
• Cognitive biases

A series of key risk culture indicators (KRCIs) can be designed to assess each characteristic, as well as its interactions. For instance, there is a strong correlation between the quality of the tools used to identify, assess, manage and report on risk and the ability to be responsive to risk. Furthermore, the ability to attract and retain qualified risk personnel is influenced by the quality of the talent development and succession-planning programmes.

Developing a framework calls for identifying high-level characteristics that provide an insight into the organisation's risk culture. The next step is to identify dimensions of those characteristics that can influence behaviour. In this section, we describe the main dimensions for each characteristic of our risk culture framework.

Risk awareness and transparency of risk issues and related decisions are critical to understanding and managing risk in the organisation. Key dimensions of this characteristic can be used to assess and measure the tone set by senior management and the board regarding risk appetite and risk tolerance. These capture the individual and collective respect for risk management practices across the organisation and its responsiveness to risk issues.

People and risk competence are also important. The long-term success of any firm rests on its ability to attract and retain qualified personnel with adequate skill sets, knowledge and experience to perform their duties. Key dimensions of this characteristic involve recruiting qualified personnel throughout the organisation, along with effective orientation programmes to embed the desired risk culture, supplemented with a process to encourage continuous learning.

Policies and infrastructure supplement a robust risk culture, but are not a guarantee of effective risk management. This characteristic requires policies that complement governance, including clear authorities and responsibilities, along with operations and analytical tools to understand and manage risk.

Incentives and behaviours within an organisation have a significant influence on employees' decisions to take or avoid certain risks. Key dimensions of this characteristic encompass structured and informal processes for performance management, compensation and incentives, career development, and the overall ethics of the organisation.

Summary

Our integrated risk framework identifies four key characteristics and underlying dimensions that allow management and the board to understand, assess and quantify the organisation's risk culture in order to achieve a competitive advantage through an effective risk culture programme. Our approach is unique, because it moves on from what has been a mostly subjective evaluation to a more objective measure of the quality of risk culture.

In our next article, we will discuss how to construct KRCIs to measure the quality of risk culture in an energy company. These KRCIs will be based on the characteristics and dimensions of the risk culture described in this article.

References

Levy C, Twining J and Lamarre E, 2010
Taking control of organizational risk culture
McKinsey working papers on risk, February

Osipovich A, 2014
Ten dark chapters
Energy Risk, February

Carlos Blanco is managing director of Black Swan Risk Advisors. Jean Hinrichs is a risk, governance and control expert. Robert Mark is managing partner of Black Diamond Risk
Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.