What is the current culture? What are the reasons for the current culture? What are the challenges in the current risk management domain? Where do we have to reach out and how can we reach this destination? Sonjai Kumar explores the issues surrounding the lack of an active risk management culture in India.
Instituting a “what if” mindset
Responses to the above questions will help us understand the reasons why we are at the current risk culture position and help us start working in the right direction. Without understanding the fundamental causes, it may throw challenges in assessment of current risk culture. The article covers some of the core building blocks of risk culture taken from the Institute of Risk Management (IRM), London, risk culture framework, and helps in bringing together the key components of risk culture.
What is the current culture in India?
While working over the years in the risk management areas performing the risk oversight roles, when dealing with the very fundamental question on “what are the risks” in a particular area; the most common response received is that “There is a no risk”. For example, if people are quizzed on what are the risks in meeting the business objectives in the next quarter, the most common instant response that comes is that there is a no risk. If you further dig the same question, the next response that comes is, “I do not think there is any risk”. It may be noted that the person has gone into a “thinking” mode while responding. A further poke in the same direction and an even deeper response received is, “In my opinion, this will not happen”. It may further be observed that here “opinion” has come into the picture in risk identification. The final round of discussion on the same question brings in a to a more data-centric response, “In past 10 years, this has not happened, why will it happen now?”
The key challenge in such discussions is to identify and acknowledge what the risks are.
In one of the discussions held recently at a risk conclave, a question that came up was “Why is there need of a risk function?” The line of argument reasoned that if you know how to do your business, you will always be able to find ways to eliminate hurdles. This is a very logical response and the right way of doing business. However, does that mean that Lehman Brothers Holdings Inc, Enron and so many other failed financial institutions in western countries did not know how to do the business or is there something deeper that the world has realised in last decade which has hastened the development of risk management and risk-based capital?
Reasons for rising risk consciousness
Till 1990 we witnessed closed economy. The economy was insulated from the external world where interest rate and foreign exchange rates were all government controlled and there was literally no market risk. The working environment was heavily dominated by the government and public sector, money was not a constraint and the economy was dependent on the fiscal deficit to fund the excesses of expenditure with the option to print more money. No business school taught risk management as a core subject at undergraduate or postgraduate level. This fact, however, is still true even at a global level. Even the 2008 economic meltdown did not deter the Indian economy as much as the western world because there was drag effect of the closed economy. As such, there were no thoughts on risk identification in those days.
However, something changed in 1990, when the doors of the Indian shores were thrown open for the foreign players to do business in India and that process of liberalization is still on. This brought Foreign Direct Investment (FDI) in many areas such as insurance, banking, automobiles, pharma, etc., which peaked during 2007-08 at around $40 billion; there were also developments on the economic front with real GDP increasing from 4.5% during 1990-91 to touching highest growth level close to 9% during 2007 before falling to current level. Also, the contributions of the agriculture and service sector in GDP during the early 1990s were 30% and a shade over 40% respectively. The agriculture contribution during 2016 fell to 15% while from service sector increased close to 50%. The industry contribution in GDP stayed flat close to 30%-35% during this period.
The development of the private sector in India mainly happened during this period. The corporate governance guidelines were first developed by Confederation of Indian Industries (CII) which was adopted by Securities and Exchange Board of India (SEBI) in 1998. Post the Satyam debacle, a CII task force was set up in February 2009.
However, something more changed in the risk management sphere after 2000, both at the global level as well as India level. During this period economic capital (EC) was emerging in place of formula-based capital calculation. The EC gave due regard to the level of individual risks and their correlation as compared to formula approach, thus good risk management became a valuable addition to the company.
Also, Enterprise Risk Management (ERM) emerged as a holistic concept to manage companywide risks. The ERM tool talked about risk management at the company level as against the earlier approach of silo risk management. The emergence of economic capital together with the ERM fitted well to make risk management a potent tool both in banking and insurance industries across the world. Also, 2008 global economic crisis reinforced the need for ERM.
In the Indian banking industry, the Reserve Bank of India is committed to implementing the Basel-III norm by 2019. The Basel-III advocates the use of risk-based capital in the banking sector. Similarly, the Indian Insurance regulator is also working towards the introduction of risk-based capital by 2021. There have been developments in the area of revision of corporate governance guidelines in 2016 in the insurance sector by strengthening the roles and responsibilities of the board and different committees.
SEBI requirements also mandate the implementation of ERM in top 100 listed companies in India.
The above discussion encapsulates early stages of various developments in India in different areas such as the economy, private sector; governance and risk management. Further, shareholders are not directly impacted by their capital as its calculations are not based on risks. Therefore, the current risk culture should not be taken as a surprise development.With time, the fundamentals of the uncertainties of the future which result in risks will become more developed.
The above discussion points to the build-up of risk culture; the next question is how the risk culture may be improved?
Improving the Risk Culture
Building risk culture is most important to make ERM effective; this is possible only by understanding the building blocks of risk culture and work on those blocks to improve risk culture. Risk culture is defined as “the values, belief, knowledge and understanding about risk shared by a group of people with a common purpose”. The Institute of Risk Management London has defined fundamentals of risk culture as an ABC model. This stands for “Attitude, Behaviour, and Culture”.
It may be noted that culture is a function of behaviour, Culture =f(Behaviour) and Behaviour is a function of attitude, Behaviour= f (Attitude).
Attitude is the predisposition or a tendency to respond positively or negatively towards a certain idea, object, person, or situation. Attitude influences an individual's choice of action, and responses to challenges, incentives, and rewards (together called stimuli). These stimuli are:
Affective: emotions or feelings
Cognitive: belief or opinions held consciously
Conative: inclination for action
Evaluative: positive or negative response to stimuli
In order to improve the risk culture, it is important to know the building blocks of human nature that influence the perception of risk. The overall build up of the risk culture within the organization is given in Figure-1 taken from IRM framework. At the bottom of the layer is “Personal Predisposition to Risk”, where some people are spontaneous to challenge convention. Such people are organized, systematic and compliant, while another set of people who are cautious, pessimistic and anxious, are optimistic, resilient and fearless.
This bottommost layer builds the next upper layer of “Personal Ethics”, these are of three types:
Ethics of Care- empathy, care and respect
Ethics of reason- wisdom, experience and prudence
Ethics of obedience - follow compliance and law
These personal ethics giving rise to individual behaviors which lead to different interpretations of risks.
The risk culture within the organization is a combination of individual behaviors and “organizational culture”. In the organization, two types of people are found, some people are “people focused” while
others are “task focused”. This is broadly clubbed into two categories of sociability and solidarity.
Sociability- people focus, get well with people
Solidarity- task focus empathy, care and respect
Four categories of people may finally be observed who require different treatment when building the risk culture as they are good in certain areas while requiring development in other areas. These four categories are:
Networked - high on people, low on task
Communal - high on people, high on task
Mercenary - low on people, high on task
Fragmented - low on people, low on task
It has been found that strong sociability people are good in working across the organizational boundaries; they can be really helpful in ensuring risk mitigation plans are acted upon. Similarly, networked culture people are good for participation in the workshop model while mercenary culture is good for regular reporting and risk information may be implemented successfully. However, the organization should improve both sociability and solidarity for effective implementation of risk management.
Changing the Risk Culture
Changing the risk culture of the organization requires a clear understanding of current culture and target culture, this activity should be taken as change management programme with proper involvement of the board, along with project with set objectives and target dates. Following activities may be taken up to improve the risk culture:
Improvement in risk education
Risk education starting from early days in college in BBA, Commerce, Economics, MBA, develop ‘what if” thinking
Corporate focus on risk certifications
CRO/Head of Risks: Minimum Risk Qualification like other specialist roles
Development of risk behaviour
Salary component linked to risk mitigation
CEO and senior management – high variable component based on risk mitigation and risk based decision
Change in risk attitude
HR recruitment process must include risk management understanding
To be looked into at the time of recruitment for all recruitments
We have to be patient when instituting risk culture in the organisation, as change is a slow process. Most of the corporate development in India is very new, hence it lacks the culture of “what if”. To improve the risk culture in the company, the ABC model is useful in understanding the current spectrum of people. Risk education, importance of risk in KRA and focusing on risk attitude in recruitment process will help bring about a culture of risk management in organistons.
About the author:
Sonjai Kumar, CMIRM, Vice President (Business Risk), Aviva India Life Insurance & Ambassador of Institute of Risk Management, London in India.