The collapse of Enron and other corporate scandals in the early 2000s and ever since demonstrate how imprudent company cultures can lead to unethical practices and outright fraud. The more recent implosion of Lehman Brothers showed how a culture of risk-taking permeated financial institutions and precipitated the global financial meltdown. A healthy risk culture gives employees a stake in risk management. Employees’ basic principles, values, and attitudes – as well as their understanding of how to deal with risk – shape a company’s risk culture. An appropriate risk culture is necessary for corporate risk management procedures to work effectively.
For the company’s internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk awareness frame of mind. The tone at the top – the ethical atmosphere that the organization’s leadership creates – is fundamental. But exemplary leadership does not automatically lead to an effective risk culture, nor does it guarantee a properly functioning internal control system. Values determine employees’ moral and behavioral standards. Principles, unwritten guidelines, and a set of ‘golden rules’ that employees respect come from these values. A risk awareness culture is collectively promoting a shared sense of values, ideas, and goals that is unified to take actions to reduce and mitigate opportunities for unfavorable events to occur that impact an organization’s ability to meet its purpose. An objective could be to put people in charge of their own risks and the role of the organization to be one of providing tools to help them identify, manage, and monitor their risks — not to manage directly the risks for them. Aligning people and risk appetites across the organization can be a challenging task.