Social Capital

Separating the culture of compliance into people and process

If you were given two options, a 2% or 8% improvement in your risk management processes, which would you choose? As with everyone else in any organization, risk managers are expected to deliver more and get more from their current resources. We’re expected to deliver more and better results from what we are using. If given the choice, I would assume that the 8% would be the first choice, yet we seem to settle for the 2%.

The reason for settling for the 2% is because of the perceived tools in our toolbox that are available to get any improvements.  The 2% improvement comes mainly from software changes, and current process evolutions. The 8% comes from tools that are readily available in our toolbox, but we do not see them or recognize them as something we can use. One tool is the ability for risk managers to develop and use social capital as part our day to day activities. By separating the culture of compliance into people and process social capital is the development of goodwill by individuals in their interactions in any corporate setting.  By developing and building social capital, there is a more trusting and engaging relationship with those who you interact with.

Why is this concept important for risk managers? Because it begins to bring the culture of the organization into the risk management process. It may seem like it requires a major change and a potential costly re-organization, but it does not. All that’s needed is a subtle shift, an incremental shift in the right spot to begin moving towards incorporating people and their culture into the risk management systems.

Culture is a significant contributor to improving a risk management system and building trust. To get 8%, the focus needs to be in individual training and coaching however it needs to be done in a trusting environment and social capital goes along way to building that trust. Moving towards the use of social capital moves improvement in the risk management process from 2% closer towards 8%

It should be noted that both options can be used together it’s not one or the other. In fact, both are needed to be used together, social capital improvement can drive process improvements. Using process improvements with social capital will get you more than the 2% process improvement and closer to meeting or exceeding the 8% improvement.

Social Capital is a tool that should not be overlooked by risk managers. Are you using social capital as a tool to help promote the culture of being compliant?

Your thoughts and comments are welcomed.

Trust and Risk Managers

It goes without saying that the integrity of any process is dependent upon the amount of trust everyone has in the process. So, the question I have is; what is the level of trust whether it’s those being supervised or those doing the supervision in any risk management program? I’ve always assumed that as a risk manager, there would be a basic business level of trust in the relationships right from the start as in any relationship. It turns out the research shows when someone is put into a position of  supervising as a risk manager, their level of trust of those they are supervising goes down. A risk manager will have a lower level of trust of those they are supervising right at the start.

This level of trust is an answer to a question I did not know I needed the answer to. I should have asked this question because it would explain certain actions I’ve come across in the past. The actions I’m referring to is an extreme case were the individuals in the risk management department could not be trusted. This risk management department developed a very low level of trust, a very toxic culture towards the rest of the company. Their toxic attitudes became well known in all departments. I learned over time that you should never get a verbal answer because you could never take their word as is, you always needed to get an answer in writing. Even in writing, there was little comfort that this would be the truth over time.  There was an underlying belief that the truth will always be adjusted to fit their beliefs as a risk manager, not the corporate culture or corporate history.

While this is an extreme case, a very limited case, there are elements that I’ve noticed in many risk management departments over the years when trust is involved. In my view, a risk management department must have a focus on the level of trust so that everyone believes in the integrity of the process. Adjusting the truth overtime to satisfy the risk management process does not build trust. Building trust is the corner stone for individuals in any business relationship, we must be willing to have honest and true conversations about any situation, whether it’s a verbal conversation or in writing.  These conversations allow us as risk managers to uncover hidden risks by listening and understanding that not all risks can be identified by a process. While any risk management process provides the three lines of defense, we should also be listening and trying to learn if something has been overlooked. Back to my extreme case of toxic risk management leader. There may have been some listening, however people are unwilling to speak up because they do not believe in the integrity of the department or the process. Remember toxic leaders are in it for themselves, not for the company, not for their department and not for those who are in their department. It’s all about them and their goals and objectives.

Which brings me to the independent audit function in the three lines of defense. Does anyone have a component of any audit team that is geared towards reviewing a risk management department for there effectiveness in relationships, communications, and building trust and integrity for the risk management process? This is important because toxic leadership is an unnecessary expense, destroys cultural trust and therefor hinders the effectiveness of any risk management process.  So, I guess what I’m really asking is; how may audit teams are on the lookout for toxic leadership, specifically in the risk management department and the detrimental effects it has on their respective organizations? 

Perceiving risk managers for their strategic value versus technical expertise

Over the past many years, I’ve come across risk management publications and articles that have questioned the role that risk management plays in many organizations, these publications question the value that risk management can create or preserve. While there are quite a few publications talking about new tools or systems that risk managers can deploy or incorporate to increase effectiveness, very few talks about the strategic value of risk management.

I recently read an article that spoke about this same value add issues in the human resource profession in the early 2000’s. The human resource profession had the same questions about their profession; what value do they bring, what do they have to offer and more importantly, how can they become valuable to the company? Adding value will preserve them from the threatened budget cuts and terminations during economic downturns. After a few years of sole searching and discussions, the human resource profession decided to push for a change in the perception of what they can offer to the corporation. They identified the perception that they are the technical experts on human resources and are only called upon only when needed.  They realized they needed to change this need from being the technical expertise to providing a strategic value. The profession decided to focus on changing the perceptions of human resources from technical experts to strategic partners. By being a strategic partner, human resources can aid in the hiring process, creating successful work teams, and employee training and development. The result is the human resource function is now viewed and used as a strategic partner and is no longer subject to threatened budget cuts.

For risk management, I must ask this question: is this where the risk management profession is today, in the same situation the HR profession was in many years ago? My answer, I’m leaning towards yes. The financial crisis of 2008 and 2009 highlighted the role of risk management as technical experts that were left on the sidelines. Repeatedly risk management was used as a scapegoat, with statements such as why did risk management allowed the financial crisis to occur. They are the technical experts, they should have been able to highlight the risks and prevent or at least minimize the risks. In my view, the risk management profession needs to start promoting the value of risk management as a strategic partner.  The risk management trade organizations and advocacy groups need to create and promote strategies, plans and marketing materials to begin to change the perception of risk management, much the same way the human resources profession did in the early 2000’s.

Transformational Risk Managers

In a previous posting, I described the need for risk managers to become more of a strategic partner for other departments in an organization. The one big obstacle that risk managers will need to overcome is the transactional mindset that is at the heart of risk management. Risk managers have the three lines of defense that are described best as policies and procedures or tools and systems for transactional supervision which leads to a transactional managerial style. In our daily work lives, were running hard to get things done, pushing for the next deadline or due date. This transaction style maintains the status quo and makes it very hard for any transformational changes to take place.

This maintaining of the status quo will prevent risk management from becoming a strategic partner for any organization. To become a strategic partner, risk managers will need to take on a transformational leadership role. Transformational leadership will promote an evolution and exploration of new systems and tools that may alter the status quo rather than maintaining it. An example that I can think of is the loss of private corporate secrets and information. While a loss of information many not have a financial loss today, there may be significant corporate losses in the future that could have been prevented. A transactional manager will deal with the single loss of information and how it could have been prevented. A transformational risk manager would create a project to understand what information across the whole organization should be deemed important, create systems and tools to prevent any additional losses and create an education program for all employees so they understand the importance of privacy and secrecy. The holistic transformational thinking of prevention and education does not happen in an instant, it takes time and training.

Risk Managers need to understand the difference between transactional leadership and transformation leadership. This understanding can be used to make small incremental changes in their day to day business dealings, then overtime, more and more transformational activities can be introduced. While there will always be a need to be a transactional leader, other departments will take notice when there is a perception of transformational leadership. Transformational leaders attract open interaction, dialogue and creativity, yet the most important is developing consultative trust. It’s developing the consultative trust between risk management and the other departments that will lead to becoming a strategic partner in any organization. This transformation to becoming a strategic partner will not happen overnight, it takes time and persistence, yet in the end the benefits will far exceed the effort expended to get there.  

Risk Managers Identifying Destructive Leaders

I overheard a conversation in a coffee shop the other day that made me ask, how close are the traits of inexperience leaders and destructive leaders.

Two people were talking about the company they work for and the risk management program they were subject to. They did mention the name of the company, so I do know that they work for a highly regulated securities company that is subject to a rigorous risk management regime. The basic gist of the conversation was how they and their coworkers have developed strategies and implemented plans to meet their annual risk management obligations. They have on an annual basis a requirement to prep for and pass a risk management quiz, with prep time being done on their own time, outside of their day jobs.  If one answer is incorrect on the quiz, then they must register and take the quiz again.

The strategy they devised to help their group of coworkers is to get one person to complete the quiz (the department know it all), write down the correct answers and then pass them on to everyone else in the department. All they needed to do is to have the answers when they completed the quiz to get a pass on the first attempt. No need to prepare, just complete the quiz with all the correct answers.

Which brings be back to the question, how close are the traits of inexperience leaders and destructive leaders? Based on the tone of the conversation and not having the opportunity to seek clarification, I would assume that there is inexperience at the leadership level in the risk management department. They understand that there is a need for an annual review which is a good idea, however in the execution, this may not be the best positive way to get a positive buy in by everyone. The risk management department can get some honest feedback and maybe change their approach to make it a better and positive experience.

The inexperienced leader can gain experience. They may be viewed as somewhat incompetent at the start, yet through feedback, soliciting suggestions, or seeking outside guidance, they can move along the sliding scale of inexperienced and incompetence to experienced and accomplished. There is a chance however that an inexperienced leader may not move positively along the leadership experience scale. They may decide that they know best, they know what needs to happen and do not seek feedback, or suggestions. They might resort to destructive tactics such as bullying or command and control to get there way. The near term risk management goals can be met however the long-term destructive attitude will erode the effectiveness of any risk management program.

As an example, I do know of a rare situation were a risk manager who moved from being an inexperience leader to a destructive leader. The risk manager has all the technical skills to be in the C suite position and deserved the opportunity to assume the role. However, upon assuming the C suite role and their inexperience, they started to display destructive leadership tendencies rather quickly. In any role as a risk management executive, there will always be questions about a risk management program, this is part of the position and an expectation of the role. For this individual, they took these questions as a direct challenge to their technical knowledge and experience, rather than what they were at face value, fundamental clarifications. These clarifications were the result of updates to the risk management program rolled out to the company. As with any updates, there is a desire to comply which will prompt questions about how to comply. The risk manager viewed these questions as an unwillingness to implement the changes and then resorted to destructive behaviors to enforce the changes. These behaviors included destructive office politics, abusive communications, and even false allegations of unethical behavior on a fellow co-worker. The result is this individual is no longer in the C suite position and may never be able to be a risk manager again. All that technical experience thrown away simply for not understanding that the fundamental role of the C suite position is to provide leadership, complimented with their technical skills.

An inexperienced leader can gain experience through training, and time on the job. They can move from inexperience to experienced over time. In the first example of the coffee shop conversation, the risk manager can learn about the corporate attitude towards the risk management program and adapt. The second example of a destructive leader, a wall is built between themselves and the rest of the corporation. This wall and the toxic environment that’s created will prevent any opportunities to learn, adapt, or gain positive leadership experience.  

In closing, here’s a question; does anyone look at leadership styles as part of their risk management program? Is there any attempt to identify destructive leaders in their organization?