A path to good culture

In this piece from The Risk Universe magazine archives, guest columnist Chris Smerald looks at how an operational risk event can be leveraged for positive change.

Traditionally, operational risk management is focused on minimising the chance of loss from failed processes, systems, people and external events, so there should be little upside, right? But it’s an ill wind that blows nobody any good, so what is the good that operational risk events bring? The obvious (but difficult to achieve) answer is an enhanced understanding of how the financial world really works and an increased capability to act on this knowledge. We need to focus on surviving and minimising operational risk events, while aiming for something much more – better appreciation and management of business complexities.

This is hard to do well. One must understand how improvement efforts link to risk reduction, what complexity is and how it can be tackled, as well as how to underpin everything with a good risk culture, since most complexities cannot be resolved in isolation.


There is a helpful wine analogy here. A wine is judged first for its lack of negative qualities before being judged on its virtues; increasing a wine’s virtues will generally reduce its negative qualities, so if your goal is excellence, you will enhance your effectiveness by thinking about positives that reduce negatives (killing two crows with one stone while throwing the stone out of the field) and not just the negatives.

A winemaker who takes seriously what the critics say will surely put pressure on known problem processes or individuals. But he will also focus everyone on getting the basics right and alerting him to problems, reinforcing mutual watchfulness over each other’s activities and making his whole team more alert and proactive in identifying and communicating changing environmental conditions. He will ask everyone to work together to find obvious and subtle means of enhancing aroma and body. He makes sure they all know the goal: a better, more consistent product, delicious and hassle free.

Thus, an adequate operational risk culture should avoid or minimise foreseeable and catastrophic losses, but a great operational risk culture will focus on achieving excellence that minimises problems. All pursued through increased attentiveness, good communication and teamwork – in a “watched space” (where everyone knows that everyone else is paying attention to their mutual dependencies and performance). Everything should be tied to favourable business outcomes: a reliable, tasty stakeholder experience.


As an example, suppose you manage insurance policy issuance timelines to avoid the risk of backlog build-up, and you notice backlogs building up. At the same time, you hear news of a major shakeup at a key broker and find their service slipping. Next, a customer complains about a delay that was not your fault. Is your best course of action to push harder on the errant broker (and other brokers generally) to get your average timeline down?

That might be adequate, but the best outcome would arise from a team discussion combining intelligence and tactics from multiple areas. Captured and remembered facts might lead you to leverage this event to set a strategy to strengthen your relationship directly with your customers: candidly sharing the issues and your approach, rather than a one-off assurance: “All will be completed by the thirty-first, sorry.” You might also use the event to leverage better service or lower commissions, or find a way to oversee broker-owned steps previously unmonitored. You might even take over certain broker functions so as to have an overall safer process.

More importantly, a culture of noticing, sharing and resolving other information might lead you to notice the writing on the wall: that poor broker service will send business away and do permanent damage to your business model – leading you to start planning direct marketing strategies or strategic partner discussions. These actions might possibly happen without a good operational risk culture; with one in place they would probably happen, and they would happen more effectively.

This helps explain why operational risks and culture are so important. It is hard to learn from something that is going well and sometimes someone else’s problem makes you see something in your own world you missed!


Complexity (in the social complexity theory sense) is the key to why a good operational risk culture is so important, but complexity is complex to explain. It is philosophy more than science, so without conversation and examples, it is extremely hard to get one’s head round. That is why I am using a narrative with story examples and metaphors. These are the language of complexity. Complexity is why learning is easier said than done.

As all aspects of business have operational risk attached, completely controlling operational risks means controlling “everything” and companies know they cannot manage this fully. Instead, risk management focuses on simplified labels or summary analysis – like risk registers and RCSA processes which are “representations or compressions”. Firms manage with extreme prejudice the things they can control, but risk over-management can be counter-productive by diverting resource from more productive activity or even setting an organisation up for conflict. A control obsessed risk culture can destroy value just as a success focused one can create it.


Thus, with great difficulty, firms prioritise their risks, but this leaves gaps that real events can easily wriggle through or creates weak spots that are exploited in chain reactions. We need to understand business complexities better and deal with them more effectively. We need to appreciate better the things that manage to wriggle or burst out, and learn how to react to evolving circumstances – in addition to building robust controls. Understanding and managing “wrigglers” takes teamwork and experience. We can learn to be good risk herders.

You cannot stop all risk, but you can help ensure it escapes in directions that minimise adverse outcomes or support positive ones. Not lone cowboys, but teams of cowboys: independent thinkers heading off the stampede or gently guiding their charges in their own quarter of the herd while reinforcing the efforts of their fellows in the other quarters. Later they sit by the campfire sharing stories that add to group wisdom with insights about conditions or the mood swings and history of their charges, or re-enacting a let-down or successful reinforcement, or discussing a possible opportunity the next day.

In a similar way, embedding a good risk culture will translate into business savvy and innovation as well as lower operational risk losses. It is part of complexity management. Complexities can only be dealt with dynamically, with good listening, independent thinking, good communication, good dialogue and teamwork. We need libraries of past stories of events and their treatment successes and failures to learn from, and people to help interpret them for current conditions. We need vigilance, especially as some relationships may lie hidden until a rattler strikes. The things that can only be appreciated through a team need a team and, without practice or teamwork, there is none. We need excuses and opportunities to discuss real things and let team feedback happen. This fosters learning and strategising and helps a group keep “on task” both the overly ambitious doers and the slackers in a rapidly changing environment. This needs a relaxed space, a campfire or a relaxed meeting room.

Why is it so hard to engineer a good operational risk culture? While there seems to be general agreement on qualities a good risk culture should strive for, such as “increasing risk awareness and communication, embedding risk management considerations into business decision making, and preventing unethical behaviour,” there is little written about how to create one. This is perhaps because authors shy away from being prescriptive, as organisations are extremely complicated and risk management approaches differ widely. It is easy to think in terms of outcomes and features of a completed system, but that is not the same as building one, and every one will be different. It is impossible to provide blueprints. No one seems to have written about how to grow one from scratch: a complex snowflake from a single seed, unique, but following rules and principles that start simply and apply generally. Snowflakes are unique, but recognisable as such. I think effective risk cultures may grow and present similarly.


I am fortunate enough to have a seed example for you to learn from which, like most complex understandings, benefits from being conveyed as a story. Ironically, our successful operational risk culture emerged like most serious operational risk events: in a high-risk area, the thing you feared could happen happens, despite your best preventative measures, then has broad repercussions that you could not have predicted. But later, when you analyse it all, you realise that some of it was inevitable and the rest luck, and that all along you collectively understood more than you gave yourself credit for. If only you knew how to pool your knowledge effectively. It sometimes just wants the right pressures and saturated conditions.

One would certainly expect that a difficult conversation might occur with one’s insurance supervisor, but we felt fairly confident we had a good tale to tell. We had very able management and staff; good processes and internal controls (verified externally); and good internal communication. Yes, formal risk management terminology and processes were new to us, but we were following the guidance of consultants and we were confident in their advice. We followed diligently the received wisdom of risk and control self-assessment (RCSA) processes, with a risk register of top risks and their potential impact and consideration for the effectiveness of controls, resulting in an assessed level of residual risk. We quickly produced all sorts of risk register elements and measurements, but we greatly struggled with getting our heads around how all this work was practically helpful. It felt unnatural to management and “the business”. We were not sure how it added value, but were hopeful it would satisfy the regulator. Now let’s roll forward to our regular supervisory meeting whose agenda is abbreviated below:

FSA Meeting October 3rd 2006 at 2pm room 5:1

Agenda: – Update 2006 performance; – Expectations for 2007; – Risk Management – Operational Risk.

We “owned” the first two agenda items and confidently dove into the third, then struggled. At one point, the then-FSA made their frustration clear: “What we are trying to understand is how your people know that they are within appetite.” To which we replied: “We can see your difficulty in grasping the degree of controls – particularly to the level of confidence required and we will continue to pursue additional levels of analysis, but we do not want to lose sight or focus on our business.”

Clear language from the FSA, stilted language from us. Our well-prepared-for meeting ended with a lingering frustration on both sides. We both knew we had an excellent operation and we were diligently trying to meet risk management expectations, but the FSA knew we did not really understand what they needed to see and that we had an immature view of operational risk. Later in our internal debrief, I was asked, as the actuary, to develop a more “logical” response in time for our next meeting and thus began the journey and my love affair with the illogical wiles of operational risk management.

So how did this lead to a good risk culture when we just wanted to explain our risk appetite? A simple question can lead you further than all the papers on the internet, as we soon learned:


It is a question that grows into and feeds other good risk management questions. As someone used to studying problems, I began by reading many hundreds of pages of risk management papers, but found nothing useful. Risk appetite and risk management discussions were generally abstract with few practical details (and no data or formulae). So I tried a different tack, asking the managers and supervisors of the front and back offices how they could track that things were in control (ditching the troublesome appetite word for the moment), but with limited success.

Feeling at a loss, I researched their procedure guides and helped them get started with “straw man” examples of what I thought might be reasonable responses: a straw man of issues they might have, with objective thresholds beyond which a problem might be indicated. Suddenly, I got through. People started thinking in terms of their current concerns, documented procedures and controls, and reports that they already gave to management, but in a more outcome-focused way. Information, not just data. They willingly (most of them) refined and expanded the issues lists and the objective measures.

We aimed to keep it concise, with a preference for reports and data readily available, to avoid making things burdensome. Because they had a say in setting the “appetite”, there was buy-in, and to cement things we gave them ownership of amendments, subject to risk-management input. We built a simple system to get them to report on “breaches” of their appetite. They had to report at least monthly on “breaches” or certify there were none. They knew internal audit could now challenge them. Others could report on their issues and cause discomfort. They could now communicate objectively and regularly, and had a voice.

A voice. If something, or another department, affected their area, they had an objective standard to help them judge its impact. Simplicity and alignment with what they were already doing meant they were not diverted from the core purpose they were driving towards. If something unexpected happened, they could report a new “all other” breach and invent a threshold and priority on the spot. When you use your car’s cruise control well, you become a fixed point and can better appreciate the subtleties of other cars’ movements. This is where risk awareness was amplified from internalised business savvy to something more perceptive and externally shared. That was “day 1” in the first flushes of an operational risk culture.


Then the transformation continued, and subtle “day 2” effects began to manifest. There was a defusing of tensions between areas, as the metric was the “bad guy,” not the area raising a dependency-related issue. People “got their eye in.” They started noticing things they had previously been blinded to by familiarity. They started seeing connections between their area and others. They started noticing environmental threats and “near misses.”

“Day 3” effects began. Management started getting an appreciation of all the large and small business issues and could have more confidence that things were in control or in appetite. Management had their own self-created monitoring and could start to see how upstream smaller issues could impact their own or how market events were affecting everyone.

“Day 4” effects began: things we were doing on consultant advice began to make sense. We saw the RCSA process as something more like a useful mini scenario analysis rather than a direct management tool. It was by tying actual granular appetite events to our RCSA elements that our scenarios stayed fresh and relevant.

At this point we started to use risk profiling to help us know if we had missed anything the industry was experiencing or were worrying about the right risks. External views began to be part of our internal view. We had a very strong externally recognised risk culture at this point. We heard from our supervisor that our approach was “unique, innovative and progressive.”


Masses of data began to be captured. The linking of natural-language bottom-up issues with management issues now allowed better conversations in all directions: bottom-up, top-down and in-between. The risk appetite monitoring, being based on key business concerns, became directly useful, with pressure to improve. This made peripheral conversations even more useful, also putting pressure on whole-process improvements. Traditional operational risk management approaches began to make sense, because they now had a business context. Employees and management began to feel empowered and started planning together more for the future.

“Day 5” brought the challenge of success. We needed more risk management staff. Risk management conversations now took more time. We had a lot of data that we were not using (it was more a prompt for good conversations than data we knew what to do with). We imagined all sorts of new risk management activities that we could do. But we were resource constrained. This is what a good operational risk culture looks like. So much success that you almost do not know what to do anymore, because you want to do so much. A crossroads. More status quo or less. Each with a cost. We wanted more, so we did some radical thinking. “How can risk thinking be integrated closer to business-as-usual thinking rather than be separate processes? How can we use technology and external views to get more power out of the good internal work we have done? How can we meet regulatory requirements more easily?” This is when an operational risk culture began to really coalesce into a strong business culture.


Here is some advice to those who want to try and emulate this. Building a good risk culture in our case was simple when we kept to the basics and used natural business language, but I forgot to also mention leaders who embrace change and the right facilitators. It was only after we built something business-friendly that the more traditional risk management processes had a useful home. The simple emerged into something complex. Starting complex and trying to make it work in simple cases is a much harder road. In fact, things are complex because they cannot be simplified. So do not impose good risk cultures, but culture them.