ABSTRACT

This chapter brings attention to the importance of corporate values and concrete leadership enactment of those values as a necessary condition for effective risk management outcomes. The content is based on practice-based research experiences supported by relevant literature on risk governance and values-based management complemented with insights from case analyses and empirical studies. The chapter explains why formal risk management approaches have limitations and outlines how the presence of official policies and codes of conduct is insufficient to deal with dynamic and complex high-impact situations where strong core values heeded by the corporate leadership, in contrast, lead the way to better risk behaviors throughout the organization. Major disasters in British Petroleum over the past decade illustrate how a formal code of conduct failed to do the job when the leadership in reality gave first priority to profits at the expense of the stated environmental values. The prioritized code of the US Coast Guard is used to illustrate the circumstances where core values support effective crisis, disaster and risk management outcomes. The findings go against conventional wisdom of imposing tighter rules and regulations with formal controls as a panacea to cope with major disasters and show why simpler means of guiding core values combined with delegation of responsibility to act under unexpected conditions is important in both private and public enterprise.

Major crises have regularly affected highly reputed business enterprises and public institutions over the past decades with significant negative impacts on value creation and social welfare. Many of these events seemingly happened without ill-intended human interventions and despite seemingly good governance practices, executive intents and managerial efforts. However, these cases often display a striking discrepancy between what executives thought, and said, was being done and what actually took place within the organization as business activities were carried out in practice. To remind ourselves we can just think of Lehman Brothers during the financial crisis and British Petroleum (BP) in the Mexican Gulf. 2 Lehman Brothers had excellent risk management capabilities but the board still accepted higher exposures to the market for subprime loans. BP had a clear code of conduct emphasizing safety and environment as prime concerns but still pushed the organization into risky drilling ventures. These crises were caused by a diversity of factors ranging from lack of oversight and excessive risk-taking to the impacts of operational hazards and external economic phenomena. Yet, as a typical trait across incidents there was a shortage of behavioral guidance and core values, or if they were in place, they were somehow not respected or adhered to when push came to shove. In short, the organizations were exposed to poor risk governance and leadership practices that beg the questions why such events happen time and again, and what top managers and directors can do to safeguard against these kinds of devastating outcomes.

More often than not the response to major crises and reported scandals has been to impose more regulation, tighter rules, increased scrutiny and more detailed reporting to enforce compliance such as the imposition of the Sarbanes–Oxley Act in 2002. However, there is little evidence to show that these approaches actually advanced the cause they were intended to support. At best we see no effect from intensified monitoring and tighter controls and at worst it increases the burden of bureaucracy and kills creative efforts devoted to search for better responses to unexpected conditions. Instead we suggest that good risk management behaviors derive from relatively mundane but essential and fairly costless leadership traits. We find it is important that essential core values are instituted and followed by the top executives both in spirit and in terms of specific actions because the example of good leadership decisions inspires people in the organization to follow the lead. It might be necessary to express the core values in words displayed in a formal code of conduct in general view for everybody, but it is insufficient to formalize the principles in glossy policy documents. The values and the principles behind the codes and core values must be enacted from the highest level of the organization through executive deeds and concrete actions.

If the leaders in charge pay lip service to the core values of the organization and make decisions without any regard for them, or apply incentives that contravene these values, then people working in the organization cannot be expected to adhere to the underlying principles either. Good risk behaviors derive from good leadership conduct as practiced by the top executives, and by extension, by the managers that operate at all levels of the organization leading the daily execution of business activities. Investing in extensive risk management systems without supportive leadership in spirit and action can be a waste of money and effort and may become an excuse for inactive leadership. Sometimes poor leadership traits derive from engrained behaviors embedded in the way organizational members think and act as implanted by generally accepted conduct over prolonged periods of time, which is often referred to as the corporate culture. In particular, executives that gained most of their managerial experience in a single organization with the same contextual background should be cognizant of this phenomenon, but we all are prone to it.

Since corporate cultures to a large extent are established, influenced and subsequently changed by the executive echelons, it may take a strong and diverse board to identify such traits and actively engage to have them instituted across the organization in a proactive and effective manner. Humans, and thereby also executives, are exposed to particular perceptions and views of the world that derive from their own personal experiences, and hence it is sound practice to involve people with diverse backgrounds and experiences in major decisions about complex strategic issues and potential disaster scenarios. That is, good risk management practices entail attentiveness and engagement at all levels of the organization with open and honest communication about what may turn out to be early warning signals revealing emergent risks and potential opportunities.

Every streak of risk events seems to stir an urge towards legislative, regulatory and corporate governance initiatives with the intent of restraining similar events from ever happening again by imposing more elaborate and comprehensive restrictions. While well intended, this can unfortunately lead us into a false belief about our ability to control human behaviors in highly dynamic and complex environments. It also displays the human shortcoming of not being able to see low-probability high-impact events in advance while seeing too many shadows pointing in that same direction after a major event has occurred. This bias often results in the futile exercise of “closing the barn door after the horse has left,” and closing it with a slam. But doing things too late does not help, no matter how hard they are done. A better response might be to try to understand how the adverse situations arose in the first place and then learn from the mistakes.

In the early 2000s we saw a number of corporate scandals caused by executive misbehavior in some cases bordering on fraudulent actions including corporations like Enron, Global Crossing, WorldCom and Tyco where executives purposely misreported for personal gains. The Sarbanes–Oxley (SOX) legislation was a direct outgrowth of these events and imposed new reporting demands on US-listed firms while holding executives personally responsible. These requirements would encourage top managers to engage in stringent compliance exercises hiring external consulting outfits to implement state-of-the-art control systems and demonstrate that best efforts had been made. However, this inadvertently promotes a protective and defensive behavior, where the exercise has more concern for covering one’s behind rather than ensuring the organization is more alert, engaged, responsive and on its toes to deal with the unexpected that always will arise along the way. To little surprise then, we saw that a SOX-compliant super-bank, Société Générale, was able to lose close to €5 billion in January 2008 due to an individual so-called rogue trader, Jérôme Kerviel. 3 During the evolving financial market crisis in 2008, we saw other compliant financial institutions budge due to reckless risk-taking pursued by dominant executives condoned by their boards in established companies like Bear Stearns 4 and Lehman Brothers. 5 In these cases, the shareholders lost most if not all of their invested money, while the executives continued to rake in their sizeable bonuses.

Other events are more subtle in nature and not necessarily ill-intended, although the disastrous consequences often will be the same. Two examples from the United States National Aeronautics and Space Administration (NASA) organization include the Columbia and Challenger disasters, both caused by systemic internal priorities arising from an institutional environment of budget controls and an accounting culture that gradually induced decision-makers to ignore the potential for major disasters (Vaughan, 2005). In the corporate sector some comparable examples may include the major explosions at the Texas City refinery and the Deepwater Horizon platform operated by BP in the Mexican Gulf. While the corporate governance practices at BP for all intents and purposes appeared to be perfect and run by the book, it was still possible for the company to incur two major industrial disasters within a relatively short period of time despite corrective changes in the executive management team. This pinpoints a number of challenges, such as: how to establish an effective culture of risk awareness throughout the organization; how to ensure that risk is handled by all organizational members in accordance with the corporate aims; how to motivate employees to act as effective risk managers; and how executives and directors can engage to ensure better risk leadership.

We believe an important part of the answer to these essential questions lies in the leadership approach taken by the executive team and the directors that oversee it. It is not a question of control and compliance, which represents a false sense of security in dynamic, complex and unpredictable environmental settings. The issue rather becomes how to ensure that early warning signals identified throughout the organization are communicated, probed, and interpreted in a timely and proactive manner, so the corporate executives are in a better position to deal with the unexpected event that can lead to crisis and disaster. This requires clear moral standards and prioritized core values imposed on the organization and enforced through executive example. It further demands delegation of authority where local managers and employees in general can act knowing that their superiors support them and trust their ability to respond properly while they are accountable for actions taken or not taken.