Risk management in Etablissement Kazoza et Compagnie-Rwanda
par NOHELI Sam
Kabale University-Rep of Uganda - Masters 2011
Risk management consultants play a key role in helping companies prevent fraud by installing an effective and vibrant risk culture in companies. A healthy risk culture gives employees a stake in risk management. Employees' basic principles, values, and attitudes as well as their understanding of how to deal with risk shape a company's risk culture.
An appropriate risk culture is necessary for corporate risk management procedures to work effectively. The compliance requires that employees directly involved in internal controls be fully aware of risks. For the company's internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top the ethical atmosphere that the organisation's leadership creates is fundamental. But exemplary leadership does not automatically lead to an effective risk culture, nor does it guarantee a properly functioning internal control system.
Shaping risk culture
Annual reports typically convey the impression that companies have implemented effective risk management procedures. But risk culture is often neglected as an integral part of corporate risk management. E. Schein (1984) developed a model of corporate culture whereby, three elements determine the risk culture of an enterprise: Basic assumptions, values, and artifacts and creations.
Basic assumptions are the foundation of corporate culture. They are the invisible matters of organisational and environmental relations that are commonly taken for granted. Employees' perceptions, thoughts, and feelings about risks shape a company's risk culture.
Values determine employees' moral and behavioural standards. Principles, unwritten guidelines, and taboos that employees respect come from these values. Often these values are only partially visible from employees' outward conduct.
Artifacts and creations are the tangible components of a company's risk management system. They include a risk manual, a risk manager, risk committee, published risk principles and guidelines, an IT-based risk reporting system, and a printed risk report included in the annual report as well as employee risk workshops. Such items are clearly visible and allow risk managers to understand the existing risk culture of an enterprise. The presence or absence of artifacts and creations enable managers to evaluate and shape the company's risk culture.
According to O. Bungartz,( 2010), a plan for shaping risk culture in an enterprise should contain four steps; creating a team to lead the process, evaluating the existing risk culture, determining what the desired risk culture should look like and devising and implementing an action plan to build the new risk culture.
Create a risk culture team
Management should appoint a person independent of the enterprise (possibly an external risk management consultant) to lead the risk culture team. Members can include not only top management and the risk-controlling department, but also board members and internal/ external auditors.
Evaluate the Existing Culture
Ultimately, employees should diagnose their company's risk culture free of external forces imposing views on them. However, the members of the risk culture team should be responsible for discovering the employees' views on the existing risk culture and what it should become.
The team should speak with all company employees so the entire staff is sensitised to the risk-culture topic. Standardised and anonymous questionnaires usually elicit more honest responses to questions about the «risk appetite» of the company. The independent coordinator and the members of the risk-culture team should prepare an analysis workshop for selected upper management and cultural leaders to help uncover the invisible basic assumptions that are fundamental to the enterprise's values. In addition to the analysis workshop, the risk culture team should individually interview each member of top management to promote high interactivity and frankness. These interviews prompt senior managers to think deeply about the range of possibilities for shaping a new risk culture. The members of the risk culture team then conduct a critical review of the existing culture based on the results of the enterprise-wide survey, the analysis workshop, and the individual interviews (Oliver Bungartz, 2010).
Determine Desired Risk Culture
The profile of the target culture will be based on the same factors that were used to evaluate the existing culture. Reorientation of the company culture is possible only if there is a compelling reason and a shared understanding of the need for cultural change among managers and employees. The foremost goal of cultural reorientation is to sensitise every employee to the necessity of conscious handling of corporate risks (Oliver Bungartz, 2010).
The fourth step in the risk culture programme is the formulation of an actionable plan to realise the new cultural vision. Senior management is responsible for implementing and monitoring this plan. New orientation patterns are accompanied by new signals and formats as well as an update of artifacts and creations. Securing «buy in» from employees is crucial to the success of the action plan. They must know their input was instrumental in creating new policies and that their continued involvement is essential. Transparency and communication are key to making this happen. All employees must understand that they each have a continuing role to play. Management should reward risk sensitive behaviour that helps build the target culture and dissuades unethical behaviour. Once the action plan begins to initiate cultural change in the enterprise, it is common to see unanticipated consequences. Erroneous trends (such as irritated employees or adverse cultural developments) can surface that require monitoring and correction. A new risk culture is vulnerable to undesired changes. Management must therefore continuously observe and evaluate newly implemented risk-culture measures. The figure overleaf summarises the factors and effects of an appropriate risk culture (Oliver Bungartz, 2010).