7/12/2015

Managing the people side of risk | McKinsey & Company
Managing the people side of risk
Companies can create a powerful risk culture without turning the organization upside down.
May 2013 | by Alexis Krivkovich and Cindy Levy

Most executives take managing risk quite seriously, the better to avoid the kinds of
crises that can destroy value, ruin reputations, and even bring a company down.
Especially in the wake of the global financial crisis, many have strived to put in place
more thorough risk-related processes and oversight structures in order to detect and
correct fraud, safety breaches, operational errors, and overleveraging long before they
become full-blown disasters.

Yet processes and oversight structures, albeit essential, are only part of the story. Some
organizations have found that crises can continue to emerge when they neglect to
manage the frontline attitudes and behaviors that are their first line of defense against
risk. This so-called risk culture is the milieu within which the human decisions that
govern the day-to-day activities of every organization are made; even decisions that are
small and seemingly innocuous can be critical. Having a strong risk culture does not
necessarily mean taking less risk. Companies with the most effective risk cultures might,
in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing
in organic growth. Those with an ineffective risk culture might be taking too little.

Of course, it is unlikely that any program will completely safeguard a company against
unforeseen events or bad actors. But we believe it is possible to create a culture that makes
it harder for an outlier, be it an event or an offender, to put the company at risk. In our
risk-culture-profiling work with 30 global companies, supported by 20 detailed case
studies, we have found that the most effective managers of risk exhibit certain traits,
which enable them to respond quickly, whether by avoiding risks or taking advantage of
them. We have also observed companies that take concrete steps to begin building an
effective risk culture, often starting with data they already have.

Traits of strong risk cultures

The most effective risk managers we have observed act quickly to move risk issues up the
chain of command as they emerge, breaking through rigid governance mechanisms to get
the right experts involved whether or not, for example, they sit on a formal
risk-management committee. They can respond to risk adroitly because they have fostered a
culture that acknowledges risks for what they are, for better or for worse; they have
encouraged transparency, making early signs of unexpected events more visible; and they
have reinforced respect for internal controls, both in designing them and in adhering to
them.

Acknowledging risk

It takes a certain confidence among managers to acknowledge risks. Doing so,
especially to the point of discussing them internally, as well as with shareholders or even
regulators, requires that managers rely on their own policies and procedures to work
through issues that could lead to crisis, embarrassment, or loss.

The cultural differences between companies that acknowledge risk and those that do not
are quite stark. Consider, for example, two global financial institutions that take similar
risks and share a similar appetite for risk. The first has built a culture, at all levels of the
organization, that prizes staying ahead of the trend. This might mean convening a group
of executive peers to discuss issues faced by the entire industry or responding to regulatory
trends early, for example, on capital and liquidity requirements or compensation
practices. The stance it takes is, "If we see it, identify it, and size it, then even if it's
horrible, we'll be able to manage it." Where risks cannot be sized, they are at least
discussed in qualitative terms. The institution's candor and its plans to rectify cultural
issues in response to a number of risk incidents has won it the respect of regulators and
built credibility with investors.

The second institution, in contrast, has a reactive and back-footed culture, one focused
more on staying out of trouble, ensuring regulatory compliance, and making sure all the
boxes are ticked. Its managers are generally content to move with the pack on risk issues,
preferring to wait for regulatory criticism or reprimand before upgrading subpar practices.
They are afraid of knowing what they don't know, and they fear the reaction of the board,
regulators, and investors. Many would rather ignore undesirable behaviors because they
don't know how to manage them and because managing them would demand time and
might affect their cost base. This organization's stance is, "Let's wait until we really need
to deal with these unpleasant things, because they're anomalies that may turn out to be
nothing at all."

A separate institution had such a mindset during the mortgage crisis. Managers did not
trust their own models, which accurately predicted the severity of the issues to come. They
knew that if the models were correct, they would be in more trouble than they knew how
to handle, and so they found it easier to assume that the models were wrong or to hope
that the risk would crest and fall before the models' estimates came true. Whether from
fear or hubris, managers convinced themselves that they were safer than they really were.
Even as the crisis developed, they were confident that they would not experience the
mishaps befalling similar companies. In the end, the company's refusal to acknowledge
and address risk left it far more vulnerable than managers expected, and it was hit
particularly hard.

Encouraging transparency

Managers who are confident that their organizational policies and controls can handle,
and even benefit from, openness about risk are more likely to share the kinds of
information that signal risk events and allow the institution to resolve emerging issues
long before they become crises. This means they spot a risk issue developing and mobilize
the organization to analyze and remedy it, at the board level if needed, and often within a
few working days. In one situation, a division of an energy-services company was
operating a contract in an emerging country in which it had not previously worked.
There, the division discovered employment practices among subcontractors that ran
counter to its own policies and practices. The operating leadership swiftly escalated the
issue to the company's global management board to decide whether specific contractors
were acceptable. It was able to reallocate project tasks among contractors, manage
timeline slippage and the budget, and consequently reduce the company's
employment-practices risk and safeguard project returns.

Companies with a culture that discourages such discussions, as well as those in which
overconfidence leads to denial, are prone to ignoring or failing to recognize risks. In
some cases, employees fear telling the boss bad news because they worry about the
financial downside of slowing commercial progress, they know the boss doesn't want to
hear it, or they fear being blamed. As a result, they alert managers to risks only when
further delay is impossible.

In other cases, companies promote practices that unintentionally reduce transparency
regarding risk. For example, at one global pharmaceutical company, the culture thrives
on competitive teams. Competitiveness is so strong that product-development teams use
subtly different risk classifications so that their respective projects can't be directly
compared. To the teams, it can feel like good management to deal with issues close to
home rather than raise them to higher levels, especially since revealing their true risks
might place them at a disadvantage in the next planning round. For the company,
though, this practice has obscured risks that were identified by one unit but went
unnoticed by others, which continued to make errors that had been resolved elsewhere.

The best cultures actively seek information about and insight into risk by making it
everyone's responsibility to flag potential issues. For example, managers at one global
oil-exploration company explicitly begin every meeting and interaction with a discussion
about safety. Participants know they must be able to make an observation or raise a
concern if called on randomly, which keeps them on the lookout for safety issues at all
times. Most of the issues they raise are minor and easily addressed. But bigger questions
often lead to longer conversations and inquiries from leadership, which clarify the
problem and identify by name those responsible for resolving the issue.

Ensuring respect for risk

Most executives understand the need for controls that alert them to trends and behaviors
they should monitor, the better to mobilize in response to an evolving risk situation. And
while managers are unlikely to approve of skirting the very guidelines and controls they
have put in place, some unintentionally promote situations and behaviors that undermine
them. For example, while too few controls can obviously leave companies in the dark as a
situation builds, too many can be even more problematic. Managers in such cases
mistake more controls for tighter management of risk, though they may be inadvertently
encouraging undesired behaviors. In one large hospital system, managers had
implemented so many guidelines and controls for ward procedures that the staff saw
them as impractical. As a result, they routinely circumvented them, and the culture
became increasingly dismissive of all guidelines, not just the less practical ones, to the
detriment of patients.

Even companies with the right number of controls in place encounter difficulty if
managers do not monitor related trends and behaviors. Companies often unconsciously
celebrate a "beat the system" mindset, rewarding people who create new businesses,
launch projects, or obtain approvals for things others cannot, even if it means working
around control functions in order to get credit lines or capital allocations, for example.

In the best of cases, respect for rules can be a powerful source of competitive advantage. A
global investment company had a comprehensive due-diligence process and sign-off
requirements for investments. Once these requirements were fulfilled, however, the board
was prepared to make large, early investments in asset classes or companies with the
collective support of the senior-executive team, which was ultimately accountable for
performance. Company-wide confidence in proceeding resulted from an exhaustive risk
debate that reduced fear of failure and encouraged greater boldness relative to

competitors. Confidence also stemmed from an appropriately gauged set of risk controls
and an understanding that if these controls were followed, failure would not be regarded
as a matter of poor decision making.

Building an effective risk culture

Companies that want to reshape their risk culture should be aware that patience and
tenacity are crucial. Changing the operating environment of a large organization takes at
least two to three years, as individuals come up against specific processes, such as policy
decisions, project approvals, or even personnel reviews, that have changed in line with
new risk-culture principles. In our observation, companies wrestle with two challenges:
building consensus among senior executives and sustaining vigilance over time.

Finding consensus on culture

Improving a company's risk culture is a group exercise. No one executive, or even a
dozen, can sufficiently address the challenge. In most global organizations, CEOs and
CFOs who want to initiate the process must build a broad consensus among the
company's top 50 or 60 leaders about the current culture's weaknesses. Then they must
agree on and clearly define the kind of culture they want to build. This is no small task,
typically requiring agreement on four or five core statements of values about the desired
culture that imply clear process changes. For example, in one organization, managers
often adopted new products or took on new customers without considering whether the
company's infrastructure could support them. Often, it could not; this ran up costs and
created huge operational risks. When leaders gathered to define the risk culture they
wanted to see, one of their statements was, "We will always understand the infrastructure
implications of the risk decisions we make."

The consequence of committing to such statements is that the company will need to
change the way it approves activities, whether those are transactions at banks, capital
projects in heavy industry, or even surgical procedures at hospitals. It cannot let them
proceed if the risk infrastructure does not support them, and business-unit COOs must be
held accountable for risk events related to infrastructure in their areas. To make
aspirations for the culture operational, managers must translate them into as many as 20
specific process changes around the organization, deliberately intervening where it will
make a difference in order to signal the right behavior. In some companies, this has
meant changing the way governance committees function or modifying people processes,
such as training, compensation, and accountability. And while fine-tuning some of these
areas may take a fair number of cycles, even a few symbolic changes in the first cycle can
have a profound impact on the culture.

For example, in one global organization, a simple announcement that certain
risk-related data would be incorporated into one round of promotions radiated through the
organization almost overnight, encouraging some behaviors and discouraging others. In
the next round of promotions, managers created reports using the data so that every staff
member had tangible risk indicators next to his or her name. At that point, the new
approach to risk started to become part of the infrastructure, sending loud signals to the
organization about what would be celebrated and what would not. Although these were
big changes, they were accomplished without turning the organization upside down.

Sustaining vigilance

Since cultures are dynamic by definition, sustaining the right attitudes and behaviors over
time requires continuing effort. An ongoing risk committee might start off by keeping on
top of key issues but become stale and mechanical as people lose energy over time. Or a
discontinuity (new leadership or a new set of market pressures, for instance) could send
the culture in a different direction. To monitor for such shifts and make sure things
continue moving in the right direction, managers at one pharmaceutical company
conduct spot checks every year on employee attitudes and minor risk infractions.

The responsibility for maintaining the new risk culture extends to boards of directors,
which should demand periodic reviews of the overall company and individual businesses
to identify areas that merit a deeper look. This need not be complicated. Indeed, most
companies can aggregate existing data: a people survey, which most companies conduct,
can provide one set of indicators; a summary of operational incidents, information on
financial performance, and even customer complaints can also be useful. Combined,
these data could be displayed in a dashboard of indicators relevant to the company's
desired risk culture and values. Such a review process should become part of the annual
risk strategy on which the board signs off.

Obviously, a shortage of risk consciousness will lead to trouble. But it is all too easy to
assume that a thorough set of risk-related processes and oversight structures is sufficient
to avert a crisis. Companies cannot assume that a healthy risk culture will be a natural
result. Rather, leadership teams must tackle risk culture just as thoroughly as any
business problem, demanding evidence about the underlying attitudes that pervade
day-to-day risk decisions.

About the authors

Alexis Krivkovich is a partner in McKinsey's San Francisco office, and Cindy Levy is a partner in the
London office.


http://www.mckinsey.com/insights/risk_management/managing_the_people_side_of_risk
