Risk, both known and unknown, actual and potential, keeps many CEOs, corporate directors and general counsel up at night. Sustainability issues from environmental, health and safety, human rights or indigenous rights can present critical risks affecting the future of a mining project. Responding to these issues, a key question for the CEO must be: What can I do to create resilience in my company and effectively manage risk at the strategic level?
The answer to this question necessitates an appreciation and understanding of corporate risk culture, where it is within your organization and where it needs to go. Senior management is the place where an appropriate risk culture suited to the company’s goals, objectives and risk appetite can originate and be cultivated. It is also the best potential driver of a strong risk culture, embedded throughout the organization, that aligns actual conduct and behaviour with governance expectations.
Non-financial risks may give rise to strategic failures, operational failures, financial failures, market disruptions, environmental disasters and regulatory violations that seriously affect reputation and financial performance. New and emerging risks such as sustainability, climate change, human rights, cyber security and the internet of things require a proactive rather than reactive approach. From a strategic perspective, senior management can promote a culture of risk that anticipates and addresses such risks before they materialize. This necessitates a culture of risk intelligence, beyond mere compliance.
True intelligence in risk management necessitates a dynamic and flexible approach, with the ability to identify at an early stage risks that may not have been foreseen in the development of the current risk management system. To achieve this intelligent, forward-looking approach to risk management, there must be a culture of risk management and full utilization of the talent, reach and technology of the organization to anticipate and mitigate risks proactively rather than reactively. At its root, this necessitates a strategic role for senior management to inculcate a culture of risk management and drive an understanding of the company’s risk appetite and approach to risk management.
Effective risk management necessitates consistency between corporate risk culture and employee behaviour, which embodies corporate conduct. Where corporate conduct deviates from risk culture, it creates conduct risk that can manifest in fines, penalties, loss of reputation and the fees associated with remediation or litigation. Alignment of actual conduct (of individual personnel or agents of the company and the company itself) with risk management expectations is necessary to mitigate conduct risk. This alignment must be driven by an embedded risk culture, relentlessly reinforced at the highest levels of the company. In the field of sustainability it is most critical that the way the company, its personnel and agents actually act lines up with the risk culture and objectives of the company.
Put simply, risk culture is “how we do things around here”. Culture embeds the risk appetite and approach of the company throughout the organization. A strong culture allows for a clear sense of purpose with every employee, wherever located or in whichever business line, knowing what the organization stands for and being capable of withstanding internal and external pressures.
Far from simply management theory, risk culture can be part of legal and regulatory risk compliance and enforcement. Regulators want to see companies and their leadership going beyond simply a “tick the box” approach to compliance. These regulators may examine and consider the existence of a “culture of compliance” within an organization, along with other considerations like resourcing of the compliance function, effective risk assessment, auditing and competence of compliance personnel, in assessing legal compliance or in enforcement action.
Leading sustainability standards, which can be a requirement for financing, also adopt management approaches that are implemented through a strong risk culture. Ongoing monitoring by financiers of a sustainability action plan may involve understanding of how risk culture is affecting the risks associated with the project.
Senior management is ideally situated to drive a strong risk culture through the company – with the end result of improved risk management results. This requires knowledge of risk management strategy and embedding and reinforcing that strategy through relentless communication, role modelling, tone setting and alignment of incentives and disincentives with risk objectives. Coupled with an effective strategy for intelligent risk management, companies can anticipate rather than simply react to risk. Alignment of behaviour with risk objectives will also allow for the mitigation of conduct, ethical and compliance risk that flows from a weak risk culture.
Michael Torrance is a lawyer with Norton Rose Fulbright, Toronto.