Using financial incentives to drive a culture shift in risk management across all levels of a company.
Legendary investor and Warren Buffett’s late partner Charlie Munger once said, “show me the incentive and I’ll show you the outcome.” In the business world, monetary incentives drive better decisions, behaviors and outcomes—at least in theory. But can all behaviors be incentivized? What about those involving risk?
- Discussions at a recent meeting of NeuGroup for Enterprise Risk Management revealed that, as you might expect, enterprise risk managers themselves are rewarded for achieving goals that include meeting targets around starting, completing and summarizing annual risk assessments. But that’s the relatively low-hanging fruit.
- The biggest challenge for many companies is creating a culture—and compensation structure—where risk awareness and management are prioritized and incentivized at all levels. The few corporates that have achieved a risk culture transformation rely on financial incentives like bonuses for completing mitigation plans addressing high-profile risks flagged by ERM.
- “The way to create interest and appetite for better risk management is to put incentives into the pay structure, which is exactly how we’re doing a risk culture shift,” one member said. “Employees want recognition, but they also want payment.”
Leading by example. Several members highlighted transformative approaches where top leadership’s commitment to risk management catalyzed significant shifts in organizational culture. One described tying bonuses to critical actions, such as implementing two-factor authentication for treasury payments above a threshold.
- This initiative, extended to all executives including business unit CFOs and CAOs, emphasized the importance of proactive risk management. Successes were celebrated company-wide, reinforcing the value of risk mitigation efforts and fostering a culture of vigilance.
- At another member’s company, the CEO’s bonus goals included requiring mitigation plans for what the company considers tier 1 risks. The member acknowledged that there is a level of subjectivity both in identifying the causes of a risk and in measuring how well it has been mitigated. It’s a bit of a “leap of faith,” he said.
Keeping score. At one member company, ERM does a yearly assessment of risk culture by sending out surveys to individuals. The responses are then converted into a risk-culture scorecard for each individual and for the company as a whole. The company’s director of risk management said the most recent edition of the exercise revealed “we are still at the stage of growing to maturity” when it comes to risk.
To tailor the performance criteria according to the roles of individuals in risk management, the company has categorized employees into three groups:
- Management: Performance is evaluated based on their oversight function, specifically in setting the direction and sponsorship for risk management.
- Risk management champions: These individuals are designated representatives within various teams or departments of the company, tasked with driving risk management initiatives including distributing messages from the ERM team. Their performance is measured by the level of communication, initiatives, programs and overall involvement in risk management activities.
- General employees: The rest of the company is evaluated on effectiveness in mitigating risks, with expectations communicated by management or risk management champions.
A plan coming together. Another member said his team also identifies risk champions, who are then mandated to create a risk treatment plan—the term used in the International Organization for Standardization’s risk management guidance for a documented plan that sets out how a specific risk will be addressed.
- “We ensured that each risk champion, including their risk owners and action owners, has their treatment plans specifically built into their quarterly bonus goals,” said the member. Each quarter, “we confirm treatment plan results.” These results are measured against overall company results.
- “So for example, for intellectual property risk, we add in the goals the completion of an external and internal self-assessment, and an improvement road map,” one member said.
- The team can now assess whether business unit margin and growth metrics are met—one way to gauge whether a risk has been mitigated well enough for the business to achieve its growth targets.
- Another way is tying risk mitigation to new products brought to market smoothly. “Product development risk mitigation is incentivized based on the timeliness and cost achievement of a new product introduction,” one member said.
Key to success: A well-planned strategy. Incentivizing risk leaders is a crucial component of building a risk-aware culture, but not all companies within the ERM group have a specific structure—and even for those who do, it still seems to be a work in progress.
- Following the discussion, NeuGroup’s Ted Howard, who leads the ERM group, said, “Any plan that does get initiated must be supported by a comprehensive strategy that includes leadership commitment, clear processes, training, open communication and a supportive environment.”