Promoting risk culture in SMEs

Esstisch AG, a Swiss furniture manufacturer with 120 employees, operates a modern risk management system. A risk policy with clearly assigned responsibilities was discussed and approved by the Board of Directors. Risks from the internal and external environment were identified, analysed and assessed, taking into account dependencies. The risks acceptable to the company are monitored by the risk manager in cooperation with the strategy and process managers. In addition, measures to reduce risks are defined and reported to the management.

Nevertheless, Esstisch AG was caught flat-footed by unforeseen events: first, the financial director was absent for an extended period due to an accident, then one of the most important customers announced its insolvency. In addition, despite intensive negotiations, the cooperation with an online retailer could not be deepened. As a result, the person responsible for risk management and the methods and instruments used were criticized because the consequences of the incidents could not be anticipated.

Up to this point, risks (and opportunities) were in fact only discussed at the top management level of Esstisch AG. Due to the heavy workload, hardly any lessons were learned at the operational level from previous incidents or near incidents. For example, payments from the major customer had already been delayed in the past. In addition, the management did not set an example, as the cooperation mentioned failed due to a conflict within the management. Ultimately, the risk manager's recommended measures were only seen as causing costs, which is why the company refrained from comprehensive deputisation arrangements.

What makes a good risk culture?
This fictitious example, which is based on similar cases in practice, is a phenomenon that can be observed time and again: Despite a systematic approach to risk management, risks occur that the company does not have in its sights. As a consequence, the benefit of risk management is doubted and resources have to be justified even more in the future. Often, the reason for this lies in a deficient risk culture.

Risk culture can be described as the cross-hierarchical, observable behaviour of an entire organisation with regard to dealing with opportunities and risks. The formal basis is the risk policy, which deals with the principles of risk management. As part of the corporate culture, the risk culture in turn comprises the common set of norms and values shared by employees. This is the basis for their willingness to recognise and accept risks and to communicate them within the company. The following factors can also be cited as prerequisites for a good risk culture (cf. Boutellier, Gabriel, Barodte & Montagne, 2007):

• an open and constructive culture of communication,
• a goal- and solution-oriented group climate,
• constructive handling of conflicts, so that factual solutions are made possible.

This can promote an intensive exchange of information within the organization, active learning from mistakes or the ongoing questioning of existing processes. Finally, this basis also favors the comprehensive identification and conscious acceptance of risks.

SMEs with considerable need to catch up
As part of a study by the Lucerne University of Applied Sciences and Arts, the risk culture at Swiss companies was examined in depth. It was found that only one in four companies consciously promotes a positive risk culture. For two-thirds, risk culture is only partially in focus, while ten percent of respondents pay little or no attention to risk culture (see figure).

An industry analysis suggests that especially financial services and health and social care pay increased attention to risk culture. Moreover, when the results are broken down by size category, smaller and medium-sized companies are less concerned with a positive risk culture than large companies. Accordingly, positive risk culture is likely to serve only marginally as a basis for risk management activities.

Risk culture as a "basic framework
A positive risk culture in which all employees are involved embodies the basic framework for sustainably functioning risk management. The question arises as to what measures SMEs can take to strengthen the risk culture and awareness in the company. The three fields of action of communication, leadership & strategy and motivation are suitable for this purpose (cf. Korte & Romeike, 2011).

Communication
Because risk culture is not a one-off process, the permanent exchange of information across all departments and hierarchical levels is central. The importance of risk management, in particular the sensitivity to risks, must be conveyed to employees time and again. At the same time, however, it is important to convey the certainty that risks are fraught with uncertainty and that, despite modern methods, not all scenarios can be anticipated precisely. Various means of communication are suitable, such as intranet messages, suggestion schemes, employee magazines or regular agenda items at information events for employees.

Leadership & Strategy
The management culture is a central field of action for shaping the risk culture. Management plays an important role in setting an example of a positive risk culture ("tone at the top"), which should be reflected in the management style. Since all employees embody a part of the company-wide risk management, the actions corresponding to a positive risk culture must be internalised in an organisation (cf. Hunziker & Meissner, 2017).

Therefore, the opportunities of risks should already be addressed when setting the strategy. With this approach, the employees or the respective department also recognize the value-creating process of risk management, in that new opportunities can open up. In addition, the incentive system should be designed in such a way that compensation is based on risk-adjusted results. On the other hand, taking undesirable or unacceptable risks, even if they do not have negative consequences for the company, must be sanctioned.

Motivation
The third field of action for the integration of an adequate risk culture concerns the motivation of employees. It must be the goal of every company to create an internal environment in which sensible and pragmatic decisions can be made. If, in addition, active involvement is ensured with regard to opportunities and risks, employee motivation can be significantly increased. Another possibility is to include risk-relevant aspects in performance appraisals. Furthermore, it helps to clearly define responsibilities and to consider appropriate education and training programs to promote the ability to think and act in a holistic, interdisciplinary manner.

Conclusion
With a positive risk culture in the company, risk management can become a strategic competitive advantage by consciously taking risks in order to exploit potential opportunities. In this way, it is also possible to refute the image of risk management as a mere cost generator without corresponding benefits. However, the results of the study mentioned above show that SMEs in particular still have a lot of catching up to do in terms of promoting a risk culture. However, the three fields of action communication, leadership & strategy as well as motivation open up the opportunity to better anchor a positive risk culture in the organization and thus to do justice to holistic risk management. The willingness of employees to perceive risks within the defined bandwidths and to communicate them within the company is crucial here.