Risk managers are flirting with business ethics. Does anyone hear wedding bells?

In the wake of the 2007–2009 financial crisis and subsequent rate-rigging, money-laundering and other financial-services scandals, we are recognising that figuring out what’s wrong must include an ethical discussion of what is right and wrong.

Amoral risk management is no longer welcome, which makes hypocrisy an enterprise risk. In 2015, Shell was called to account by Louise Rouse, an investor-relations specialist and consultant to Greenpeace, for claiming that it raised living standards in the developing world by supplying the energy needed for economic expansion.

All the while, Shell was pursuing a business strategy based on a 4°C global warming scenario—that is, twice the level considered safe by scientists.

Accusations like this, coming not from muckrakers but from investors or shareholders, are a new development in governance. An “ethical turn” in risk management looms, focusing the attention of boards and executive teams on a plurality of “values at risk”, rather than a single or composite—and primarily financial—“value at risk”.

New moral narrative

An influential report on risk culture reform in the UK, by Mike Power, Simon Ashby, and Tommaso Palermo, highlights the risk manager’s role in creating a “new moral narrative of organisational purpose” as part of the authors’ agenda of reconnecting risk-taking with control processes.

The corporate-governance advisory group, the Committee of Sponsoring Organizations, in its new edition of Enterprise Risk Management: Aligning Risk with Strategy and Performance, explicitly urges risk managers to challenge decisions involving ethical dilemmas by asking, for example, whether a business proposal “infringes on the entity’s standards of conduct”, or by asking of a business practice, “Would we want our shareholders, customers, regulators, external parties, or other stakeholders to know what we’re doing?”

Is this ethical turn for real? It is. Some practices of risk management, particularly those that supposedly operationalise “risk appetite” and influence “risk culture”, can no longer sidestep ethics. Consider the risk-calculation tool known in banks as Value at Risk, and elsewhere as Earnings at Risk. The very names declare that money matters most.

Cases of ethical dysfunctionality at Enron, Goldman Sachs, Wells Fargo and others have shown us where that approach can lead. Managers at Goldman Sachs, for example, could monitor and contain their financial risks during the subprime mortgage crisis using superior risk-quantification processes, yet these tools told them nothing about the conflicts of interests that arose when the firm engaged in activities that “promoted its own interests at the expense of investors” (US Senate Subcommittee, 2010).

Adequately equipped

But the risk manager cannot go forth to battle like Don Quixote, convinced that the barber’s basin on his head is a knight’s helmet. He, or she, must be adequately equipped with techniques and a mandate. Here’s what that can look like.

In 2012, risk-management pioneer Rob Quail  (then director of risk management at Canadian electric utility Hydro One) published his article, Defining Your Taste for Risk. Cutting the Gordian knot of confusion in the risk-appetite debate, he addressed “the practical realities of making trade-offs across business objectives”. He recognised that the risk-appetite discourse was essentially about “tough choices”:

“How much financial risk should we take to meet environmental goals? How should we trade off customer satisfaction against employees’ wellbeing?”

Quail hit upon the ethical dimension that surfaces as soon as an organisation recognises not only the plurality of its objectives, but also the plurality of its values and of its stakeholders. “Providing ‘naked’ objectives isn’t enough”, he argued, “to allow [decision-makers] to understand … what kinds of risks we like and what kinds of risks we don’t like.”

Recognising that risks could be seen as good and less good, or bad and less bad, and that “softer” risks to reputation or customer relationships couldn’t be quantified or monetised, Quail debunked two myths about risk appetite.

First, “there is no such thing as a single ‘catch-all’ statement that will meaningfully communicate risk appetite; the term Risk Appetite Statement is itself misleading”. For Quail, risk appetite exists only in relation to individual objectives: “When faced with multiple options, how willing are we to select an option that might place this objective at risk? How willing are we to trade off the achievement of this objective against other objectives?”

Second, he challenged the quantification spirit: “Circumstances where risk appetite can be expressed as a fixed numerical limit or ratio are few.” Unquantifiable problems aren’t solvable with numbers. But they aren’t unsolvable. He proposed a monitoring and control process for the discussion of risk appetite, starting with the board and executive team.

Step 1: Define the “target” enterprise risk appetite

Based on the “mission, vision and values of the organization”, the board and executive team should rate on a scale of 1 (non-negotiable) to 5 (negotiable) each strategic objective in terms of how willing they are to place it at risk for the sake of another.

As shown in Figure 1 (below), the “risk appetite radar” (RAR) visualises the ethical dimension of strategic decision-making. Hydro One, for instance, has an objective to be “Number 1 in safety in the world”. The safety objective is rated 1—non-negotiable—as is employee relationships. Revenue growth, shareholder return, and technical innovation, though obviously important, can be traded off to protect safety or employee relationship.

For example, Hydro One intended to be the first Canadian electricity company to introduce “smart meters”. But having prioritised employee relationships over technical innovation and shareholder value, the board and executive team declared their willingness to compromise on financial objectives and spend what was necessary to retrain, reassign or retire meter readers who were rendered obsolete by the new technology.

Step 2. Assess the “exhibited” risk appetite

Actions speak louder than words. Quail wanted to know if Hydro One meant what it said. When important values conflicted, which prevailed? As a risk-workshop facilitator, he used surveys and conversations to gather data on risk appetite perception at all levels. He produced a gap analysis (such as the example given in Figure 2, below) showing the “target vs. exhibited risk appetite”.

Step 3: Address the gaps

The gaps visible in the RAR highlighted important issues. In the example given, one can see the evident reluctance of managers to spend the necessary money on retraining, reassigning and retiring employees respectfully (shown in the “exhibited” primacy of shareholder return over employee relationship, the opposite of what was intended).

Gaps indicate confusion, suggesting the incubation of risks. This is particularly important for safety-critical organisations and might save us from another Bhopal or Deepwater Horizon.

Making Values at Risk visible is just the first step in gaining control over “risk appetites” and, ultimately, over organisational culture. If risk managers’ flirtation with ethics becomes a long-term relationship, it will be a tumultuous one. Risk managers will enter, or initiate, explosive discussions of which values and stakeholders to stand up for and which to compromise on.

It won’t be easy. But it will be a huge and healthy step forward. As the philosopher Paul Tillich argued, it takes courage to affirm one’s inner aim, in spite of many self-serving temptations and ambiguities. As risk managers and board members are increasingly expected to affirm the values and priorities of their organisation, they too need this essential courage.

Anette Mikes is professor of accounting and control, HEC Lausanne.