The decline of the Chief Risk Officer and rise of effective risk management

The rise of digital business is bringing more interconnected risks to every organization and, in equal measure, is increasing the importance of enterprise-level risk management. However, banks and other highly regulated industries have been dealing with the growing complexity that comes with it for decades. In the early 2000s, American politicians attempted to crack down on widespread risk-taking by major banks in the form of opaque financial instruments like derivatives. The subsequent legislation was supposed to decrease risk-taking by major financial institutions, and hopefully to help the US economy avoid the very crisis that hit in 2008.

Yet, in spite of the uptick in regulation, risk-taking exploded. A recent study from the American Sociological Review put forth an interesting thesis. Its authors were able to trace the increase in risk-taking among major financial institutions back to the advent of the CRO, or Chief Risk Officer. In response to the increased regulatory environment, big banks appointed CROs as a way to show both internal and external stakeholders that they were serious about risk management. In 2000, fewer than 1% of major financial institutions had a CRO; six years later, more than a quarter had one. On the face of it, the appointment of a risk officer seems like an appropriate and measured response; why, then, did it have the exact opposite effect?

Moral Licensing and Risk Taking

The appointment of a CRO changed two primary facets of the organizations studied. First, the introduction of the Chief Risk Officer increased the risk taken by banks because shareholders were being promised “maximum risk-adjusted returns,” which left no margin for error. Second, and arguably more interesting, was the effect it had on the internal organization. Because there was now one person in charge of managing risk, managers and employees were less likely to moderate their own risky behaviors. Psychologists call this “moral licensing,” and it is used to explain a broad range of behaviors, such as workplace discrimination. For example, when a company promotes itself as an equal opportunity employer, employees are less likely to self-police for workplace bias.

What does this mean for risk management?

As a discipline, risk management is undergoing renewal. Most organizations manage their governance, risk, and compliance in isolated silos. Yet, the ever-growing regulatory environment and increased focus on accountability make it imperative to manage risk and compliance initiatives in an integrated fashion. To understand the full scope of risk, organizations need a holistic view across all business units, key partners, and risk & compliance functions, as well as product & service lines. This type of approach requires the collaboration of multiple stakeholders (including IT, legal, finance, risk, compliance, audit, strategy and business unit leaders) in pursuit of greater risk awareness, accountability and, ultimately, better decision-making capabilities.

However, this study is a cautionary tale about human behavior. It is not enough to simply hand off accountability. A fundamental culture change needs to be enacted in order to address risk at its roots.

