Risk Management: processes matter, but culture makes the difference

Rethinking the role of a Risk Management as a cultural attitude with Simone Aurighi. Companies are advised to invest in their fraud prevention teams just like they invest in their products

When typing ‘Sales and Marketing’ on Google, some of the first associated words that pop up are ‘jobs’ and ‘salary’. Whereas if you search Risk Management, you get process, plan, framework. Not as fancy, is it?

Traditionally, Risk Management has a reputation of being a very tedious function, performed by bureaucratic looking people that always show up at the most inconvenient time. When combined with Governance or Internal Audit, tumbleweeds magically materialise, rolling around the office.

In my opinion, this reputation sparks from the fact that Risk Management, by designation, has to ensure that companies do not make silly mistakes and therefore, in the pursue of this goal, it removes most of the fun from the jobs of everyone around. I often say that a company that implements a Risk Management function is like a child growing into an adult, many times “play and fun” morphs into “work and misery”.

A young company usually focuses on its primary mission, which is to develop and sell a product or a service. As it grows and matures, it has to establish ancillary functions to survive and thrive: Finance, Marketing, Human Resources, and so on. Eventually, the company reaches a size by which a Risk Management function becomes necessary, mainly if adverse events have already occurred. 

Subsequently, the strategy is to create something that was not there before. This tactic, I believe, is a crucial mistake. The approach is typically to choose a framework and place it on top of the existing environment. Processes need to be strengthened and controlled, and Risk Management frequently achieves that by imposing unwelcome changes and requirements.

In turn, employees tend to resist these changes and requirements, as they are perceived as an unnecessary obstacle to their actual goals. Bottom line, conflicts arise, and energies are spent to essentially bypass the Risk Management features that have just been put in place (password sharing as a simple example), ultimately making them ineffective.

Moreover, individuals that genuinely want to harm the company, the ones that Risk Management desperately aims to detect and stop, can easily take advantage of processes while cleverly sneaking through the checks created appositely to catch them. At the same time, all the other employees endure the pains of complying with burdensome mandatory monitoring.

All of the above help understanding why I believe that companies should embed Risk Management within all of their processes, making it a cultural attitude, rather than artificially implement a top-down framework. The founders of a company should ensure from day one that all their future employees understand what the most significant threats and risks for their business are and expect them to act accordingly to prevent them.

Furthermore, founders and top management should lead by example and be the very first ones to act with mindfulness when it comes to preventing risks. Encouraging colleagues to think before they act and expect them to be accountable for their actions are two very successful tricks that help drive a risk-conscious culture within the organisation.

More proactively, Human Resources should invest time in developing and shaping new employees, training them on the challenges that the company is facing. But even before that, the effort should begin at the recruiting level, making sure that the right employees are hired. Today still too many companies hire employees based on two or three conversations that revolve around their previous experience, without placing sufficient scrutiny on the cultural nature of the person.

People that understand risks and know how to manage them should be preferred over reckless ones, as a lying employee will always cost more than an annoying employee. Please don’t get me wrong, I honestly invite you always to judge the moral and ethics of the people you bring inside your business. This assessment can hardly be done with two one-hour interviews.

I understand the consequences of a car crash, so I always wear a seatbelt because I want to and not because I have to. Similarly, a salesperson that understands the consequences of your company becoming associated with money laundering activities will want to ask their client for the additional mandatory certification, rather than asking your Risk Management team for a waiver.

In conclusion, your risk processes will only be as robust and safe as the people you have onboard. Choose your people carefully and invest in them as you would invest in your products, I guarantee you that the return on prevented losses will significantly outweigh any direct cost you will incur.

About Simone Aurighi

Simone Aurighi is a business-oriented Risk specialist with more than fourteen years’ experience within the international payments sector, dispensing risk management awareness across the world. He started his career at First Data, where he quickly moved through the Risk Management ranks, learning the basics from the bests. In 2014, Simone joined PayU as their Global Head of Risk and Internal Control. The six years spent at PayU allowed him to gain an extensive understanding of Risk Management in payments in emerging markets, from India to Colombia, from Russia to South Africa, subsequently also experiencing a vast range of different cultures. After a very short stint at Mastercard, Simone decided to concentrate his energies towards his beautiful family. During his spare time, he shares his Risk Management knowledge through writing as well as consultancy services.