Five house rules for managing risky behavior

How can organizations protect themselves from their own employees?

If risky behavior can happen at the house of Morgan under the watchful eyes of Jamie Dimon, it can happen anywhere. It comes with the territory of employing people.

A 1980s study by the security firm Pinkerton concluded that 30 percent of the population will not only steal if an opportunity exists, but will actively create an opportunity to do so. Another 40 percent will take the opportunity if they're convinced they won't get caught. Only 30 percent will not steal at all.

James Lam is President of James Lam & Associates and author of Enterprise Risk Management: From Incentives to Controls.

The best defenses for preventing reckless or unethical behavior come down to five house rules:

  1. Safeguard the front door. It isn’t enough to study resumes closely; studies have shown that more than 50 percent contain inaccuracies. Basic controls include employment and background checks, while a growing number of companies also conduct behavioral and honesty testing. As a recent example, a simple background check would have saved the Yahoo! board the trouble of ousting Scott Thompson, the company’s fourth CEO in five years, because he falsely claimed a computer science degree.

  2. Set clear policies. For enterprise risk management, key policies include a statement of risk appetite and explicit risk tolerance levels for critical risks. Appropriate risk, compensation and financial policies will set the incentives and boundaries for employee behavior. Of course, the right people have to be dictating policy. Jeff Skilling, as a condition of his employment at Enron, insisted the company adopt mark-to-market accounting. That meant Enron was able to report $3.3 billion in net income during the five years prior to its bankruptcy in 2001, while only $114 million in net cash was generated. Skilling created an opportunity to steal.

  3. Create a risk culture. Intelligent risk taking, even if it results in failure, should be encouraged, while there should be zero tolerance for unauthorized and unethical behavior. The "tone from the top" is important for how employees value honesty and integrity. Ongoing training and communication, as well as installation of leaders with high integrity, further reinforce a risk culture. In his congressional testimony regarding the Colombia prostitution scandal, Secret Service Director Mark Sullivan denied that the agency had long condoned a culture of misconduct. Sen. Susan Collins from Maine countered by pointing out that (1) the agents made no attempt to conceal their identity despite bringing the women to their hotel rooms; (2) misconduct was not limited to one group of individuals but rather several smaller groups; (3) two of the agents were leaders with more than 20 years of service; and (4) a survey indicated that fewer than 60 percent of the Secret Service personnel said they would report ethical misconduct.

  4. Fix the broken windows. According to Rudy Giuliani's "broken windows" theory, credited with reducing crime in New York City, when urban environments are well monitored and maintained, vandalism doesn't escalate into more serious crime. Keeping this in mind, organizations must identify and discourage risky behavior at every turn. Risk escalation and whistle-blower processes can enhance monitoring and transparency. One of my clients, a CEO of an asset management firm, said to me, "I would not blink if one of my fund managers lost $10 million due to a wrong bet, but I would fire him immediately if he cheated $10 on his expense report."

  5. Have strong guardians. The board and management are in place to provide leadership and oversight. Organizations must ensure that key risk, compliance and audit positions are filled with highly qualified professionals. This extends to the boardroom. Critics have pointed out that the risk committee of JPMorgan's board consists of three directors with no significant banking or risk experience. In contrast, the boards of the five next-largest banks have all placed directors with deep banking and risk experience on their risk committees. Senior risk staff must also have sufficient stature relative to the line executives they are responsible for overseeing. JPMorgan's chief risk officer, Barry Zubrow, earned less than his peers at global banks and was not among the top tier in compensation at JPMorgan.

Even when they don't set out to cheat, steal or lie, people can do stupid things at the wrong times. Organizations should minimize all these behaviors and their effects by establishing appropriate culture and controls. Doing so ensures that risky behavior will not bring down the house.

Originally published by Harvard Business Review in 2012. Copyright 2012 Harvard Business Review. All rights reserved. Reprinted by permission.


Improvements your firm can duplicate

Since the financial crisis, financial institutions have increased their investment in and attention to most aspects of their risk management, including:

  • Restructuring internal control infrastructures.
  • Increasing authority of chief risk officers.
  • Strengthening management of liquidity risk.
  • Introducing more robust processes for cost-of-capital assessment.
  • Revamping risk models.
  • Strengthening stress-testing procedures.

What you don't know can hurt you

Governance, risk and compliance (GRC) is about ensuring that your business is in control rather than out of control. It's about being proactive, rather than waiting to see what happens next. What can you do?

  • Integrate GRC with business strategy and decision-making processes.
  • Automate common GRC processes.
  • Manage policies throughout their life cycles.
