If risky behavior can happen at the house of Morgan under the watchful eyes of Jamie Dimon, it can happen anywhere. It comes with the territory of employing people.
I recall a study conducted by the security firm Pinkerton in the 1980s that concluded that 30 percent of the population will not only steal if an opportunity exists, but will actively create an opportunity to do so. Another 40 percent will take the opportunity if they’re convinced they won’t get caught. Only 30 percent will not steal at all.
If all organizations face the risk that their people will undertake reckless or unethical behavior, how should they protect themselves? The best defenses come down to five house rules:
- Safeguard the front door. Rule one in minimizing risky behavior is to prevent questionable job candidates from ever becoming employees. It isn’t enough to study resumes closely; studies have shown that over 50 percent of them contain inaccuracies. Basic controls include employment and background checks. As a recent example, a simple background check would have saved the Yahoo! board the trouble of ousting Scott Thompson, the company’s fourth CEO in five years, because he falsely claimed a computer science degree. A growing number of companies also conduct behavioral and honesty testing to screen employees.
- Set clear policies. For enterprise risk management, key policies include a statement of risk appetite and explicit risk tolerance levels for critical risks. The company’s performance measurement and incentive systems, and the degree to which risk management is considered, will also have a profound impact on employee behavior. It has been wisely said that people don’t do what you tell them to do; they do what you pay them to do. Of course, the right people have to be setting the rules. Jeff Skilling, as a condition of his employment at Enron, insisted the company adopt mark-to-market accounting. That meant Enron was able to report $3.3 billion in net income during the five years prior to its bankruptcy in 2001, while only $114 million in net cash was generated (or a mere 3 percent of reported income). In the phrasing of the Pinkerton study, he created an opportunity to steal. Appropriate risk, compensation and financial policies will set the incentives and boundaries for employee behavior.
- Create a risk culture. In addition to policies, an organization must find other ways to foster a strong risk culture. Intelligent risk taking, even if it results in failure, should be encouraged, while there should be zero tolerance for unauthorized and unethical behavior. The “tone from the top” is important for how employees value honesty and integrity. Ongoing training and communication, as well as installation of leaders with high integrity, further reinforce a risk culture. In his congressional testimony regarding the Colombia prostitution scandal, Secret Service Director Mark Sullivan denied that the agency had long condoned a culture of misconduct. Maine Senator Susan Collins countered by pointing out that (1) the agents made no attempt to conceal their identity despite bringing the women to their hotel rooms; (2) it was not one group of individuals who engaged in misconduct but rather several smaller groups; (3) two of the agents were leaders, each with more than 20 years of service; and (4) a survey indicated that fewer than 60 percent of the Secret Service personnel said they would report ethical misconduct. Leadership and culture are key drivers of behavior.
- Fix the broken windows. Rudy Giuliani is widely credited with reducing crime in New York City by applying the “broken windows” theory. According to it, when urban environments are well monitored and maintained, vandalism doesn’t escalate into more serious crime. Keeping this in mind, organizations must identify and discourage risky behavior at every turn. Risk escalation and whistle-blower processes can enhance monitoring and transparency. One of my clients, a CEO of an asset management firm, said to me, “I would not blink if one of my fund managers lost $10 million due to a wrong bet, but I would fire him immediately if he cheated $10 on his expense report.”
- Have strong guardians. The board and management are in place to provide leadership and oversight. Organizations must ensure that key risk, compliance and audit positions are filled with highly qualified professionals. This extends to the board-room. Critics have pointed out that the risk committee of JPMorgan’s board consists of three directors with no significant banking or risk experience. In contrast, the boards of the five next-largest banks have all placed directors with deep banking and risk experience on their risk committees. Senior risk staff must also have sufficient stature relative to the line executives they are responsible for overseeing. JPMorgan’s chief risk officer, Barry Zubrow, earned less than his peers at global banks and was not among the top tier in compensation at JPMorgan.
Even when they don’t set out to cheat, steal or lie, people can do stupid things at the wrong times. Organizations should minimize all these behaviors and their impacts by establishing appropriate culture and controls. Doing so ensures that risky behavior will not bring down the house.
NOTE: Originally published by Harvard Business Review in 2012. Copyright 2012 Harvard Business Review. All rights reserved. Reprinted by permission.
Download the white paper, The Art of Balancing Risk and Reward. This paper outlines the board’s role in setting, implementing and monitoring risk appetite – developing a risk culture from the top down.