The Determinants Factors of an Effective Risk-Aware Culture of Firms in Implementing and Maintaining Risk Management Program

The borderless and intense global competition has contributed much to the dynamics of the business world. This dynamic business environment contributes significantly to the existence of risks. In general, risk is the effect of uncertainty, which can normally cause a firm to deviate from achieving its planned goals and objectives. However, deviation is not necessarily bad: besides affecting a firm negatively, it could also lead to a positive outcome for the firm. From the perspective of implementing and maintaining an effective risk management program, developing a risk-aware culture is one of the important factors for consideration. The importance of culture has been mentioned in the risk management standard, ISO 31000, and in numerous published studies and articles. However, there are no definite indications or tools for firms to develop and embed the risk-aware culture into their organisational culture. According to Chugh (2013), risk-aware culture is a set of values shared within the organisation. It entails acceptance and knowledge about the risks surrounding the organisation. As such, to ensure an effective implementation and maintenance of a risk management program, it is crucial for an organisation to have a risk-aware culture. Fundamentally, culture relates to human behaviour, and this requires identification of the human-related determinants relevant to developing a risk-aware culture. Hence, this study looks into the determinants for developing an effective risk-aware culture within firms. This study reviews the literature on the determinant factors of an effective risk-aware culture in various published articles, online articles, and surveys done by reputed experts in this field. The findings of this study shall facilitate better understanding for firms to develop and maintain their own risk-aware culture, leading to an effective implementation and maintenance of their risk management program.


Introduction
The effects of globalisation and the risks synonymous with it have affected businesses and their marketplaces in many ways. To survive, businesses are compelled to improve their way of conducting business (Thoumrungroje, 2004; Rosli & Siong, 2018). In order to remain relevant, firms need to create their own unique competencies and competitive advantage to address the uncertainties surrounding their business environment. The opportunities and threats from globalisation have steered firms to fine-tune their organisational structures and strategies as required (Thoumrungroje, 2004; Takele, 2018). One of the common strategies adopted by firms globally is to improvise the management of their risks.
The emergence of risk management as a crucial factor for sustaining and improving an organisation in terms of sustainability and growth has been acknowledged by both public and private organisations globally. The collapse of Enron, the WorldCom scandal, the 2008 financial crisis, British Petroleum's Deepwater Horizon disaster and the European debt crisis have all been examples called out by regulators and news media evidencing the need for more inclusive, effective risk management practices and oversight (IIA & RIMS, 2012). This inevitably led to a paradigm shift in the management thinking process and organisational practices, and even changed the way firms interact with their shareholders and stakeholders. With the objective of either sustaining or enhancing business performance, firms experimented with various management system concepts and practices. Management system concepts such as risk management have emerged as a prominent management tool for firms intending to enhance their business performance. The conceptual development and practices for this management field have evolved extensively over the years, and there are numerous studies and research on this management practice (Umrani, Mahmood & Ahmed, 2016; Yildirim, 2018).
Considering the progressive development of risk management in the business world, the main objective of this paper is to examine the determinant factors that are critical for a risk-aware culture, which is significantly important to ensure the effectiveness of the firm's risk management program. The review covered various past studies in the risk management field. The focus of the review is on the determinant factors for a risk-aware culture, and how they affect the effectiveness of implementing and maintaining a risk management system.

Risk Management
Risk is the probability of a deviation from achieving planned objectives or expectations. A typical organisation's objectives would be to achieve excellent business performance results, typically in its finances and operations. In the course of achieving excellent business performance, a firm faces both internal and external risks. Generally, internal risks refer to risk matters that the firm is normally able to manage and that are within its scope of control, while external risks refer to risk matters over which the firm has less or no control at all, as they are not within the firm's scope of control. Regardless of the category of the risk, addressing key risks is a prerogative for firms (Shortreed, Craig & McColl, 2001). The main purpose of having a risk management program is to protect the firm from deviations that are negative and ones that could prevent the achievement of the firm's goals and objectives. Risk management standards such as ISO 31000:2009, Risk management - Principles and guidelines, and COSO's ERM Framework are among the commonly used risk management standards globally, across all types of business segments and trades. These standards are almost comprehensive, containing effective approaches or methods for developing an effective risk management program for firms. Taking such a comprehensive risk management standard as an example and considering the exhaustiveness of information available in it, one could not think of any reason why risk management could fail (Jermsittiparsert & Sriyakul, 2014; Yulisutiany, 2018). However, studies have reported that even a robust risk management framework is not able to safeguard firms from the impact of risks when they occur (Landier, Sraer & Thesmar, 2009; Bozek & Tworek, 2011; Sandy, 2018), and this is due to the dynamics of the business environment and, commonly, to a breakdown in the firm's risk culture.
According to a 2014 report by the Organisation for Economic Co-operation and Development (OECD, 2014), the consequences of risk management failures are often under-estimated. Firms often overlook the total impact of risks, including the time required to remedy the situation. Failure of risk management contributed to the U.S. financial crisis from 2007 to 2009 (Golub & Crum, 2009) and, as the U.S. is a major economic power, the downturn had a ripple effect on other countries as well. Chugh (2013) attributed these failures to a breakdown in the risk culture. This is evidence that even if the risk management framework is robust in theory, it can never guarantee that there will be minimal impact when a risk occurs (Kimball, 2000; Stulz, 2008; Jorion, 2009; Zafarullah, 2018). Nevertheless, the cause is not necessarily that the risk management framework was inefficient, but rather the effectiveness of its implementation by the human factor. Hence, it is crucial that firms manage their human resources as the key to an effective and efficient risk management program.
According to Hillson and Webster (2004), research and experience both indicate that risk management's effectiveness is dependent upon the individuals in organisations (Hillson & Webster, 2006). Firms can have and implement the most robust risk management system and framework but, in the end, it shall always be dependent on the human factor as its success factor. Human attributes play an important role in the way forward for an effective risk management system. People and their behaviour influence the effectiveness of a firm's risk management system (Goto, 2004). Arising from what is perceived as failures in risk management, organisations have started to look into soft factors such as incentive structures that reward business successes, as well as awareness and management of risk (OECD, 2014). These have prompted organisations to look into the human-value aspect and the organisational culture that supports risk-aware development. In other words, a risk-aware culture is supported by a management system that supports human values. This leads to studies that infer that risk-aware culture is one of the critical factors for a firm's risk management architecture (Stroh, 2005; RIMS, 2009; Hampton, 2009).

Determinants for Risk-Aware Culture
The review on determinants for risk-aware culture focuses on studies and papers on the critical success factors for risk management. The attributes taken into consideration are mostly leading factors significant to the development of a risk-aware culture. Whilst the lagging factors are equally important, attributes of this type are normally results of the leading factors. The identification of attributes for risk-aware culture is endogenous and based upon human behavioural leading attributes that could possibly contribute to the development of a risk-aware culture. Stroh (2005) conducted a study on his own company, the United Health Group, a diversified Fortune 40 company focussing on the healthcare system. In his published journal article, he indicated four main factors, namely support of top management; risk ownership; risk-aware culture; and communication, as the main factors that support risk management at this company. As top management support and communication are human behavioural activities that affect the development of a firm's culture, these factors are considered essential attributes for risk-aware culture.
RIMS (2009) highlighted in their report that any risk management framework can be effective if the firm exhibits behavioural aptitude. Supported by top management, these attributes include adoption of an enterprise risk management based approach; risk management process; risk appetite management; root cause discipline; uncovering risks; performance management; and business resiliency and sustainability. It was also highlighted that the reason for the 2008 global financial crisis was an over-reliance on the use of financial models, with the mistaken assumption that risk quantification tools based solely on financial modelling were both reliable and sufficient to justify decisions to take risk in the pursuit of profit (Zainudin et al., 2017a, 2017b). This report also highlighted the importance of a risk practitioner having a certain set of skills, such as interpersonal and business skills. The leading human behavioural indicators from this report show that top management support; knowledge; and interpersonal skills of risk practitioners are important for the success of a risk management program. Interpersonal skills of risk practitioners can be categorised under the communication label.
Hampton (2009) mentioned eight criteria as fundamental to maintaining a risk management system. He stated that risk categories should be aligned to the business model and there should be sub-categories of risk; a central risk management function with a link to the board of directors to provide oversight on risk matters and act as a focal point to disseminate risk information; a risk knowledge database to share the status of risk identification and mitigation; management's accountability; and consistent processes and training. Among the leading factors for development of a risk-aware culture are oversight on risk matters, which can be categorised under the top management support label; management's accountability, simplified as accountability; risk knowledge database, simplified as knowledge; and focal point to disseminate risk information, simplified as communication.
Dafikpaku (2011) conducted a study on Rolls-Royce Corporation and Infosys using a case study research approach. This study highlighted the importance for firms of having a risk-aware culture that supports the firm's objectives; a risk and reward system to motivate the workforce; training for risk management staff; communication as a method to gain staff commitment; and the integration of risk management into performance measurement. The leading factors for a risk-aware culture identified from this study are the risk and reward system to motivate the workforce, which is related to reward system; training for risk management staff, related to training; and communication to solicit employees' commitment, related to communication.
Althonayan, Killackey, and Keith (2012), in a significant review of surveys conducted by professional bodies, highlighted the significance of risk-aware culture in ensuring an effective risk management system. Their review highlighted that top management's commitment; alignment of risk management and corporate strategy; robust talent management; communication; metrics to measure process effectiveness; and a common risk language are some of the key areas for strengthening a firm's risk culture. This review is significant as its objectives were to identify determinants for a risk-aware culture. Alignment of risk management and corporate strategy is related to risk strategy; talent management is related to employee management; and metrics to measure process effectiveness is related to process, in its broadest meaning.
Boniface and Ibe (2012) conducted a study on how risk management could provide reasonable assurance towards achieving a firm's goals and objectives. The study adopted the cross-sectional survey design, and copies of a questionnaire were distributed to 375 respondents comprising top and middle level management staff of three major brewing firms in Nigeria. Using the Z-test statistic, the researchers found that risk management enhances the performance of firms in the brewery industry in Nigeria. This paper points out that risks should be managed at enterprise level; that top management should be involved; that there should be a system to identify potential events; and that risk should be managed within the firm's risk appetite framework. The leading human behavioural factors highlighted in this study were top management support and a system to identify potential events, which is related to process.
Abdul Manab, Othman and Kassim (2012) conducted a survey on 14 financial and 41 non-financial companies. The data collection and analysis were based on the triangulation approach. They noted that organisational culture is the most critical factor contributing to the success of implementing a risk management system, and that it has an effect on shareholder value. In fact, the function and effectiveness of other critical success factors were dependent on strong organisational culture. The other critical success factors identified were risk management base, compliance, resource, cross-functional staff, knowledge management, and authority. The leading human behavioural factors for risk-aware culture highlighted in this study are organisational culture; top management support; and knowledge management. It focusses on the capability of the organisation empowered by managing knowledge on the subject matter of risk management.
Hallowell, Molenaar, and Fortunato (2013) conducted a comprehensive survey with responses from 43 of the 52 US departments of transport. The results from the survey were validated through interviews with top management. The results of the survey indicated that only 39 percent have a formal risk management program and that over 40 percent of the agencies felt that their risk management procedures were not effective. The results also indicated that executives play a critical role in a risk management program; employees must be involved at all stages in the development of the risk management program; adequate resources should be allocated for implementing risk management; and developing a risk-aware culture should involve everyone in the organisation (Rosli & Dusuki, 2018). The leading human behavioural factors for risk-aware culture highlighted in this study are the critical role of executives, rearticulated as top management support, and employees' involvement.
Curran (2014) stressed that risk practitioners should develop their interpersonal skills. A strong risk management program requires practitioners to be able to sell the concept and get buy-in from every level of the organisation. To achieve this, there must be top management involvement; a common risk language; a robust risk management framework that is tailored to the culture; and training within an organisation. The leading human behavioural factors for a risk-aware culture are interpersonal skills of risk practitioners, which are critical to get buy-in from every level of the organisation and are related to communication; top management involvement, which is related to top management support; common risk language; and training.

Findings From Review for Risk-Aware Culture Determinants
Based on the review, critical factors that could potentially contribute to the development of a risk-aware culture have been identified. The toughest phase of developing a risk-aware culture is to solicit buy-in from the majority of the population. Hence, it requires addressing the subject matter from the organisational culture perspective. The identified attributes are endogenous variables critical to the development of a risk-aware culture. As these factors contribute to a risk-aware culture, they are therefore crucial for the effectiveness of a risk management system. In a risk-aware culture, risks and opportunities are always taken into consideration during management's decision-making process. This can be traced to a well-defined risk management process embedded within the organisation and, most importantly, a positive risk culture will lead to the effectiveness of a risk management program. This is considering that when the risk management program is ineffective, the organisational culture would be the opposite, which is a risk-averse culture. Table 1 summarises the critical factors that could potentially contribute to the development of a risk-aware culture.

| Risk-aware culture determinants | Explanation |
|---|---|
| Top management support: Involvement | Management's involvement is the main driver to developing a risk-aware culture. Top management will guide and motivate the organisational behaviour towards the desired path and thus lead to a positive risk culture. |
| Top management support: Reward system | Providing a compensation system to reward management of risks will motivate personnel to be more involved and this will lead to a positive risk culture. |
| Culture: Accountability | Proactively accepting risk management responsibilities will nurture a positive risk culture. |
| Culture: Communication | Communication is critical to building a positive risk culture. This is important, especially for risk practitioners to have good interpersonal skills when promoting risk management practices. Good communication will lead to a positive risk culture. |
| Culture: Employee involvement | Engaging employees is critical to soliciting their buy-in and to developing a positive risk culture. |
| Culture: Common risk language | Common risk language is important to ensure that everyone in the organisation understands one common risk language and is not confused by any fancy terminologies. This is critical in developing a positive risk culture. |
| Training: Knowledge | Knowledge on risk management can be obtained through formal and informal training. Acquiring and practicing knowledge is essential towards developing a positive risk culture. |
| Training: Talent management | Talent management is vital to ensure continuity of risk management programs, where employees are developed and motivated to accept risk management as an important area in their day-to-day operations, and this will lead to a positive risk culture. |
| Strategy: Policy | A well-defined risk strategy will provide clear directions for the organisation's risk management strategy and therefore will support the development of a positive risk culture. |
| Strategy: Process | A clear and simple process will encourage employees to accept risk management better, thus developing a positive risk culture. |

Conclusion
This study focusses on the human behavioural aspect, as it is concentrated on the determinants or critical success factors for a risk-aware culture. A risk-aware culture plays an important role in supporting the building of a robust risk culture. Firms should nurture a risk-aware culture in which risk management adds value instead of being an additional burden for the firm's employees. As such, identifying the determinants for a risk-aware culture is crucial, as a risk-aware culture relates to the daily routine, rituals, and behaviour of the people in an organisation with regard to managing risks. This study shall promote efficiency for firms in terms of having a set of determinants for developing their risk culture instead of allocating additional resources to improve their risk management program. Firms could gain a better understanding of how to develop and maintain their own risk-aware culture, leading to an effective implementation and maintenance of their risk management program. Furthermore, this study could motivate future studies to expand the determinants for a risk-aware culture.