Risk management identifies, assesses, and manages risk threats and opportunities to a business.
The importance of risk culture within risk management cannot be underestimated.
Risk culture is the values, beliefs, knowledge, attitudes and understanding of risk shared by stakeholders associated with a business.
Associated with risk culture is the business risk appetite – the amount and type of risk a business is willing to accept in pursuit of key objectives.
Risk tolerance reflects the acceptable variation in outcomes linked to key objectives the company seeks to achieve.
Risk culture definition
The Institute of Risk Management (IRM) describes a risk culture as the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. This applies to all businesses and organisations, including private companies, public bodies, governments and not-for-profits.
What do we mean by a great risk culture?
Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within a business.
A great risk culture binds the stakeholders, risk management framework and process together to reflect the values, strategic goals and practices; and embed these into a business’ decision-making processes.
What is a great risk culture for a business?
A great risk culture for a business aligns a business’ risks to its key objectives.
The elements of a risk culture framework
The IRM has developed a risk culture framework to help influence an effective risk culture within any organisation.
The diagram simplifies a complex and interrelated set of relationships into a high-level approach to the various influences on risk culture.
Behaviours and personal predisposition to risk
The business may employ people with a different view of risk than the Board. For example, these individuals may be more willing to take risks and break the rules. There may also be a concern that the corporate culture attracts and encourages individuals who have a different ethical stance from the Board.
It’s important to note that people are different and come to companies with varying perceptions of bias and predispositions towards risk.
Personality research identified two traits that contribute to bias – the extent to which people are:
- spontaneous and care less about tradition, or they are organised, systematic and compliant
- cautious, pessimistic and anxious, or optimistic, resilient and fearless
Businesses should pay attention to the ethical profile of their employees. Every individual comes with a mix of moral values concerning different issues. These have significant influence over the decisions they make on a day-to-day basis. Ethical principles include:
- Obedience – rule compliance, the spirit of the law etc.
- Care – empathy, concern, respect etc.
- Reason – wisdom, experience, prudence etc.
An individual’s values, beliefs, and attitudes towards risk are affected by the overall organisational culture. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also called the “Double S” model, which considers culture with two dimensions:
- sociability (people focus – based on how well people get on socially)
- solidarity (task focus – based on goal orientation and team performance)
The model identifies four distinct organisational cultures described:
- Networked (high people focus, low task focus)
- Communal (high people, high task)
- Mercenary (low people, high task)
- Fragmented (low people, low task)
Risk culture can be hard to understand because it covers an organisation’s overall ability to manage risk.
It may seem like a background concept, but business culture influences risk culture. Risk culture is a broad topic because it covers an organisation’s collective ability to manage risk. Still, the more general case of a business’s culture is also influenced by its risk culture, including:
- Attitude – the way an individual or group perceives and deals with risk, influenced by perception, predisposition, and mindset
- Behaviour – observable, observable, risk-related actions, including risk-based decision-making, processes, communications, etc.
- Culture – values, beliefs, knowledge and understanding of the risk shared by a group of people with a common goal. In particular, it is the values, beliefs, knowledge, and understanding shared among leadership and employees
One of the many cultural issues is that people naturally head towards others who share the same culture, so an organisation’s culture can self-propagate if recruitment processes and environment remain unchallenged.
Every organisation has a risk culture, or indeed cultures: the question is whether that desired culture effectively supports or undermines the organisation’s long-term success.
What impacts an organisation’s risk culture
The right people
Behavioural risk management refers to controlling and mitigating employee and organisational behaviour risks.
Individual risks are the behaviours of employees and leaders that could open the business up to risk.
Organisational behaviour is collective behaviour, and some of these behaviours could be too high a risk for the business.
A robust regulatory compliance system within effective risk management will considerably impact a business. It will make it less likely to experience risk threat events and ethics violations.
From a health and safety viewpoint, employees have rights and responsibilities for their own and colleagues’ well-being.
This is expanded into the risk culture to include risk associated with the business, ensuring the company culture is in and maintains a healthy position.
Senior management involvement
The Board must make effective risk decisions about what they expect from the business.
They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.
What is risk governance?
It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s both negative and positive because it analyses and formulates risk management strategies to avoid (threat) or achieve (opportunity) risks.
Accountability is a term known to many but not appreciated for the value that it can bring to an organisation’s long term success, including safeguarding against irreversible damage and reputational risk.
To make risk accountability practical, the business line must know the acceptable limits on risk-taking.
The accountable person must have the resources and authority to manage the risk.
Issues and escalation
Escalation is the progressive increase in the intensity or spread of risk.
A risk management system must have a process where an increasingly higher level of authorisation is required to approve a continuous tolerance of increasingly higher levels of risk.
A contingency (plan) is designed to reduce the impact if a risk materialises. Consideration should be given to developing contingencies for threats and opportunities against the business risk attitude and risk tolerance.
Assessment and Evaluation
An excellent risk culture will improve risk management performance, whether stakeholders realise it. Because risk culture often evolves as the organisation grows, it may make sense for organisations to self-assess, survey, and use focus groups and other techniques to understand the current state of risk culture.
The tone of the organisation
The term tone is the combined impact of all stakeholders on risk management. Communication from the Board level will have little effect if the business employees and other stakeholders see and hear a different message from line managers, supervisory interaction and other contacts every day.
Information often gets distorted as it moves from one management level to another. There is always a greater possibility for contradictions in communication between team members at the organisation’s top, middle, and bottom. Equally, the risk of executive management being unaware of profound financial risk, operational risk and compliance risk that may be of common knowledge to one or more middle managers and employees.
Physical mechanisms driving risk culture
It’s essential to think about the tone of your organisation and how tangible physical mechanisms can help control it. These mechanisms include a risk governance structure, corporate values, code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive programs, risk assessment processes, risk indicator reporting, performance management reviews, reinforcement processes, etc. Companies and boards must examine various risks, including strategic and operational, financial, IT, etc. They must also consider the organisation’s appetite for risk, how the different types of risks can interact with one another, and how they are managed daily.
Internal attributes driving risk culture
These internal attributes include the attitudes, belief systems and values that drive behaviour, activities and decision making throughout the organisation.
While not as quickly seen and understood as physical, tangible mechanisms, they demand attention. For example, how a business handles risk management, control, and audit often manifests itself in how they address weaknesses, escalate issues, and resolve problems. The method and timely nature, or not, in which such activities are carried out provide information regarding a business’s risk culture. So, too, does leaderships reaction, or lack of, to warning signs offered by the risk management process.
External attributes driving risk culture
These external characteristics include regulatory requirements and expectations of customers, investors and others.
How an organisation seeks out these requirements and expectations, and aligns business processes through actionable improvements reveals its resilience.
Subcultures that impact risk management
In response to a changing business environment, a subculture permits a business to be agile in solving problems, sharing knowledge, and serving customers.
However, they can also lead to rogue actors and risk-taking behaviours that can harm the organisation.
Relationship to the overall business culture
A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s culture influences it in many ways. Many argue they are one and the same thing.
How to improve risk culture
As risk is about future uncertainty, it would seem logical that a desirable risk culture would position the business to be proactive and agile. It should quickly recognise a threat or opportunity and use that knowledge to evaluate its response.
Such a risk culture would provide leadership and management with a time advantage and better decision-making.
Another example of an attractive risk culture might be maintaining a healthy tension between the business’s activities for creating value and its activities for protecting value. Ideally, one activity must not be disproportionately stronger in relation to the other activity.
Once an assessment of the current risk culture is completed, executive management should consider whether any organisational changes are needed and define the steps required to implement change.
In transitioning to the desired risk culture, management should try to achieve the following:
Embed the change in the organisation
Risk culture should be affected through the business’s overall risk governance process.
For example, risk management accountability should be reinforced through committee charters, policies, job descriptions, limit structures, and escalation protocols. To illustrate the importance of responsibility, accountabilities for risk management should be reinforced through committee charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can also support the desired cultural risk behaviour.
Make it a priority for all stakeholders
All stakeholders must support the positive and desired risk culture by demonstrating the desired behaviours through actions and decisions over time and periodically communicating the value contributed by the organisation’s risk culture.
Undertake an integrated approach to the change
If addressed as a stand-alone initiative, change programs with intermittent communication, awareness promotions, and training strategies are mere surface dressing and provide little in the way of a positive cultural change.
When integrated into a comprehensive program that aligns performance expectations, roles, responsibilities, and operational structures with appropriate risk attitude and tolerance, they reinforce the critical aspects of the desired risk culture.
Periodically evaluate progress
Regularly evaluate stakeholders during the change process. Before commencing, and to provide a baseline for the initiative, you need to assess the business and understand what pitfalls might exist. Here are some things to consider before putting things in place:
- Leadership support – Is leadership driving this initiative?
- Ownership of the business’ risk management process – Who owns responsibility and is accountable for risk management, including the controlling and mitigating actions?
- Effectiveness of risk management and governance processes – Have the strategies been proven effective?
- Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high impact events and contingency plans
- Quality of leadership discussions on risk issues and escalated matters – Are these discussions honest, open and transparent?
- Is there a risk appetite statement and risk tolerances in decision-making? Do you measure how many risks were taken in the past year? How does this compare with how many were tolerated?
- Is there alignment and incorporation of risk into strategic planning and direction – Is this aspect handled with care?
Every organisation is different. It is crucial to evaluate the business risk culture and make necessary adjustments to shape it over time in response to internal and external change.
What should now be clear from the article is that any approach to changing risk culture must be carefully planned within the overall business strategy.
The recipe and mix of tools adopted within a business depend on the current situation. There is no perfect answer to how these elements are combined to address the risk culture and maturity of the company. Several techniques can drive forward the adoption of risk management and hence embed a great risk culture.
Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is an important starting point. What can be measured can be managed and, in many ways, is the first step in recognising that risks are real, and we need to take this on board. Accountability is critical in ensuring that leadership acts upon this information and makes the most of these insights. These approaches can be reinforced by effective performance risk management.
It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks in an informed manner. However, as seen in the run-up to the financial services crisis of the late noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk.
Finally, communication and training programmes have a pivotal role in reaching out to the broader organisation and stakeholders to raise the general risk awareness levels. Clearly defined goals are required for these programmes to ensure that they deliver benefits within the overall culture change programme. Goals imply that performance should be tracked over time, and hence a move to developing risk culture dashboards.
Business leaders must recognise that changing to a great risk culture requires strong organisational change and risk management skills.
Source: Risk Culture