Risk management identifies, assesses, and manages risk threats and opportunities to a business.
The importance of risk culture within risk management cannot be underestimated.
Risk culture is the values, beliefs, knowledge, attitudes and understanding of risk shared by stakeholders associated with a business.
Associated with risk culture is the business risk appetite – the amount and type of risk a business is willing to accept in pursuit of key objectives.
Risk tolerance reflects the acceptable variation in outcomes linked to key objectives the company seeks to achieve.
Don’t be fearful of risks. Understand them, and manage and minimise them to an acceptable level.Naved Abdali
Risk culture definition
The Institute of Risk Management (IRM) describes a risk culture as the values, beliefs, knowledge, attitudes and understanding of risk shared by a group with a common purpose. This applies to all businesses and organisations, including private companies, public bodies, governments and not-for-profits.
What do we mean by a great risk culture?
Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within a business.
A great risk culture binds the stakeholders, risk management framework and process together to reflect the values, strategic goals and practices; and embed these into a business’ decision-making processes.
What is a great risk culture for a business?
A great risk culture for a business aligns its risks with its key objectives.
The elements of a risk culture framework
The IRM has developed a risk culture framework to help influence an effective risk culture within any organisation.
The diagram simplifies a complex and interrelated set of relationships into a high-level approach to the various influences on risk culture.
Behaviours and personal predisposition to risk
The business may employ people with a different view of risk than the Board. For example, these individuals may be more willing to take risks and break the rules. There may also be a concern that the corporate culture attracts and encourages individuals with a different ethical stance from the Board.
It’s important to note that people are different and come to companies with varying perceptions of bias and risk predisposition.
Personality research identified two traits that contribute to bias – the extent to which people are:
- spontaneous and care less about tradition, or they are organised, systematic and compliant
- cautious, pessimistic and anxious, or optimistic, resilient and fearless
Businesses should pay attention to the ethical profile of their employees. Every individual comes with a mix of moral values concerning different issues. These have a significant influence over the decisions they make on a day-to-day basis. Ethical principles include:
- Obedience – rule compliance, the spirit of the law etc.
- Care – empathy, concern, respect etc.
- Reason – wisdom, experience, prudence etc.
The overall organisational culture affects an individual’s values, beliefs, and attitudes towards risk. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also called the “Double S” model, which considers culture with two dimensions:
- sociability (people focus – based on how well people get on socially)
- solidarity (task focus – based on goal orientation and team performance)
The model identifies four distinct organisational cultures described:
- Networked (high people focus, low task focus)
- Communal (high people, high task)
- Mercenary (low people, high task)
- Fragmented (low people, low task)
Risk culture can be hard to understand because it covers an organisation’s ability to manage risk.
It may seem like a background concept, but business culture influences risk culture. Risk culture is a broad topic because it covers an organisation’s collective ability to manage risk. Still, the more general case of a business’s culture is also influenced by its risk culture, including:
- Attitude – the way an individual or group perceives and deals with risk, influenced by perception, predisposition, and mindset
- Behaviour – observable, risk-related actions, including risk-based decision-making, processes, communications, etc.
- Culture – values, beliefs, knowledge and understanding of the risk a group shares with a common goal. In particular, it is the values, beliefs, knowledge, and understanding shared among leadership and employees
One of the many cultural issues is that people naturally head towards others who share the same culture. An organisation’s culture can self-propagate if recruitment processes and environment remain unchallenged.
Every organisation has a risk culture, or indeed cultures: the question is whether that desired culture effectively supports or undermines the organisation’s long-term success.
What impacts an organisation’s risk culture
The right people
Behavioural risk management refers to controlling and mitigating employee and organisational behaviour risks.
Individual risks are the behaviours of employees and leaders that could open the business up to risk.
Organisational behaviour is collective behaviour, and some of these behaviours could be too high a risk for the business.
A robust regulatory compliance system within effective risk management will considerably impact a business. It will make it less likely to experience risk threat events and ethics violations.
From a health and safety viewpoint, employees have rights and responsibilities for their and colleagues’ well-being.
This is expanded into the risk culture to include risk associated with the business, ensuring the company culture is in and maintains a healthy position.
Senior management involvement
The Board must make effective risk decisions about what they expect from the business.
They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.
What is risk governance?
It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s negative and positive because it analyses and formulates risk management strategies to avoid (threat) or achieve (opportunity) risks.
Accountability is a term known to many but not appreciated for the value that it can bring to an organisation’s long-term success, including safeguarding against irreversible damage and reputational risk.
To make risk accountability practical, the business line must know the acceptable limits on risk-taking.
The accountable person must have the resources and authority to manage the risk.
Issues and escalation
Escalation is the progressive increase in the intensity or spread of risk.
A risk management system must have a process where an increasingly higher level of authorisation is required to approve a continuous tolerance of increasingly higher levels of risk.
A contingency (plan) is designed to reduce the impact if a risk materialises. Consideration should be given to developing contingencies for threats and opportunities against the business risk attitude and risk tolerance.
Assessment and Evaluation
An excellent risk culture will improve risk management performance. Because risk culture often evolves as the organisation grows, it may make sense for organisations to self-assess, survey, and use focus groups and other techniques to understand the current state of risk culture.
The tone of the organisation
The term tone is the combined impact of all stakeholders on risk management. Communication from the Board level will have little effect if the business employees and other stakeholders hear a different message from line managers, supervisory interaction and other contacts daily.
Information often gets distorted as it moves from one management level to another. There is always a greater possibility for contradictions in communication between team members at the organisation’s top, middle, and bottom. Equally, the risk of executive management being unaware of profound financial risks, operational risks and compliance risks that may be of common knowledge to one or more middle managers and employees.
Physical mechanisms driving risk culture
It’s essential to think about the tone of your organisation and how tangible physical mechanisms can help control it. These mechanisms include a risk governance structure, corporate values, code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive programs, risk assessment processes, risk indicator reporting, performance management reviews, reinforcement processes, etc. Companies and boards must examine various risks, including strategic, operational, financial, IT, etc. They must also consider the organisation’s appetite for risk, how the different risks can interact, and how they are managed daily.
Internal attributes driving risk culture
These internal attributes include the attitudes, belief systems and values that drive the organisation’s behaviour, activities and decision-making.
They demand attention while not as quickly seen and understood as physical, tangible mechanisms. For example, how a business handles risk management, control, and audit often manifests in addressing weaknesses, escalating issues, and resolving problems. The method and timely nature, or not, in which such activities are carried out provide information regarding a business’s risk culture. So, too, does leadership’s reaction, or lack of, to warning signs offered by the risk management process.
External attributes driving risk culture
These external characteristics include regulatory requirements and expectations of customers, investors and others.
How an organisation seeks out these requirements and expectations and aligns business processes through actionable improvements reveals its resilience.
Subcultures that impact risk management
In response to a changing business environment, a subculture permits a business to be agile in solving problems, sharing knowledge, and serving customers.
However, they can also lead to rogue actors and risk-taking behaviours that harm the organisation.
Relationship to the overall business culture
A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s culture influences it in many ways. Many argue they are the same thing.
How to improve risk culture
As risk is about future uncertainty, it would seem logical that a desirable risk culture would position the business to be proactive and agile. It should quickly recognise a threat or opportunity and use that knowledge to evaluate its response.
Such a risk culture would give leadership and management a time advantage and better decision-making.
Another example of an attractive risk culture might be maintaining a healthy tension between the business’s activities for creating value and its activities for protecting value. Ideally, one activity must not be disproportionately stronger than the other activity.
Once the current risk culture is assessed, executive management should consider whether any organisational changes are needed and define the steps required to implement change.
In transitioning to the desired risk culture, management should try to achieve the following:
Embed the change in the organisation
Risk culture should be affected through the business’s overall risk governance process.
For example, risk management accountability should be reinforced through committee charters, policies, job descriptions, limit structures, and escalation protocols. To illustrate the importance of responsibility, accountabilities for risk management should be reinforced through committee charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can also support the desired cultural risk behaviour.
Make it a priority for all stakeholders
All stakeholders must support the positive and desired risk culture by demonstrating the desired behaviours through actions and decisions over time and periodically communicating the value contributed by the organisation’s risk culture.
Undertake an integrated approach to the change
If addressed as a stand-alone initiative, change programs with intermittent communication, awareness promotions, and training strategies are mere surface dressing and provide little in the way of a positive cultural change.
When integrated into a comprehensive program that aligns performance expectations, roles, responsibilities, and operational structures with appropriate risk attitude and tolerance, they reinforce the critical aspects of the desired risk culture.
Periodically evaluate progress
Regularly evaluate stakeholders during the change process. Before commencing, you must assess the business and understand the pitfalls to provide a baseline for the initiative. Here are some things to consider before putting things in place:
- Leadership support – Is leadership driving this initiative?
- Ownership of the business’ risk management process – Who is responsible for risk management, including the controlling and mitigating actions?
- Effectiveness of risk management and governance processes – Have the strategies been proven effective?
- Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high-impact events and contingency plans
- Quality of leadership discussions on risk issues and escalated matters – Are these discussions honest, open and transparent?
- Is there a risk appetite statement and risk tolerances in decision-making? Do you measure how many risks were taken in the past year? How does this compare with how many were tolerated?
- Is there alignment and incorporation of risk into strategic planning and direction – Is this aspect handled with care?
Every organisation is different. It is crucial to evaluate the business risk culture and make necessary adjustments to shape it over time in response to internal and external change.
What should now be clear from the article is that any approach to changing risk culture must be carefully planned within the overall business strategy.
The recipe and mix of tools adopted within a business depend on the current situation. There is no perfect answer to how these elements are combined to address the risk culture and maturity of the company. Several techniques can drive risk management adoption and embed a great risk culture.
Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is an important starting point. What can be measured can be managed and, in many ways, is the first step in recognising that risks are real, and we need to take this on board. Accountability is critical in ensuring leadership acts upon this information and makes the most of these insights. These approaches can be reinforced by effective performance risk management.
It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks in an informed manner. However, as seen in the run-up to the financial services crisis of the late noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk.
Finally, communication and training programmes are pivotal in reaching the broader organisation and stakeholders to raise general risk awareness. Clearly defined goals are required for these programmes to ensure they deliver benefits within the overall culture change programme. Goals imply that performance should be tracked over time, hence a move to developing risk culture dashboards.
Business leaders must recognise that changing to a great risk culture requires strong organisational change and risk management skills.
Source: Risk Culture