Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within a business or organization.
A great risk culture binds the stakeholders, risk management framework and process together to reflect the values, strategic goals and practices and embed these into a business’ decision-making processes.
Organisational Culture
The overall organisational culture affects an individual’s values, beliefs, and attitudes towards risk. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also called the “Double S” model, which considers culture with two dimensions:
- sociability (people focus – based on how well people get on socially)
- solidarity (task focus – based on goal orientation and team performance)
The model identifies four distinct organisational cultures described:
- Networked (high people focus, low task focus)
- Communal (high people, high task)
- Mercenary (low people, high task)
- Fragmented (low people, low task)
Risk culture can be hard to understand because it covers an organisation’s ability to manage risk.
It may seem like a background concept but business culture influences risk culture. Risk culture is a broad topic because it covers an organisation’s collective ability to manage risk. Still, the more general case of a business’s culture is also influenced by its risk culture, including:
- Attitude – the way an individual or group perceives and deals with risk, influenced by perception, predisposition, and mindset
- Behaviour – observable, risk-related actions, including risk-based decision-making, processes, communications, etc.
- Culture – values, beliefs, knowledge and understanding of the risk a group shares with a common goal. In particular, it is the values, beliefs, knowledge, and understanding shared among leadership and employees
One of the many cultural issues is that people naturally head towards others who share the same culture. An organisation’s culture can self-propagate if recruitment processes and environment remain unchallenged.
Every organisation has a risk culture, or indeed cultures and the question is whether that desired culture effectively supports or undermines an organisation’s long-term success.
What impacts an organisation’s risk culture
The right people
Behaviour
Behavioral risk management refers to controlling and mitigating employee and organizational behaviour risks. Individual risks are the behaviours of employees and leaders that could open the business up to risk.
Organizational behavior is collective behaviour and some of these behaviours could be too high a risk for the business.
Compliance
A robust regulatory compliance system within effective risk management will considerably impact a business. It will make it less likely to experience risk threat events and ethics violations.
Employees
From a health and safety viewpoint, employees have rights and responsibilities for their and colleagues’ well-being. This is expanded into the risk culture to include risk associated with the business ensuring the company culture is in and maintains a healthy position.
Senior management involvement
The Board must make effective risk decisions about what they expect from the business. They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.
Governance
What is risk governance?
It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s negative and positive because it analyses and formulates risk management strategies to avoid (threat) or achieve (opportunity) risks.
Senior management involvement
The Board must make effective risk decisions about what they expect from the business. They need to communicate their attitude towards risk-taking and risk tolerance and explain the difference in impact between a successful and unsuccessful risk as measured by target metrics.
Accountability
Accountability is a term known to many but not appreciated for the value that it can bring to an organization’s long-term success, including safeguarding against irreversible damage and reputational risk. To make risk accountability practical, the business line must know the acceptable limits on risk-taking.
The accountable person must have the resources and authority to manage the risk. Issues and escalation
Escalation is the progressive increase in the intensity or spread of risk.
A risk management system must have a process where an increasingly higher level of authorization is required to approve a continuous tolerance of increasingly higher levels of risk.
A contingency (plan) is designed to reduce the impact if a risk materializes. Consideration should be given to developing contingencies for threats and opportunities against the business risk attitude and risk tolerance.
Assessment and Evaluation
An excellent risk culture will improve risk management performance. Because risk culture often evolves as an organization grows, it may make sense for organizations to self-assess, survey and use focus groups and other techniques to understand the current state of risk culture.
The tone of the Organization
The term tone is the combined impact of all stakeholders on risk management. Communication from the Board level will have little effect if the business employees and other stakeholders hear a different message from line managers, supervisory interaction and other contacts daily.
Information often gets distorted as it moves from one management level to another. There is always a greater possibility for contradictions in communication between team members at the organization’s top, middle, and bottom. Equally, the risk of executive management being unaware of profound financial risks, operational risks and compliance risks that may be of common knowledge to one or more middle managers and employees.
Physical mechanisms driving risk culture
It’s essential to think about the tone of an organisation and how tangible physical mechanisms can help control it. These mechanisms include a risk governance structure, corporate values, code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive programs, risk assessment processes, risk indicator reporting, performance management reviews, reinforcement processes, etc. Companies and boards must examine various risks, including strategic, operational, financial, IT, etc. They must also consider the organisation’s appetite for risk, how the different risks can interact and how they are managed daily.
Internal attributes driving risk culture
These internal attributes include the attitudes, belief systems and values that drive the organisation’s behaviour, activities and decision-making.
They demand attention while not as quickly seen and understood as physical, tangible mechanisms. For example, how a business handles risk management, control and audit often manifests in addressing weaknesses, escalating issues, and resolving problems. The method and timely nature, or not, in which such activities are carried out provide information regarding a business’s risk culture. So, too, does leadership’s reaction, or lack of, to warning signs offered by the risk management process.
External attributes driving risk culture
These external characteristics include regulatory requirements and expectations of customers, investors and others.
How an organisation seeks out these requirements and expectations and aligns business processes through actionable improvements reveals its resilience.
Subcultures that impact risk management
In response to a changing business environment, a subculture permits a business to be agile in solving problems, sharing knowledge, and serving customers.
However, they can also lead to rogue actors and risk-taking behaviours that harm the organisation.
Relationship to the overall business culture
A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s culture influences it in many ways. Many argue they are the same thing.
How to improve risk culture
As risk is about future uncertainty, it would seem logical that a desirable risk culture would position the business to be proactive and agile. It should quickly recognise a threat or opportunity and use that knowledge to evaluate its response.
Such a risk culture would give leadership and management a time advantage and better decision making.
Another example of an attractive risk culture might be maintaining a healthy tension between the business’s activities for creating value and its activities for protecting value. Ideally, one activity must not be disproportionately stronger than the other activity.
Once the current risk culture is assessed, executive management should consider whether any organizational changes are needed and define the steps required to implement change.
In transitioning to the desired risk culture, management should try to achieve the following: Strategies for Achieving the Desired Risk Culture
Embed the change in the organization
Risk culture should be affected through a business’s overall risk governance process. For example, risk management accountability should be reinforced through committee charters, policies, job descriptions, limit structures, and escalation protocols. To illustrate the importance of responsibility, accountabilities for risk management should be reinforced through committee charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can also support the desired cultural risk behaviour.
Make it a priority for all stakeholders
All stakeholders must support the positive and desired risk culture by demonstrating the desired behaviours through actions and decisions over time and periodically communicating the value contributed by the organisation’s risk culture.
Undertake an integrated approach to the change
If addressed as a stand-alone initiative, change programs with intermittent communication, awareness promotions, and training strategies are mere surface dressing and provide little in the way of a positive cultural change.
When integrated into a comprehensive program that aligns performance expectations, roles, responsibilities, and operational structures with appropriate risk attitude and tolerance, they reinforce the critical aspects of the desired risk culture.
Periodically evaluate progress
Regularly evaluate stakeholders during the change process. Before commencing, it is important to assess the business and understand the pitfalls to provide a baseline for the initiative. Some of the key strategic considerations in this regard to consider before putting things in place are as follows:
- Leadership support – Is leadership driving this initiative?
- Ownership of the business’ risk management process – Who is responsible for risk management including the controlling and mitigating actions?
- Effectiveness of risk management and governance processes – Have the strategies been proven effective?
- Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high-impact events and contingency plans • Quality of leadership discussions on risk issues and escalated matters – Are these discussions honest, open and transparent?
- Is there a risk appetite statement and risk tolerances in decision-making? Do you measure how many risks were taken in the past year? How does this compare with how many were tolerated?
- Is there alignment and incorporation of risk into strategic planning and direction – Is this aspect handled with care?
Every organisation is different. It is crucial to evaluate the business risk culture and make necessary adjustments to shape it over time in response to internal and external change.
Conclusion
What should now be clear from the article is that any approach to changing risk culture must be carefully planned within the overall business strategy.
The recipe and mix of tools adopted within a business depend on the current situation. There is no perfect answer to how these elements are combined to address the risk culture and maturity of an organization. Several techniques can drive risk management adoption and embed a great risk culture.
Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is an important starting point. What can be measured can be managed and, in many ways, is the first step in recognizing that risks are real and we need to take this on board. Accountability is critical in ensuring leadership acts upon this information and makes the most of these insights. These approaches can be reinforced by effective performance risk management.
It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks in an informed manner. However, as seen in the run-up to the financial services crisis of the late noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk.
Finally, communication and training programmes are pivotal in reaching the broader organisation and stakeholders to raise general risk awareness. Clearly defined goals are required for these programmes to ensure they deliver benefits within the overall culture change programme. Goals imply that performance should be tracked over time, hence a move to developing risk culture dashboards.
Business leaders must recognise that changing to a great risk culture requires strong organisational change and risk management skills.