Are you need IT Support Engineer? Free Consultant

The Essential Elements of a Great Risk Culture What do we mean by a great risk culture? 

  • By vt3a2
  • June 24, 2024
  • 293 Views

Risk culture is the encouraged and acceptable behaviours, discussions, decisions and attitudes  toward taking and managing risk within a business or organization. 

A great risk culture binds the stakeholders, risk management framework and process together to  reflect the values, strategic goals and practices and embed these into a business’ decision-making  processes. 

Organisational Culture 

The overall organisational culture affects an individual’s values, beliefs, and attitudes towards  risk. It’s helpful to employ the sociability vs solidarity model (Goffee and Jones, 1998), also  called the “Double S” model, which considers culture with two dimensions: 

  • sociability (people focus – based on how well people get on socially) 
  • solidarity (task focus – based on goal orientation and team performance)

The model identifies four distinct organisational cultures described: 

  • Networked (high people focus, low task focus) 
  • Communal (high people, high task) 
  • Mercenary (low people, high task) 
  • Fragmented (low people, low task)

Risk culture can be hard to understand because it covers an organisation’s ability to manage risk. 

It may seem like a background concept but business culture influences risk culture. Risk culture  is a broad topic because it covers an organisation’s collective ability to manage risk. Still, the  more general case of a business’s culture is also influenced by its risk culture, including: 

  • Attitude – the way an individual or group perceives and deals with risk, influenced by  perception, predisposition, and mindset 
  • Behaviour – observable, risk-related actions, including risk-based decision-making,  processes, communications, etc. 
  • Culture – values, beliefs, knowledge and understanding of the risk a group shares with a  common goal. In particular, it is the values, beliefs, knowledge, and understanding shared  among leadership and employees 

One of the many cultural issues is that people naturally head towards others who share the same  culture. An organisation’s culture can self-propagate if recruitment processes and environment  remain unchallenged. 

Every organisation has a risk culture, or indeed cultures and the question is whether that desired  culture effectively supports or undermines an organisation’s long-term success.

What impacts an organisation’s risk culture 

The right people 
Behaviour 

Behavioral risk management refers to controlling and mitigating employee and organizational  behaviour risks. Individual risks are the behaviours of employees and leaders that could open the  business up to risk. 

Organizational behavior is collective behaviour and some of these behaviours could be too high a  risk for the business. 

Compliance 

A robust regulatory compliance system within effective risk management will considerably  impact a business. It will make it less likely to experience risk threat events and ethics violations. 

Employees 

From a health and safety viewpoint, employees have rights and responsibilities for their and  colleagues’ well-being. This is expanded into the risk culture to include risk associated with the  business ensuring the company culture is in and maintains a healthy position. 

Senior management involvement 

The Board must make effective risk decisions about what they expect from the business. They  need to communicate their attitude towards risk-taking and risk tolerance and explain the  difference in impact between a successful and unsuccessful risk as measured by target metrics. 

Governance 
What is risk governance? 

It’s the rules, methods, processes, and measures by which we make decisions about risk. It’s  negative and positive because it analyses and formulates risk management strategies to avoid  (threat) or achieve (opportunity) risks. 

Senior management involvement

The Board must make effective risk decisions about what they expect from the business. They  need to communicate their attitude towards risk-taking and risk tolerance and explain the  difference in impact between a successful and unsuccessful risk as measured by target metrics. 

Accountability 

Accountability is a term known to many but not appreciated for the value that it can bring to an  organization’s long-term success, including safeguarding against irreversible damage and  reputational risk. To make risk accountability practical, the business line must know the  acceptable limits on risk-taking. 

The accountable person must have the resources and authority to manage the risk. Issues and escalation 

Escalation is the progressive increase in the intensity or spread of risk. 

A risk management system must have a process where an increasingly higher level of  authorization is required to approve a continuous tolerance of increasingly higher levels of risk. 

A contingency (plan) is designed to reduce the impact if a risk materializes. Consideration  should be given to developing contingencies for threats and opportunities against the business  risk attitude and risk tolerance. 

Assessment and Evaluation 

An excellent risk culture will improve risk management performance. Because risk culture  often evolves as an organization grows, it may make sense for organizations to self-assess,  survey and use focus groups and other techniques to understand the current state of risk culture. 

The tone of the Organization 

The term tone is the combined impact of all stakeholders on risk management. Communication  from the Board level will have little effect if the business employees and other stakeholders hear  a different message from line managers, supervisory interaction and other contacts daily. 

Information often gets distorted as it moves from one management level to another. There is  always a greater possibility for contradictions in communication between team members at the  organization’s top, middle, and bottom. Equally, the risk of executive management being  unaware of profound financial risks, operational risks and compliance risks that may be of  common knowledge to one or more middle managers and employees. 

Physical mechanisms driving risk culture

It’s essential to think about the tone of an organisation and how tangible physical mechanisms  can help control it. These mechanisms include a risk governance structure, corporate values,  code of conduct and ethics statements, policies, procedures, risk oversight activities, incentive  programs, risk assessment processes, risk indicator reporting, performance management reviews,  reinforcement processes, etc. Companies and boards must examine various risks, including  strategic, operational, financial, IT, etc. They must also consider the organisation’s appetite for  risk, how the different risks can interact and how they are managed daily. 

Internal attributes driving risk culture 

These internal attributes include the attitudes, belief systems and values that drive the  organisation’s behaviour, activities and decision-making. 

They demand attention while not as quickly seen and understood as physical, tangible  mechanisms. For example, how a business handles risk management, control and audit often  manifests in addressing weaknesses, escalating issues, and resolving problems. The method and  timely nature, or not, in which such activities are carried out provide information regarding a  business’s risk culture. So, too, does leadership’s reaction, or lack of, to warning signs offered by  the risk management process. 

External attributes driving risk culture 

These external characteristics include regulatory requirements and expectations of customers,  investors and others. 

How an organisation seeks out these requirements and expectations and aligns business  processes through actionable improvements reveals its resilience. 

Subcultures that impact risk management 

In response to a changing business environment, a subculture permits a business to be agile in  solving problems, sharing knowledge, and serving customers. 

However, they can also lead to rogue actors and risk-taking behaviours that harm the  organisation. 

Relationship to the overall business culture 

A positive risk culture does not operate in a vacuum. As previously mentioned, the business’s  culture influences it in many ways. Many argue they are the same thing. 

How to improve risk culture

As risk is about future uncertainty, it would seem logical that a desirable risk culture would  position the business to be proactive and agile. It should quickly recognise a threat or opportunity  and use that knowledge to evaluate its response. 

Such a risk culture would give leadership and management a time advantage and better decision making. 

Another example of an attractive risk culture might be maintaining a healthy tension between the  business’s activities for creating value and its activities for protecting value. Ideally, one activity  must not be disproportionately stronger than the other activity. 

Once the current risk culture is assessed, executive management should consider whether any  organizational changes are needed and define the steps required to implement change. 

In transitioning to the desired risk culture, management should try to achieve the following: Strategies for Achieving the Desired Risk Culture 

Embed the change in the organization 

Risk culture should be affected through a business’s overall risk governance process. For  example, risk management accountability should be reinforced through committee charters,  policies, job descriptions, limit structures, and escalation protocols. To illustrate the importance  of responsibility, accountabilities for risk management should be reinforced through committee  charters, policies, job descriptions, and limit structures. Procedures and escalation protocols can  also support the desired cultural risk behaviour. 

Make it a priority for all stakeholders 

All stakeholders must support the positive and desired risk culture by demonstrating the desired  behaviours through actions and decisions over time and periodically communicating the value  contributed by the organisation’s risk culture. 

Undertake an integrated approach to the change 

If addressed as a stand-alone initiative, change programs with intermittent communication,  awareness promotions, and training strategies are mere surface dressing and provide little in the  way of a positive cultural change.

When integrated into a comprehensive program that aligns performance expectations, roles,  responsibilities, and operational structures with appropriate risk attitude and tolerance, they  reinforce the critical aspects of the desired risk culture. 

Periodically evaluate progress 

Regularly evaluate stakeholders during the change process. Before commencing, it is important  to assess the business and understand the pitfalls to provide a baseline for the initiative. Some of  the key strategic considerations in this regard to consider before putting things in place are as  follows: 

  • Leadership support – Is leadership driving this initiative? 
  • Ownership of the business’ risk management process – Who is responsible for risk  management including the controlling and mitigating actions? 
  • Effectiveness of risk management and governance processes – Have the strategies been  proven effective? 
  • Evidence of crucial business decisions taking risk and solvency into consideration – Consider the consequences of high-impact events and contingency plans • Quality of leadership discussions on risk issues and escalated matters – Are these  discussions honest, open and transparent? 
  • Is there a risk appetite statement and risk tolerances in decision-making? Do you measure  how many risks were taken in the past year? How does this compare with how many  were tolerated? 
  • Is there alignment and incorporation of risk into strategic planning and direction – Is this  aspect handled with care? 

Every organisation is different. It is crucial to evaluate the business risk culture and make  necessary adjustments to shape it over time in response to internal and external change. 

Conclusion 

What should now be clear from the article is that any approach to changing risk culture must be  carefully planned within the overall business strategy. 

The recipe and mix of tools adopted within a business depend on the current situation. There is  no perfect answer to how these elements are combined to address the risk culture and maturity of  an organization. Several techniques can drive risk management adoption and embed a great risk  culture. 

Creating a strong risk culture that encourages honest, open and transparent disclosure of risks is  an important starting point. What can be measured can be managed and, in many ways, is the  first step in recognizing that risks are real and we need to take this on board. Accountability is  critical in ensuring leadership acts upon this information and makes the most of these insights.  These approaches can be reinforced by effective performance risk management.

It’s not about being risk-averse. Great risk culture also enables individuals to take suitable risks  in an informed manner. However, as seen in the run-up to the financial services crisis of the late  noughties, taking inappropriate and unsuitable actions can create immediate and systemic risk. 

Finally, communication and training programmes are pivotal in reaching the broader  organisation and stakeholders to raise general risk awareness. Clearly defined goals are required  for these programmes to ensure they deliver benefits within the overall culture change  programme. Goals imply that performance should be tracked over time, hence a move to  developing risk culture dashboards. 

Business leaders must recognise that changing to a great risk culture requires strong  organisational change and risk management skills.

Leave a Reply

Your email address will not be published. Required fields are marked *