Tough to measure and tricky to implement, how can organisations bolster risk culture?

Tough to measure and tricky to implement, how can organisations bolster risk culture?

The latest StrategicRISK Global Benchmarking Risk survey, revealed the extent to which risk culture has rocketed up the risk agenda.

Asked where risk professionals would be focusing their efforts going forward, the top three priorities – according to survey respondents – were risk culture (40%), risk appetite (36%) and ESG and sustainability risk (32%).

The fact that risk culture now sits atop many risk leaders’ priority list means a period of significant cultural change is brewing.

Coming so soon after the troubles at Credit Suisse, this would appear timely. An independent report commissioned in the aftermath of the collapse of hedge fund Archegos zeroed in on the Investment Banking team’s lack of ‘accountability’ and ’responsibility’, for instance.

Risk culture itself is centred on the importance of shared values, beliefs, behaviours, and attitudes within an organisation. A common thread which sows a business together.

A study by the Institute of Internal Auditors Research Foundation found that organisations with a strong risk culture had a significantly lower likelihood of experiencing a significant risk event than those with a weak risk culture.

So how can risk managers get it right?

Why risk culture matters

According to Garry Marling, CEO of Culture Radar, risk culture is important because it can impact the effectiveness of an organisation’s risk management practices and, ultimately, its ability to achieve its objectives.

“A strong risk culture ensures that risk management is integrated into all levels of an organisation, from top leadership to front-line employees, and that risk management practices are consistently applied throughout the organisation,” he says.

Risk culture is a subset of broader corporate culture. But “what is so special about risk culture that it needs to be called out?” asks risk consultant Bryan Whitefield.

“I answer the question by defining risk culture as ‘a culture based on values-based decision making with a strong awareness of the impact of personal and team bias’. In other words, a culture where decision making takes into account the values of the organisation, and leaders take steps to manage bias.”

For Ryan Swann, founder at RiskSmart, risk culture is important because risk management is really about informed decision making, learning from mistakes and incidents, and understanding what boundaries within a business.

“If you promote a culture that recognises this and is open and transparent to continuing to do the best it can, then this adds immense credibility, trust and confidence with customers, colleagues and the community,” he says.

The old saying that ‘culture eats strategy for breakfast’ is equally true when considering the importance of risk culture.

“A brilliant risk framework can clearly enhance and enable a healthy risk culture to guide decision making, but if the culture towards engaging with risk is poor – whether too reckless or too conservative – a framework and process will not effectively remedy that,” said Peter Duffy, director – enterprise risk, at consultancy Battleground.

Can you measure it?

Despite the industry-wide focus on risk culture, when it comes it measuring it, matters become complicated.

“When I run sessions on risk culture for teams I use examples of where things have gone so wrong the result was an enquiry and a report, such as by a regulator. I quote from the report, emphasising how easy it was for the author to articulate the culture that pervaded in the lead up to the poor decision making,” says Whitefield.

“Having said that, the methods I am most familiar with are surveys with quantitative analysis and qualitative independent assessments by internal audit, or an external party using a pre-agreed methodology to maintain consistency across teams.”

But while it can be relatively easy in hindsight to describe a company’s risk culture, or the weaknesses in it, there is no single way to measure it. Rather it is a combination of several aspects, often stemming from looking for key indicators.

“Does the business have open communication channels? Does it praise people when they raise problems or concerns? Do board minutes talk about customer outcomes and the wider community impact or are they just financial focused? Can the business articulate what its risk are and are they tracking their performance?” says Swann.

Risk management platforms can help too, as they allow risk managers to track incidents, issues, controls and risks. This gives demonstrable evidence whether risks are being managed proactively.

But there is no escaping that it can be a complex and challenging task.

Improving risk culture

Without doubt, the biggest impact on culture is what the executive team does, not what it says.

“If executives are missing in action when the risk workshop is run or ignores the provided risk assessment along with a business case, you know it is not important to them and so it will not be important to those who report to them,” says Whitefield.

“Another method is to write down a list of poor decisions and ask of each one: did the decision making align to our values? If not, how did it not? And finally, how can we learn a lesson from this that can be shared across the organisation.”

Improving risk culture within an organisation is an ongoing process that requires commitment from all levels of the organisation.

“An organisation can only see improvement in its risk culture if it knows where it is now and where it wants to be,” adds Marling.

  • Set a clear tone from the top. Leaders must demonstrate a strong commitment to risk management and set the tone for a culture that values risk management. This can include promoting open communication, emphasising the importance of risk management, and leading by example.
  • Foster a culture of learning. Organisations should encourage a culture of continuous learning and improvement by promoting training and development opportunities for employees at all levels. This can help build knowledge and skills related to risk management and promote a culture of open communication and collaboration.
  • Align incentives with risk management. Organisations should align incentives and rewards with behaviours that support effective risk management. This can include tying bonuses and other incentives to risk management goals and metrics and ensuring that performance evaluations reflect an individual’s contributions to risk management.
  • Encourage open communication: Organisations should encourage open communication and collaboration among employees at all levels. This can include promoting a culture of discussing risks and encouraging employees to report potential issues or concerns.
  • Monitor and measure risk culture: A business should regularly monitor and measure their risk culture to identify areas of strength and weakness. This can include using surveys, focus groups, and other tools to gather employee and stakeholder feedback.

Topics