Risk culture or culture risk?

The term “risk culture” has created significant buzz globally over the past few years. In Australia this term has become more prominent over the past year, given the focus from both the Royal Commission into Financial services and the Australian Prudential Regulatory Authority (APRA) self-assessments of governance, accountability and culture.

Risk teams in large organisations have been trying to implement methodologies to demonstrate that their organisations have an acceptable “risk culture”, or are taking action to address unacceptable “risk culture”. However, the term “risk culture” has not been defined and general ambiguity remains on how to resolve this issue. Consequently, the recent APRA Information Paper: “Self-assessments of governance, accountability and culture” stated : “Risk culture is not well understood and therefore may not be re-enforcing the desired behaviours.” This statement in itself is ambiguous – it focuses on desired behaviours which influence risk outcomes. If this is the case, this statement implies that behaviours impacting risk outcomes are not well understood in organisations and therefore, are not being strategically addressed. This is in our opinion behavioural/culture risk.

In this article, we will try to unpack the meaning of “risk culture” and assess whether the role of risk teams is to measure “risk culture” or culture risk.

Current methodologies being used to measure “risk culture”

Several methods have been developed by Risk teams (often in consultation with human resources) to measure “risk culture”. The two most common methods are:

• Assessing the maturity of risk frameworks and how these support business decisions. Interestingly, these are the methods put in place to enhance non-financial risk governance and have been highly criticised as being “tick box” activities that have limited practical relevance in day-to-day risk management.
• Forming insights from staff surveys, generally led by human resource departments. In some cases a “risk culture index” comprising a small number of risk culture questions have been added to staff surveys, giving organisations some comfort that they have a defensible position for measuring “risk culture”.

Unpacking these methods a bit more…

Assessing the maturity of risk frameworks and how these support business decisions

Despite heavy investment in governance, risk and compliance systems worldwide, improved understanding of operational risk and compliance, an increased understanding of non-financial risk by business leaders, things are still going wrong. Companies are finding their way into investigations, regulatory enforcement actions, reputational harm, scandals or worse.

Modern risk management still focuses on the processes and system people work with, not the environment they work within.

Some of the disconnect between risk management frameworks and the topic of culture include:

• Risk management frameworks are often technical in nature and do not resonate with people in the business who day-to-day business decisions.
• Business leaders accountable for investing in controls to mitigate their risks find that they often cannot link their control spend to data in risk management framework artifacts.
• Business representatives often perceive risk management framework compliance as a ‘tick box’ exercise to satisfy Risk teams, auditors and regulators.

There is little, if any, alignment between these activities and culture. Traditional risk teams do not have skills in organisational culture and generally lack substantial data points to measure behaviour which has been found too often to be the root determinant of Risk. So, to objectively manage culture using evidence-based techniques, behaviours within teams should be a prominent component of Risk measures.

Insights from staff surveys

Many organisations currently use a single source of data to measure “risk culture”, forming conclusions based on a limited set of questions (perceived to be risk related) in employee staff surveys.

We have observed that organisations tend to follow this approach when Risk tries to over-collaborate with Human Resources in measuring “risk culture”. Risk and human resources often collaborate because Risk teams are trying to solve a problem (measuring something culture-related) when they do not have skills in organisational culture.

In our opinion, some of the limitations associated with this approach include:

• “Risk culture” indexes from staff surveys may lack statistical validity when a limited number of questions are used to measure “risk culture”.
• Staff surveys generally focus on assessing whether employees in an organisation are engaged. Cultural factors that engage employees may be different to cultural factors that support risk management. Think about an example where there may be a disconnect between cultural factors that drive engagement and cultural factors that drive good risk management. An organisation may have great flexibility, keeping people engaged. If there is an aggressive sales culture within a team (attribute not generally assessed by the staff survey), staff may do anything to meet sales targets because they love working for the organisation, even if it means doing the wrong thing for customers. Most organisations do not triangulate multiple data points to identify this disconnect when solely relying on “risk culture” measures from a staff survey.
• There is generally limited engagement with teams following completion of these surveys. This impacts organisations’ ability to understand the underlying causes of culture insights. Surveys only provide an indication of strengths and challenges. When limited further action is taken to understand the environment within which teams work, the underlying cause of problems are often not well understood and therefore cannot be addressed.

In the recent APRA Information Paper identified above, it was highlighted that a single data source from a survey is insufficient for measuring risk culture. Take an example of a typical “risk culture” question in staff surveys, such as ability to speak up without fear of reprisal. If there is a culture where people are afraid to raise issues about inappropriate investment in systems that impact their ability to make responsible decisions, there is an increased risk that inappropriate decisions get made. This is culture risk.

 

 

Helping Risk teams fulfill their accountability

Whilst the buzz has been around “risk culture”, we believe that global regulators, particularly in the financial services sector, have been explicit in their views that many of the issues that have emerged are rooted in “culture”. Perhaps the underlying ask of risk teams is that they enhance the sophistication of their structures and methodologies to measure culture risk.

If this is the case, a more human-centred approach to risk management will be required in the future. We are seeing some emerging shifts in the way Risk teams are responding to this challenge around measuring culture. Some examples include:

• The skills in Risk teams are slowly starting to become more diversified. People who have skills in organisational culture/behavioural science are supplementing teams with traditional Risk experience.
• Shifting risk management oversight to focus as much on people as they do documents and data. Risk managers with culture skillsets mentioned above are interacting with employees across roles and job grades to measure the cultural factors that influence day-to-day decision making.
• Multiple data points are being used to objectively measure culture risk. Specifically, insights from evidence-based measurement such as behavioural card sorting exercises and focus groups are helping identify culture risk indicators that give insight into how things go wrong from a behavioural standpoint. Importantly, these data points should then be triangulated with traditional risk and control data, other business data such as sales patterns and potentially other data from staff surveys.
• Culture risk insights are providing rich information about some of the underlying root cause of risk issues that have occurred. Culture risk insights are also showing up as leading risk indicators that require attention from management (and sometimes Boards).

If culture risk is another example of a “non-financial” risk that should be measured in order to form a view of an organisation’s risk environment, it is important that there are strong links between culture and risk management outcomes. Organisation’s that try to measure where their culture sits against some random aspirational cultural attributes may struggle to make traction in demonstrating the link between culture and effective risk management outcomes.

Where is risk governance becoming more sophisticated?

Over the past few months, the Australian Securities and Investments Commission (ASIC) has placed an organisational psychologist who specialises in culture risk into board rooms of some of Australia’s largest companies.

This is a strong example of the regulator ‘walking the talk’, by shifting the way it oversees organisations. ASIC is demonstrating that it may no longer be relevant to assess Board effectiveness by simply reading documents such as board agendas, information packs and minutes of meetings. ASIC is observing the behaviours of decision-makers at the top of an organisation to assess the cultural attributes that could expose the organisation to unintended risk. This is a practical example of a mechanism to measure culture risk.

Conclusion

Despite increased focus on “risk culture” over the past few years, confusion remains as to what this means in Risk teams. Evidence is suggesting that there is an expectation for Risk managers to objectively measure culture risk with well-substantiated evidence. When this has been done successfully, relevant professionals across the organisation have taken action to address challenges that exist (for example, Human Resources have been allocated responsibility for implementing strategies to address leadership challenges that impact risk management outcomes).

In order to continuously mature some of these practices, it is important that Risk managers strategically re-set some of their approaches to measuring this class of non-financial risk. Evidence suggests that some of the current practices identified above are not being explicitly endorsed by regulators and risks directly related to behaviour continue to emerge.

We think that the recent move by ASIC in Australia has been a very powerful symbol of regulators’ expectations of risk governance. If this hypothesis is accurate, we may find that non-financial risk governance and “risk culture” may no longer be de-coupled. What may start to emerge are new ways of measuring and managing risk where there is less dependence on “risk data” on dashboards and a more holistic view of risk management, encapsulating a point of view on prevalent behaviours that influence risk-based decisions in teams, business units and organisations.

Gavin Freeman is a Director of the Business Olympian Group, a boutique risk advisory firm. Gavin is an organisational psychologist who has worked with Risk teams across multiple industries for a number of years focusing on the psychology of risk. Gavin has a keen interest in behavioural risk and the impact this has on decision making in teams and organisations.

Gavin@businessolympian.com.au