An observation from the global financial crisis is that organisations with a weak risk culture can experience extensive or even catastrophic damage. Significant investment in risk management people, processes and technology is only part of a sound business risk environment. The key component is the risk culture.
According to the Institute of Actuaries of Australia, only half of 250 surveyed organisations have "embedded" a risk culture.
Their survey reported that the main barriers to developing a risk culture are a lack of commitment from the leadership (51%), a poorly defined risk culture (46%) and poor communication to staff (37%).
This survey strengthens the case that if the tone at the top is not supporting risk-based behaviour, it is unlikely that risk management will be adequately valued throughout the organisation.
What is risk culture?
There is no industry-wide accepted definition for risk culture, which can add to the complexity. However, a common definition of risk culture is 'an organisation’s system of ethics, values and risk-based behaviours: from the beliefs of the chair of the board, to the attitudes of the most junior staff members'.
Risk-based behaviours cover the attitudes, beliefs, decisions and actions of board members, executives and all staff. For instance, individuals making decisions on strategy, programs or operations will need to understand the behavioural parameters and level of risk that is acceptable to the organisation.
They will also need to know what is acceptable to them in order to protect the achievement of their objectives. This will enable them to proactively identify and manage risks to an acceptable level in their decision making.
Why is risk culture important?
Risk culture enables ethical and responsible risk-based decisions to be made, such as which business activity, product or service to invest in or which customers or business partners to select. It also ensures that day-to-day operational decisions are made considering the risks and rewards to the organisation.
Investing in risk culture and risk management capabilities assists organisations to achieve their strategic and operational objectives. This is done by staff reporting potential issues that fall outside of risk tolerance, that may prevent achievement of those objectives and request funding, resources or action to close the gap.
It also includes proactive planning to ensure risk events in the market can be converted into business opportunities. Having a dynamic and systematic governance system to respond to these requests and events is the key to success and competitive advantage.
Assessing business risk culture
Proactive board members, executives, risk and audit leaders assess their business risk culture to gain clarity on the existing status. They define a risk culture vision and have a roadmap on how to achieve that vision.
- What are the risk-based behaviours of (i) our business leaders and (ii) our staff?
- Are we aware of and using best practices?
- Do we have the right strategy?
- Are we doing the right things, the right way?
- Do we have the right capabilities?
- What is the value proposition of a mature risk culture?
Governance Architects has developed and successfully implemented a comprehensive assessment tool which is used as a mechanism to help organisations answer the above questions and evaluate their risk culture, from the tone at the top to behaviours across all staff.
Below is a short risk culture questionnaire derived from this service. It illustrates just some of the strategic and operational best practices in relation to risk culture. Invite your leaders to join the discussion and kick-start your journey to an improved risk culture.
Do your organisation’s leaders:
- Promote moving from a culture of blame to advocating ‘let’s understand our mistakes and learn to support each other’?
- Reward those who demonstrate compliance with risk based behaviour?
- Consistently communicate the need and value of a mature risk environment?
- Openly discuss and debate risks that will prevent achievement of objectives?
- Openly discuss risk policies, appetite and tolerance levels when making decisions?
- Ensure that strategy, program and operational process owners proactively identify and manage risks to an acceptable level, in day-to-day decision making?
- Ensure proactive planning takes place to convert risk events in the marketplace to business opportunities?
- Perceive risk managers as trusted advisors and invite them to provide assurance when they are planning changes to the work environment?
David Roche is principal and founder of Governance Architects. Governance Architects support organisations to evaluate and improve business, risk and IT governance.