Embedding risk culture

Organisations with a weak risk culture can experience extensive or even catastrophic damage

An observation from the global financial crisis is that organisations with a weak risk culture can experience extensive or even catastrophic damage. Significant investment in risk management people, processes and technology is only part of a sound business risk environment. The key component is the risk culture.

Survey results

According to the Institute of Actuaries of Australia, only half of 250 surveyed organisations have "embedded" a risk culture.

Their survey reported that the main barriers to developing a risk culture are a lack of commitment from the leadership (51%), a poorly defined risk culture (46%) and poor communication to staff (37%).

The survey strengthens the case that if the tone at the top does not support risk-based behaviour, risk management is unlikely to be adequately valued anywhere else in the organisation.

What is risk culture?

There is no industry-wide accepted definition for risk culture, which can add to the complexity. However, a common definition of risk culture is 'an organisation’s system of ethics, values and risk-based behaviours: from the beliefs of the chair of the board, to the attitudes of the most junior staff members'.

Risk-based behaviours cover the attitudes, beliefs, decisions and actions of board members, executives and all staff. For instance, individuals making decisions on strategy, programs or operations will need to understand the behavioural parameters and level of risk that is acceptable to the organisation.

They will also need to know what level of risk is acceptable to them personally in order to protect the achievement of their own objectives. Knowing both enables them to proactively identify risks and manage them to an acceptable level in their decision making.

Why is risk culture important?

Risk culture enables ethical and responsible risk-based decisions to be made, such as which business activity, product or service to invest in or which customers or business partners to select. It also ensures that day-to-day operational decisions are made considering the risks and rewards to the organisation.

Investing in risk culture and risk management capabilities helps organisations achieve their strategic and operational objectives: staff report potential issues that fall outside risk tolerance and may prevent achievement of those objectives, and request the funding, resources or action needed to close the gap.

It also includes proactive planning so that risk events in the market can be converted into business opportunities. A dynamic and systematic governance system for responding to these requests and events is the key to success and competitive advantage.

Assessing business risk culture

Proactive board members, executives, risk and audit leaders assess their business risk culture to gain clarity on the existing status. They define a risk culture vision and have a roadmap on how to achieve that vision.

Common questions:

  • What are the risk-based behaviours of (i) our business leaders and (ii) our staff?
  • Are we aware of and using best practices?
  • Do we have the right strategy?
  • Are we doing the right things, the right way?
  • Do we have the right capabilities?
  • What is the value proposition of a mature risk culture?

Governance Architects has developed and successfully implemented a comprehensive assessment tool which is used as a mechanism to help organisations answer the above questions and evaluate their risk culture, from the tone at the top to behaviours across all staff.

Below is a short risk culture questionnaire derived from this service. It illustrates just some of the strategic and operational best practices in relation to risk culture. Invite your leaders to join the discussion and kick-start your journey to an improved risk culture.

Do your organisation’s leaders:

  1. Promote moving from a culture of blame to advocating ‘let’s understand our mistakes and learn to support each other’?
  2. Reward those who demonstrate risk-based behaviour?
  3. Consistently communicate the need and value of a mature risk environment?
  4. Openly discuss and debate risks that will prevent achievement of objectives?
  5. Openly discuss risk policies, appetite and tolerance levels when making decisions?
  6. Ensure that strategy, program and operational process owners proactively identify and manage risks to an acceptable level, in day-to-day decision making?
  7. Ensure proactive planning takes place to convert risk events in the marketplace to business opportunities?
  8. Perceive risk managers as trusted advisors and invite them to provide assurance when they are planning changes to the work environment?

David Roche is principal and founder of Governance Architects. Governance Architects support organisations to evaluate and improve business, risk and IT governance.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.
