Embedding risk culture

Organisations with a weak risk culture can experience extensive or even catastrophic damage

An observation from the global financial crisis is that organisations with a weak risk culture can experience extensive or even catastrophic damage. Significant investment in risk management people, processes and technology is only part of a sound business risk environment. The key component is the risk culture.

Survey results

According to the Institute of Actuaries of Australia, only half of 250 surveyed organisations have "embedded" a risk culture.

Their survey reported that the main barriers to developing a risk culture are a lack of commitment from the leadership (51%), a poorly defined risk culture (46%) and poor communication to staff (37%).

This survey strengthens the case that if the tone at the top is not supporting risk-based behaviour, it is unlikely that risk management will be adequately valued throughout the organisation.

What is risk culture?

There is no industry-wide accepted definition for risk culture, which can add to the complexity. However, a common definition of risk culture is 'an organisation’s system of ethics, values and risk-based behaviours: from the beliefs of the chair of the board, to the attitudes of the most junior staff members'.

Risk-based behaviours cover the attitudes, beliefs, decisions and actions of board members, executives and all staff. For instance, individuals making decisions on strategy, programs or operations will need to understand the behavioural parameters and level of risk that is acceptable to the organisation.

They will also need to know what is acceptable to them in order to protect the achievement of their objectives. This will enable them to proactively identify and manage risks to an acceptable level in their decision making.

Why is risk culture important?

Risk culture enables ethical and responsible risk-based decisions to be made, such as which business activity, product or service to invest in or which customers or business partners to select. It also ensures that day-to-day operational decisions are made considering the risks and rewards to the organisation.

Investing in risk culture and risk management capabilities helps organisations achieve their strategic and operational objectives. Staff report potential issues that fall outside of risk tolerance and may prevent achievement of those objectives, and they request funding, resources or action to close the gap.

It also includes proactive planning to ensure risk events in the market can be converted into business opportunities. Having a dynamic and systematic governance system to respond to these requests and events is the key to success and competitive advantage.

Assessing business risk culture

Proactive board members, executives, risk and audit leaders assess their business risk culture to gain clarity on the existing status. They define a risk culture vision and have a roadmap on how to achieve that vision.

Common questions:

  • What are the risk-based behaviours of (i) our business leaders and (ii) our staff?
  • Are we aware of and using best practices?
  • Do we have the right strategy?
  • Are we doing the right things, the right way?
  • Do we have the right capabilities?
  • What is the value proposition of a mature risk culture?

Governance Architects has developed and successfully implemented a comprehensive assessment tool that helps organisations answer the above questions and evaluate their risk culture, from the tone at the top to behaviours across all staff.

Below is a short risk culture questionnaire derived from this service. It illustrates just some of the strategic and operational best practices in relation to risk culture. Invite your leaders to join the discussion and kick-start your journey to an improved risk culture.

Do your organisation’s leaders:

  1. Promote moving from a culture of blame to advocating ‘let’s understand our mistakes and learn to support each other’?
  2. Reward those who demonstrate compliance with risk-based behaviour?
  3. Consistently communicate the need and value of a mature risk environment?
  4. Openly discuss and debate risks that will prevent achievement of objectives?
  5. Openly discuss risk policies, appetite and tolerance levels when making decisions?
  6. Ensure that strategy, program and operational process owners proactively identify and manage risks to an acceptable level, in day-to-day decision making?
  7. Ensure proactive planning takes place to convert risk events in the marketplace to business opportunities?
  8. Perceive risk managers as trusted advisors and invite them to provide assurance when they are planning changes to the work environment?

David Roche is principal and founder of Governance Architects. Governance Architects support organisations to evaluate and improve business, risk and IT governance.


Comments

Risk Culture Builder


Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation.

No two people will respond the same way to a situation of risk. The way any person responds to risk is influenced by a number of factors; the main ones are:

• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)

Risk practitioners generally fail to address the underlying human aspect. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response are lacking.

Addressing the aspect of people risk is the only way an organisation can improve the way their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, both the behaviours we want to encourage and the behaviours we want to avoid.

For current thought leadership, see our blog:
http://blogs.zawya.com/Risk%20Culture%20Builder/

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).

  1. Have an incident response plan.
  2. Pre-define your incident response team.
  3. Define your approach: watch and learn or contain and recover.
  4. Pre-distribute call cards.
  5. Forensic and incident response data capture.
  6. Get your users on-side.
  7. Know how to report crimes and engage law enforcement.
  8. Practice makes perfect.
