A new imperative for risk culture

August 24, 2018
| Australia

The Royal Commission into the banking, superannuation and financial services sectors has sent corporate Australia scrambling to look into its approach and appetite towards risk culture.

But rather than being seen as something that must be addressed for the benefit of regulators or stakeholders, a good and balanced risk culture can help organisations identify competitive advantage and reduce their total cost of risk.

It comes down to setting the right risk culture. After all, risk is a necessary part of doing business and some risk taking is often needed to create value. Taking an overly cautious approach can result in below-potential growth, while a risk culture that sits high on the spectrum, without a suitable risk management framework in place, can lead to significant losses as well as reputational damage.

Risk culture is a constant presence and an enduring proposition to manage, and this can sometimes be seen as at odds with the pressure from boards and shareholders to achieve shorter-term targets.

So what is risk culture? According to the Institute of Risk Management, it’s the “shared values, beliefs, knowledge, attitudes and understanding about risk” that are built, shaped and reinforced by individuals, groups and leaders within organisations. So far, the Royal Commission has lifted the veil on a number of instances where risk culture is not optimal, as evidenced by flaws in risk behaviour, including inaction where issues were identified.

Part of the “risk culture” is speaking up when you see something wrong, confident that you won’t be blamed and that positive action will be taken to fix the immediate problem, as well as preventative action for the future. Risk culture also needs to be considered as part of the broader organisational culture, in which certain beliefs, behaviours, attitudes and rituals are the norm, and are accepted or even promoted.

The need for a framework

Establishing a consistent and enterprise-wide risk management framework gives leaders the confidence to shape strategy to match desired outcomes.

The role of boards and chief risk officers, as well as other risk specialists, is to clearly articulate a balanced and business-orientated view of risk. Business leaders should also be involved – they need to own this. It is crucial that this view is used as the basis for educating and advising the rest of the organisation and it must come from the business leadership for it to be taken seriously.

To influence and improve risk culture, an organisation must understand both a top-down and bottom-up perspective. This understanding highlights risky behaviours which, if eliminated, will lead to a reduction in, for example, incidents, accidents, fines and claims, reducing the total cost of risk. Risk culture is a fundamental part of a risk management framework, led from the Board down and seen to be “everyone's responsibility”.

Our point-of-view is that risk culture needs to be considered and managed within a broader context:

  • A culture that ensures shared ownership for risk and risk-oriented action
  • A governance structure that recognises the importance of different roles (including front-line)
  • Policies and standards that document and support the framework, and
  • An agreed risk appetite structure (with measures), as well as how economic value is assessed so that transparency and consistency are applied in allocating capital.

The key to effective risk management is to make sure the right people are aware of the right things at the right time. This in turn facilitates effective governance, risk-based decision making, and management of risks within risk appetite. It is important that everyone has the confidence that appropriate action will be taken when risks emerge.

The importance of quantification

Measuring risk culture is important for internal assessment and risk culture management because much of an organisation’s risk culture lies ‘beneath the surface’. Important cultural characteristics may not be immediately apparent but they can be identified, measured and understood using two key assessments.

Individual risk profile

Applying a well-proven psychometric assessment to employee groups that manage risk or represent material risk exposure can help organisations understand their combined risk profile. For example, assessing leadership can help organisations measure their senior management group’s propensity for unduly risky or risk-averse behaviour, and whether the tone set from the top matches the desired risk profile.

Employee risk culture survey

A risk culture survey uncovers the collective impact of employee views and behaviours. A survey enables measurement of key aspects of risk culture and an assessment of findings, in the context of external norms, to identify the drivers of employee risk attitudes, highlight potential risk ‘hotspots’ and answer core questions such as:

  • How safe do employees feel it is to speak up?
  • How do employees view the example set by leaders?
  • How confident are employees that appropriate action will be taken?
  • Do employees feel a sense of personal responsibility for managing risks in the business and do they feel it is necessary to adhere to risk controls?
  • Do performance management or bonus metrics make employees more prone to risky behaviour?

Analysis and reporting tools in these two areas not only provide key insights for senior management but are also suited to engaging and involving line managers in the local risk culture of their own areas of control.

Operational risk culture can also target specific functions. Let’s look at cyber risk as an example – an area of concern for all organisations, but particularly in financial services. While companies make significant investment in infrastructure to defend against external threats, they increasingly recognise their biggest security vulnerability is internal and hiding in plain sight – their employees.

By assessing the actual employee experience, organisations can identify links between their employees’ attitudes, beliefs and behavioural tendencies, and the frequency and severity of incidents. Employees often lack awareness of cybersecurity risks at a basic level – the Willis Towers Watson 2017 Cyber Risk Survey found around 45% of employees believe it’s safe to open any email on their work computer, thinking their company’s central IT systems are their ultimate protection.

The financial benefits for an organisation are clear – a robust mitigation approach and fewer claims will have an impact on insurance premiums and retained costs. In addition, this approach to managing risk will significantly reduce the threat to brand and reputation through the potential for fewer incidents and more impactful communication.

The outcomes

The outcomes can help risk and HR functions identify key interventions that will improve risk culture. In combination with HR data, claims statistics and risk exposure data, the outcomes of the two assessments become more powerful, helping shape targeted interventions that lead to improved risk management and stronger risk cultures. Armed with a better understanding of current risk culture and how it links to key risk factors, leaders and managers can utilise a range of tools to shape their organisation’s risk culture. When you’re looking to evaluate your company’s approach to risk culture, ask yourself:

  • Has your organisation articulated its desired organisational culture, and its risk culture within that?
  • How much attention do your executive leaders give to the elements of the risk management framework we’ve outlined here?
  • Are you measuring your risk culture? If not, why not?
  • Do employees understand and participate in creating the right risk culture, and managing operational risks?
  • Do you need independent assessment of your risk culture to ensure that employees can openly share views and experiences?

Only when you develop a holistic approach to corporate risk culture, ensuring all activities from strategy to communications are correctly aligned, will you influence employee attitudes and behaviours.
