Jon Johal shares his thoughts on embedding risk culture in organisations and how to make this an effective process.
Embedding risk culture is never an easy thing to do. By its very nature, it isn’t tangible and therefore requires thought and vision to be a real strategic enabler. What is clear, over the past few years at least, is that the topic is increasing in importance to Boards and Executive Management. There is little wonder in this really if we consider the business risk and governance failings that have occurred in the recent past.
What is Risk Culture?
When I think of risk culture, I always come back to three things which I feel define it – attitudes, behaviours and values – and how these influence and inform the management of risk within an organisation. Risk culture is a constant for any business, always in play because it reflects the shared values, goals and practices that embed risk into a business’s decision-making processes and risk management into its operating processes.
The basics of risk culture
I think there are two fundamental elements which underpin risk culture:
- Board and Executive ownership. By this, I mean that it is the responsibility of the Board and Executive to define their desired culture, and to set and live the tone that they want to permeate throughout the organisation. To me, this is crucial; it isn’t something that should just be documented and communicated through management layers. Tone should be effectively set at the top and modelled throughout middle management and the operational staff population.
- Robust risk and governance frameworks. This includes corporate values, code of conduct and ethics programs, policies and procedures, the risk governance structure and processes (committees charged with management and oversight of risk), incentive programs and the risk management process (risk assessment, control testing, risk appetite, tolerance and key risk indicator reporting, and assurance activity).
Wrapped around these two elements are the daily operating attitudes which drive risk culture. These include the belief systems and core values that drive behaviour and guide daily activities and decision making throughout the organisation, particularly with respect to strategic pursuits. These attitudes, behaviours and beliefs are rarely tangible but require careful attention. For example, behaviours around risk management and internal control often manifest in how people address audit issues and control weaknesses, and in their confidence in escalating and resolving issues. The timeliness with which these activities are carried out provides a powerful insight into risk culture. So, too, does executive management’s reaction to issues raised by independent risk management and audit functions.
The influence of external factors, such as regulators, investors and customers, should also not be overlooked. All will affect organisational risk culture to a degree as businesses attempt to align their operations to the requirements of multiple stakeholders.
Embedding Risk Culture
The one key enabler to effectively embed risk culture in any organisation is vision. Once again, we look to the most senior levels to develop a desired state for the organisation’s risk culture: a clear target which management can work towards. This is where risk management starts to interplay quite heavily with corporate strategy, effectively pinpointing the healthiest level of tension between the organisation’s entrepreneurial activities to create growth and enhance value, and its activities to protect enterprise value. In short, this means identifying and working towards the environment which allows business growth and risk management to work together harmoniously.
Once this target is known, an assessment of the current risk culture should be completed. There are many ways this can be done: through surveys (internal or external) targeted at a broad spectrum of the staff population, for example, or through assurance reviews (by independent risk management and/or internal audit functions). I personally think the most valuable assessments are those where all elements of the business (all three lines of defence) are engaged in assessing risk culture. When you consider the data points available in any business, it should be fairly straightforward for the first line of defence to conduct a risk culture self-assessment, which, coupled with outputs from second and third line assurance activity, can provide invaluable snapshots through different lenses. To facilitate effective assessments, there needs to be a defined framework in place. As a minimum, any assessment of risk culture ought to include the following:
- Level of Board and Executive Management ownership, and discussion and escalation of risk issues.
- Business ownership of risk management.
- Strategic / decision-making:
  - Alignment and incorporation of risk into strategic planning.
  - Evidence of key business decisions taking risk into consideration, learning from failure and associated read-across across the organisation.
  - Use of risk appetite to inform decision making.
- Risk management framework:
  - Effectiveness of risk management and governance processes.
  - Quality and availability of risk subject matter expertise (SME), skills and resources.
However the assessment is conducted, what is critical is assimilating it all for Executive Management (and Board) governance. The key thing is for Executive Management to digest these assessments and develop actions (which they own!) which should form part of the next assessment process. The desire here is not to make risk culture assessments ‘a thing’ which happens annually and then disappears. Rather, it is an ongoing process where management seek to hold themselves to account by assessing and implementing actions as they move towards their desired state, improving and refining iteratively. Organisations should be constantly evaluating their risk culture and re-evaluating the associated targets to allow them to proactively address downstream challenges.