What is risk culture? Is it distinct from corporate culture or should risk and corporate cultures be treated as one? Should risk or HR managers own risk culture or work together to establish and strengthen it? How can you encourage your board and leadership to take risk culture seriously, and does risk management effectively influence decision making?
No matter what your industry, risk culture will likely be a fundamental priority, with the above questions cropping up regularly.
You may:
- Have been asked by your executive to conduct a risk culture audit
- Be aware of risk culture issues anecdotally that you wish to address
- Have conducted a culture survey and be reviewing how to effectively apply the findings
- Be struggling to build reporting mechanisms
- Be pondering how to drive an effective risk culture
Earlier this year, we placed risk culture under the microscope to understand how it is being approached and implemented. Here’s what we discovered:
Key learnings
- Risk culture is valued as a concept that produces the right risk outcomes – so long as it is well-defined and embedded within the fabric of an organisation.
- Risk culture can help drive effective decisions from directors to department heads and project owners, and everyone in between.
- However, corporate values of trust, transparency and risk accountability must be identified and clearly aligned with the company’s values.
- We also heard of common misconceptions: culture and risk culture are often narrowly viewed in the context of remuneration, incentives and organisational structure.
- Barriers exist around stakeholder engagement, with the principal challenge of winning over HR (who often own corporate culture) and breaking down political boundaries that may inhibit risk and HR collaboration.
- Then there is the thorny challenge of turning findings from risk culture investigations into action.
Each one of these themes will be reviewed in greater detail as we unpick the risk culture journey and bring you practical tips, as part of our membership service launching in April. As these are being finalised, we’ve rounded up the common threads from our investigation so far. Here are five topics you can expect from our Intelligence section from April onwards.
1. Tools to effectively measure your risk culture
Risk culture is a key indicator of how well a company’s risk management framework has been adopted, as well as the attitudes and behaviours that employees have towards risk. A focused assessment will help identify the current state of an organisation’s risk culture, pinpoint gaps and areas that may require immediate attention or a longer-term, holistic approach. Such assessments provide the basis from which to track cultural change and progress and are often the main starting point of any risk culture project. But canvassing a targeted or enterprise-wide perspective is easier said than done. What methods should we deploy: a quantitative or qualitative approach, or both?
In an upcoming Intelligence article, we review some of the most common approaches, including:
- Employee engagement surveys
- Focused one-on-one interviews
- Focus groups
2. The most valuable risk culture indicators to include in your assessments
A company’s risk culture maturity can be tricky to quantify because it is often based on more ‘qualitative’ issues – tone from the top, attitudes, feelings and behaviours. With this in mind, we review some of the most recommended metrics in an upcoming Intelligence article, and compile an aggregated checklist of the indicators to consider, including:
- Knowledge: the extent to which employees understand the company’s risk appetite and principal risks and how they can affect the company
- Accountability and risk ownership: how well do risk owners understand their role and responsibilities?
- Processes: the extent to which risk monitoring and identification, among other risk processes, are formalised and incorporated within policies and procedures
- Openness: how comfortable do employees feel about raising concerns and reporting poor behaviour and cases of misconduct?
- Corporate values: to what extent is risk management embedded within the company’s strategy and objectives and how well are these areas understood across the enterprise?
3. How to present your risk culture data for optimal impact
What do you do with the data you’ve collated from your surveys, interviews and focus groups? How do you organise the findings, analyse and extract meaning from them? And, crucially, how do you present the results to the leadership and senior management teams in an impactful way?
Matrices, heatmaps, and scorecards are some of the ways in which data is commonly presented by risk managers. Over the next few months, we take a closer look at how they are used in the context of risk culture, with commentary, tips and more.
4. Top tips for getting HR on board
Getting to the stage where you can begin to measure the effectiveness of your risk culture requires buy-in from the stakeholder who owns corporate culture. Generally, this sits with HR, but engagement can be difficult if the value of risk management or the aims of your risk culture project are poorly understood.
Conflicts in opinions can arise over what should be prioritised, the values that should be measured, and the lines of accountability – with the overriding question being, should risk culture be managed by risk managers or remain with HR?
We interview risk managers from various industries to bring you real experiences and tips for winning over HR, in our upcoming series on risk culture.
5. How to audit the risk culture of your audit team
Internal audit can have a positive impact on risk culture – they force a focus on risk and accountability, ensure procedures are adhered to and standards are upheld. But they can also have a negative impact on culture if they are instilling fear or behaving in a way that causes employees to deliver ‘form over function’ risk actions.
Performing an audit of the audit team’s risk culture can be crucial to cementing its risk culture approach, but the process of doing so can be lengthy and challenging. Over the next few months, we will hold interviews and focus groups with risk managers to bring you the lessons learnt in auditing your audit team’s risk culture.
Access to our Intelligence platform will be available from April. To find out more about the benefits of becoming a Member of the Risk Leadership Network, click here.