What metrics are organisations using to measure risk culture?

Jun 2, 2023

Risk leaders have discussed and shared the metrics they find most useful when monitoring and assessing organisational risk culture, as well as the importance of combining qualitative and quantitative indicators to measure more intangible aspects of culture such as behaviour and psychological safety.


Auditing and improving risk culture is a key priority for several multinational organisations right now, and many are facing similar obstacles. Chief amongst them is the fact that a nebulous concept like “culture” can be difficult to understand, measure and transform.

In the face of these challenges, risk leaders agree that establishing appropriate indicators, and monitoring them closely, are key to effectively identifying where good culture is, and is not, reflected across the business. 

To address this priority for members, we facilitated a series of collaborative meetings where members were able to share the metrics their organisations are using and finding success with. We have also amalgamated these peer insights into a library of more than 80 culture metrics. 

Below, we have captured a wide range of these indicators and explored how risk teams are using them in practice.

Control environment

| Metric | Qualitative/Quantitative | Type | Value | Details of use in practice |
| --- | --- | --- | --- | --- |
| KRIs and thresholds linked to risk appetite | Quantitative | Volume | Connected to behavioural risk and, specifically, tone from the top | Gauged by monitoring the percentage of KRIs that are within the upper and lower limits set to measure risk appetite |
| Automation of key controls | Quantitative | Volume | Percentage of active key controls that are automated | This metric – and any target set – will likely have buy-in and support from IT department to continue pushing the trend |
| Percentage of project risks overdue | Quantitative | Volume | Can be symptomatic of poor change management | Don’t just focus on the headline numbers – ensure background context is evaluated. Needs to be triangulated with other data |

An important lens through which to view the risk culture of the business is to assess its control environment – this is emphasised by the fact that of all the risk culture areas covered by our library of metrics, more indicators are used to measure the effectiveness of controls than any other area.

If controls are not being applied as required within the organisation, which can be determined using both qualitative and quantitative metrics, it is possible to conclude that employees are not sufficiently engaged with risk. For example, the percentage of overdue business continuity plan (BCP) reviews may be a good indication of how well employees are using the latest information on emerging trends and testing exercises to update their BCPs.  

Equally, if there are any recurring issues with specific controls not being applied, as highlighted by audit findings, it is possible to target the relevant areas of the business and raise better awareness of the risks they are facing.

Escalation of risks

| Metric | Qualitative/Quantitative | Type | Value | Details of use in practice |
| --- | --- | --- | --- | --- |
| Perception metric: the extent to which employees know when they need to escalate | Mix | Survey question | Provides feedback on people’s perceptions; good for identifying sub-culture weakness | Can collect data via engagement survey or specific risk culture survey; relies on self-reporting, which can be inaccurate so must be interpreted/analysed correctly (appropriate filtering and sense-checking) |
| Number of whistle-blowing escalations, substantiated or not | Quantitative | Volume | Demonstrates use of confidential escalation channels, which may suggest a willingness to escalate | Many firms have good whistleblowing processes - useful to monitor trends and spikes. Care needed to understand the context |

Risk leaders are using a mixture of qualitative and quantitative indicators to understand the extent to which risks are (or, in some cases, are not) being escalated to senior management. For example, one qualitative measure is to review examples of appropriate risk escalation and use these to positively reinforce good practice to the rest of the organisation. 

It is important to focus on positive examples, as only calling out specific instances where risks have not been escalated properly could have a negative impact on psychological safety. 

A better way to assess where risks are not being escalated appropriately is to review instances where material risks are known but there is insufficient communication or visibility of them at the executive level. A root-cause analysis (see below) of cultural weaknesses should also be performed, as escalation data may be misleading without context; even so, identifying where escalation processes break down can help determine areas for improvement.

Where did these metrics come from? 

Our risk culture metrics library is one of many outputs we have delivered to address the specific priorities of Risk Leadership Network members. By facilitating virtual collaboration, we help our members gain insights from relevant peers who have already tackled a particular issue or challenge so that they can inform, validate and benchmark their approach. 

Root cause of cultural weaknesses

| Metric | Qualitative/Quantitative | Type | Value | Details of use in practice |
| --- | --- | --- | --- | --- |
| Investigation of high-potential incidents / near misses | Mix | Review | Highlighting recurring issues and investigating underlying causes | Repeat events are monitored for trends and investigated to determine if cultural issues are a cause |
| Issues review - evidence of behaviours when issues have been reported such as psychological safety | Qualitative | Review | Good for understanding the root causes of behaviours and environmental factors that support or prevent openness and transparency. Can be used to provide a deeper understanding of other metrics e.g. survey responses and issue volumes | Forensic analysis of past issues based on focus groups and interviews |

As mentioned above, a root-cause analysis seeks to diagnose weaknesses in risk culture and overall business culture, and there are several metrics organisations use as part of this analysis. 

A key example is to investigate certain categories of repeat event (e.g. control failures). As well as monitoring where repeat events are happening most frequently, common trends across these reoccurrences should also be assessed to help the business remedy any cultural factors influencing the problem.

Another approach is to conduct a post-mortem analysis of business decisions that were successful, and those that were not. Again, looking for trends that track across both “good” and “bad” decisions, before feeding that back to the organisation, can solidify lessons learned and instil decision-making behaviours that are backed up by experience, not just estimation. The number of business teams that proactively conduct post-mortems can also reveal the state of a business’s, or business unit’s, risk culture.

Engagement with risk-related training and activities

| Metric | Qualitative/Quantitative | Type | Value | Details of use in practice |
| --- | --- | --- | --- | --- |
| Culture training modules | Quantitative | Volume | Percentage of mandatory or voluntary learning modules completed | Can also track the percentage of training modules completed on time versus incomplete/completed late |
| Risk-related mandatory training completed on time | Quantitative | Volume | Percentage of mandatory or voluntary learning modules completed | Can also track the percentage of training modules completed on time versus incomplete/completed late |

One of the simpler quantitative metrics that many organisations use is risk (or risk culture) training completion rates. While it is important to note that non-completion of training does not necessarily correlate with poor culture – just as the completion of training does not always equate to good understanding – monitoring completion rates can provide an indicator of the level of employee engagement with risk management.

Completion rates can also be applied to other activities to assess culture and engagement levels: for example, the percentage of material risk evaluations completed on time may raise issues with complacency or demonstrate prioritisation of other business activities above risk management. 

When using indicators like this, companies should remember to look beyond headline numbers and always ensure background context is evaluated.


Is risk culture a priority for you? 

Our members are collaborating on several priorities within this area, including developing and leveraging internal culture surveys; creating culture improvement programmes; and getting first-line business managers more involved in risk management roll-out.
