Modern risk management is much more about the human factors than about processes, procedures and the following of standards and frameworks; there is no one-size-fits-all. You can follow ISO 31000 to the last letter and still be ineffective at the actual management of risk, purely because of the human factors of conduct and the risk-response decisions made by people.
Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation responds to a given situation of risk, so as to mitigate, control and optimise that risk to the benefit of the organisation.
- In a bad risk culture, people do not care and will not do the right things regardless of risk policies, procedures and controls
- In a typical risk culture, people tend to care more and will do the right things when risk policies, procedures and controls are in place
- In a good risk culture, people care and will do the right things even when risk policies, procedures and controls are not in place
- In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis
- In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimise risks to make informed decisions and build sustainable competitive advantage for the organisation
No two people will respond the same way to a situation of risk. The way any person responds to risk is influenced by a number of factors, the main ones being:
- Nationality & culture
- Childhood experiences (and formative environment)
- Work ethics, trust & honesty
- Education (and the way it was obtained)
- Work experience
- Religion and other spiritual thinking
- Attitude towards life (and death)
Risk practitioners have generally failed to address these underlying human aspects. Since the publication of the Basel Accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced within an effective Enterprise Risk Management Culture. Just like policies, procedures and systems, they are worthless if human attitude, acceptance and the desired response are lacking.
Addressing the aspect of people risk is the only way an organisation can improve how its people respond to a situation of risk and the effectiveness of its risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimise risk.
The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour: as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans accordingly.
To start the process of Risk Culture Building, an organisation first needs an accurate picture of its current level of risk culture maturity. Various attempts have been made to do this, and most rely on some kind of questionnaire or checklist linked to a scoring sheet that is eventually tabulated into an overall score, which is in turn linked to a perceived level of maturity. In some cases organisations call in consultants who use an interview process combined with some of the approaches already mentioned; the outcomes are then debated and agreed upon by consensus with the client.
Although most inputs in any kind of culture maturity assessment are subjective, there is value in using a combination of approaches. Generally, however, the outcome, due to human nature and perception, ends up at the mid-point or average. These processes also fail to identify specific weaknesses or action plans. There is no standard definition of the different levels of maturity either, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, which in itself also contributes to most consolidated assessment results ending up at the mid-point.
In an attempt to improve the accuracy of these kinds of assessments, Genius Methods, a leading UK consultancy in governance, has recently developed and launched an online assessment tool. The tool uses sets of questions focused on six operational areas within the risk management discipline:
- Policies
- Processes
- People and Organisational Design
- Reporting
- Management and Control
- Systems and Data
One or more of the questions in each operational area is linked to a specific level of risk culture maturity within the defined 5 levels. The questions are not arranged in any sequence that relates to the different levels of maturity, and the user cannot see the underlying mathematical calculations, so the assessment process cannot be manipulated and the outcome cannot be predicted by the user. Various combinations of outcome reports are produced, but the most important aspect, other than the accurate measurement of the level of maturity, is that by comparing the maturity levels across the six operational areas, the organisation can pinpoint the areas in which improvement is needed and focus its action plans accordingly.
The five levels of Risk Culture maturity have been defined in the assessment tool as follows:
Level 1, Bad Risk Culture: Urgent review required, no progress and possibly no strategy
Level 2, Typical Risk Culture: Some progress made to establish an ERM Culture, focus and drive ERM Strategy
Level 3, Good Risk Culture: Below ERM Culture Maturity Average, review implementation process
Level 4, Effective Risk Culture: Reasonable Level of ERM Culture established, review outcomes and reporting
Level 5, Ultimate Risk Culture: Mature ERM Culture, focus on continuous improvement and value add
The five levels of maturity in the six operational areas are underpinned by a set of guidance standards to support organisations in formulating their action plans. These guidance principles are the result of years of research, supplemented by reviews of most global risk management standards and guidance documents from a number of organisations.
Once an organisation has established its level of maturity in each of the six operational areas within risk management, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to simply implement a risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented off the shelf: the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisation-specific and unique. Risk Culture Building is thus a process of change to instil new behaviours in the workforce, both the behaviours the leadership wants to encourage and the behaviours it wants to avoid.
Every business decision is a RISK decision; what is your level of risk intelligence and how is your Risk Culture?