What is Risk Culture Building?

To start the process of Risk Culture Building, an organisation first needs an accurate picture of its current level of risk culture maturity. Various attempts have been made to do this, and most resort to some kind of questionnaire or checklist linked to a scoring sheet, which is eventually tabulated into an overall score linked to a perceived level of maturity. In some cases organisations call in consultants who use an interview process combined with some of the approaches already mentioned; the outcomes are then debated and agreed upon by consensus with the client.

Although most inputs in any kind of culture maturity assessment are subjective, there is value in using a combination of approaches. Generally, however, the outcome, due to human nature and perception, is always mid-point or average. These processes also fail to identify specific weaknesses or action plans. There is also no standard definition for the different levels of maturity, but, interestingly, most practitioners working on this use the concept of 5 different levels of maturity; this in itself also contributes to most consolidated assessment results ending up at mid-point.

In an attempt to improve the accuracy of these kinds of assessments, Genius Methods, a leading UK consultancy in governance, has recently developed and launched an online assessment tool. The tool uses sets of questions focused on six operational areas within the risk management discipline:

  1. Policies
  2. Processes
  3. People and Organisational Design
  4. Reporting
  5. Management and Control
  6. Systems and Data

One or more of the questions in each operational area is linked to a specific level in the defined 5 levels of risk culture maturity. The questions are not in any sequence that relates to the different levels of maturity, and the user cannot see the underlying mathematical calculations, so the assessment process cannot be manipulated and the outcome cannot be predicted by the user. Various combinations of reporting of the outcomes are produced, but the most important aspect, other than the accurate measurement of the level of maturity, is that by comparing the maturity levels in each of the six operational areas, the organisation can pinpoint the areas in which improvement is needed and focus its action plans accordingly.

The five levels of Risk Culture maturity have been defined in the assessment tool as follows:

· In a bad risk culture, people will NOT do the right things regardless of risk policies and controls

· In a typical risk culture, people will do the right things when risk policies and controls are in place

· In a good risk culture, people will do the right things even when risk policies and controls are not in place

· In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis

· In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation

Each level is paired with an assessment outcome:

· Level 1, Bad Risk Culture: Urgent review required, no progress and possibly no strategy

· Level 2, Typical Risk Culture: Some progress made to establish an ERM Culture, focus and drive ERM Strategy

· Level 3, Good Risk Culture: Below ERM Culture Maturity Average, review implementation process

· Level 4, Effective Risk Culture: Reasonable Level of ERM Culture established, review outcomes and reporting

· Level 5, Ultimate Risk Culture: Mature ERM Culture, focus on continuous improvement and value add



The five levels of maturity in the six operational areas are underpinned by a set of guidance standards to support organisations in formulating their action plans. These guidance principles are built as a result of years of research, supplemented by reviews of most global risk management standards and guidance documents from a number of organisations.

Once an organisation has established the level of maturity in each of the six operational areas within risk management, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented. The risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisation-specific and unique. Risk Culture Building is thus a process of change to instil new behaviours in the workforce, both the behaviours the leadership want to encourage and the behaviours they want to avoid.

Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk, so as to mitigate, control and optimise that risk to the benefit of the organisation.

No two people will respond the same way to a situation of risk. The way any person responds to risk is influenced by a number of factors; the main ones are:

• Nationality & culture
• Childhood experiences (and formative environment) 
• Work ethics, trust & honesty
• Education (and the way it was obtained) 
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death) 

Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, they are worthless if human attitude, acceptance and the desired response are lacking.

Addressing the aspect of people risk is the only way an organisation can improve how its people respond to a situation of risk and the effectiveness of its risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimise risk.

The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour: as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

Every business decision is a RISK decision; what is your level of risk intelligence and how is your Risk Culture?
