Now that Risk Practitioners are finally catching on to Risk Culture and Risk Culture Building (way after my first article on People Risk in the old GARP Risk Review Journal back in 2004), we suddenly find a whole bunch of Risk Culture “Experts” talking absolute garbage when it comes to actually doing it.
Let us get the basics right:
Basics No 1: Governance structure: Firstly, the reporting line for the Head of Risk/Chief Risk Officer is directly to the Board. If you run your business by Committees, that would be the Chairperson of the Board Risk Committee; if not, it should be a Non-executive Director who knows something about the management of risk. If risk knowledge is lacking at board level, contact Risk Culture Training and Advisory Services (link below) and request details of the Executive Risk Think-Tank Program.
Secondly, do not appoint your Risk Champions; select them from volunteers (how to do this is covered in the Think-Tank program).
Basics No 2: The Definitions: Before you formulate your own understanding, use these definitions instead:
- “Risk culture is the system of values and behaviours present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” (NC State ERM Initiative)
- “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” (Institute of Risk Management)
And here is the Definition of Risk Culture Building:
- Risk Culture Building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimise risk to the advantage of the organisation.
Basics No 3: The Levels of Maturity:
- Level 1: In a bad risk culture, people do not care and will not do the right things regardless of risk policies, procedures and controls. This generally reflects an environment where risks are managed in silos and people are always “firefighting”, with no clear risk owners, no real communication and weak accountability.
- Level 2: In a typical risk culture, people tend to care more and will do the right things when risk policies, procedures and controls are in place. Risk owners are clearly defined and roles and commitments are understood, but effective awareness is still lacking.
- Level 3: In a good risk culture, people care and will do the right things even when risk policies, procedures and controls are not in place. At this level, there are integrated risk management teams with standardised roles and clear accountabilities, normally controlled by a central function that coordinates all activities.
- Level 4: In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis. There is strong cross-functional teamwork, and employees apply sound judgement in the management of risk. A small central risk management advisory team that understands the enterprise fully supports the business at all levels. Organisations at this level are well prepared for crisis management.
- Level 5: In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimise risks to make informed decisions and build sustainable competitive advantage for the organisation. At this level, organisational and individual performance measures are fully aligned and risk sensitive, and knowledge and skills are upgraded continuously. Such an organisation is agile and designed to adapt to change.
Basics No 4: Assess the Current Level of Maturity and Build the Targeted Action Plans:
To start the process of Risk Culture Building, an organisation first needs an accurate picture of its current level of risk culture maturity. Various attempts have been made to do this; most rely on some kind of questionnaire or checklist linked to a scoring sheet, which is tabulated into an overall score that is then mapped to a perceived level of maturity.
In some instances, organisations call in consultants who use an interview process combined with some of the approaches already mentioned. The outcomes are then debated and agreed upon by consensus with the client. These processes can easily be manipulated to support the perceptions of those in charge, and they also fail to identify the specific weaknesses needed to support targeted action plans.
A full Risk Culture Maturity Assessment must cover the following six operational areas associated with the effective management of risk:
- People and Organisational Design
- Management and Control
- Systems and Data
You have two options:
- The manual process is part of the formal Risk Culture Workshop training (contact Risk Culture Training and Advisory Services through the link below).
- In an attempt to improve the accuracy of these kinds of assessments, a leading UK consultancy developed and launched an online assessment tool that is now commercially available (contact Genius Methods through the link below).
The five levels of maturity in the six operational areas are underpinned by a set of guidance standards to support organisations in formulating their action plans. These standards are the product of years of research, supplemented by reviews of most global risk management standards and guidance documents from a number of organisations.
Basics No 5: What to do next:
Building an Effective Risk Culture requires a detailed method for aligning the structured approach of the innovation framework and the 4-pillar Risk Culture Building approach with the Organisation’s vision and purpose (to be the most trusted and inspiring connector of positive change). This must be done within the context of the existing corporate culture, driven by the Organisation’s Strategic Goals and Objectives, with the aim of realising the key benefits of Risk Culture Building and building sustainable competitive advantage by optimising the management of risk within the Organisation.
Building an effective Risk Culture is much more than changing your organizational culture in line with your Vision, Mission, corporate values and risk appetite; you must also factor in the interests of competing national cultures, sub-cultures, Maslow’s theory of individual self-actualization and the informal groups in the company. The interactions between these are not predictable, and the variables cannot be accurately isolated.
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of individual ownership of risk and personal “conviction”: a state of mind in which human beings own the risks and the process of managing those risks, making well-informed risk decisions because they want to, not because they have to. The aim is to drive value by optimising risk management, rather than a culture of compliance in which people do only what is required.
Basics No 6: Do not try to re-invent the wheel:
In addition to the things already mentioned, the following aspects are fully covered in the Risk Culture Workshop (contact Risk Culture Training and Advisory Services):
- Risk Culture Building approach
- Risk Culture Building Innovation Framework
- Critical Success Factors
- Risk Culture Building Principles
- People Risk Management Framework
Basics No 7: The “do not even think about it” list:
- You can NEVER build an effective Risk Culture if you use the “old” 3 Lines of Defense model or the (even worse) new 3 Lines model
- If you are promoting a “Culture of Compliance” do not waste money attempting to build an effective Risk Culture
- Building an effective Risk Culture is not a “project”, it never stops
- Even a BAD Risk Culture can be STRONG, so stop talking about a strong Risk Culture as a “good” thing
- If you are NOT going to link it to the performance management of each employee, at all levels, forget about it
- You can follow any risk management Framework or Standard to the last letter and still be USELESS at the actual management of risk… just because of culture
- You can be a brilliant CRO in one company and a total failure in the next… just because of culture