What is risk culture?
A system of values and mandates, and it has to evolve. It has to be embedded. If business presents Wednesday and risk Thursday there needs to be an embedding. Regulations are too prescriptive... when their knowledge of our business is not as rich as it could be.

How do you design and benchmark for risk culture?
It is company specific... a range of options, i.e., a monthly risk meeting with the management and showing metrics to demonstrate what has changed and improved.

How do you keep your management spend for the spirit of the law, not just the letter of the law?
Most firms have to prioritize spending. Regulatory reporting is the letter of the law and the cost of doing business, and internal awareness, monitoring and reporting is more the spirit of the law.

How do you think of risk appetite?
Track and analyze your appetite to lose money. You need to have relative and real performance to see, quantify, demonstrate and decide. Try VaR and stress testing.

How do you manage the risk of having conflicting metrics?
The metric has to have an actionable result, otherwise why pay attention to it.

  • I am new to the site but I couldn't help but make note of the following comment "Track and analyze your appetite to lose money. You need to have relative and real performance to see, quantify, demonstrate and decide. Try VaR and stress testing."

    In addition to VaR and Stress testing, gaining a better understanding of what a manager is really doing 'on your behalf' can help in better managing the risk. On my site, I have posted some of the benefits that fall out of individual trade detail analysis. For those that are interested the site is www.behaviorisk.com .

  • @ Terry, great comments!!

    You are welcome to find the Risk Culture Builders group on LinkedIn and join us there. We also have a page on Facebook for Risk Culture Builders and a blog on Zawya:


  • What I like most about "Risk Culture Builder" and the comments below is I feel it is an accurate picture of where the majority of most business and management are at in today's ever-difficult world of business and management. The chronological sequence of the post is a solid approach.

    In reading the post I could not help but consider that for the general audience the hardest hurdle to overcome in any risk solution has 4 main influences:

    1. Directors' / Executives' ability to grasp the concept of what is Risk and why its acknowledgement and management is essential to today's business, shareholders and owners to ensure their readiness, robustness, alerts, responses and protection for longevity and continued success
    2. The implementation and deployment of ready-built packages thinking that they are the solution or worse just to satisfy a "Tick-the-box" requirement all of which end in poor Business Models & Foundations and often highlight the immaturity of the business and or its management
    3. The inability or desire for Management / Owners / Shareholders to identify the real weight of Administrative Support Services and their base-line contribution or understanding of core business process (Typical 30+ %) - not simply just a cost centre, and the subsequent inability of Management & Business to communicate at common levels and interact in an effort to assess and develop a Risk Model with practical solutions and purposeful controls and reporting
    4. If engaged - A Consultant that acts to the benefit of its client not simply the retainer or longevity of contract, one that is willing to put Management & Business first, one that will stay the path and has the prime objective in challenging their client based on experience and ability to scope multi-level, practical solutions aimed at delivering the right cultural maturity and growing the client and business as they navigate the journey that is often completely foreign to their beliefs or past activity, process or structure

    I trust this is read in the correct context and I can attest to this through my 20 years' experience, backed by the fact that the majority of my client base or businesses I have worked in all have eventually undergone the realisation and discomfort only to wish they had been able to have someone identify it for them and assist far earlier on than when they sought help.

  • Risk Culture Building is defined as the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation.

    No two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by a number of factors, the main ones are:

    • Nationality & culture
    • Childhood experiences (and formative environment)
    • Work ethics, trust & honesty
    • Education (and the way it was obtained)
    • Work experience
    • Religion and other spiritual thinking
    • Attitude towards life (and death)

    Risk practitioners generally failed to address these underlying human aspects in building corporate risk management frameworks and programs. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards & regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response are lacking.

    An effective Risk Management framework must consider the behavior, beliefs and values required to support the defined ERM processes.

    To start the process of Risk Culture Building, an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation. Various attempts have been made to do this and generally most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score which is linked to a perceived level of maturity. In some cases organisations call in consultants who use an interview process combined with some of the attempts already mentioned, the outcomes are then debated and agreed upon by consensus with the client.

    Although most inputs in any kind of culture maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes also fail to identify specific weaknesses or action plans.

    There is also no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, this in itself also contributes to most consolidated assessment results ending up at mid-point.

    In an attempt to improve the accuracy of these kinds of assessments, Horst Simon, in collaboration with Genius Methods, a leading UK consultancy in governance, recently developed and launched an on-line assessment tool. The tool uses sets of questions focused on six operational areas within the risk management discipline:

    1. Policies
    2. Processes
    3. People and Organisational Design
    4. Reporting
    5. Management and Control
    6. Systems and Data

    One or more of the questions in each operational area is linked to a specific level of risk culture maturity in the defined 5 levels of risk culture maturity. The questions are not in any kind of sequence which relates to the different levels of maturity and the user can also not see the underlying mathematical calculations, thus the assessment process cannot be manipulated and the outcome cannot be predicted by the user.

    Various combinations of reporting of the outcomes are produced, but the most important aspect, other than the accurate measurement of the level of maturity, is that by comparing the maturity levels in each of the six operational areas, the organisation can pinpoint the areas in which improvement is needed and focus their action plans accordingly.

    The five levels of Risk Culture maturity have been defined in the assessment tool as follows:
    • In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
    • In a typical risk culture, people will do the right things when risk policies and controls are in place
    • In a good risk culture, people will do the right things even when risk policies and controls are not in place
    • In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
    • In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation
    The five levels of maturity in the six operational areas are underpinned by a set of guidance standards to support organisations in formulating their action plans. These guidance principles are built as a result of years of research, supplemented by reviews of most global risk management standards and guidance documents from a number of organisations.

    Once an organisation has established the level of maturity in each of the six operational areas within risk management, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented, the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisational specific and unique. Risk Culture Building is thus a process of change to instill new behaviours in the workforce, both the behaviours the leadership want to encourage and the behaviours they want to avoid.
    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.
    Life after the crisis - The future of risk management

    The biggest change is shifting organisations from having a rear-view risk focus based on historic data, past events and modeling to a forward-looking perspective of an effective risk culture based on pro-active risk mitigation, scenario analysis and risk optimization.