Risk culture generally is accepted as a subset of organisational culture.
Its assessment has been dominated by a focus on perceived risk behaviours. This has its limitations, and it’s time that assessment of risk-culture maturity looked beyond behaviours and gave equal recognition to how organisations determine accountabilities for risk and the tools and processes that enable, support — and sometimes impede — consideration of risk in decision-making.
Risk culture — a pragmatic definition
While an academic and technical definition of risk culture may include words and phrases such as ‘norms, attitudes and behaviours’, pragmatically, a good risk culture can be succinctly and meaningfully expressed as ‘the right people doing the right things in the right way’.
- ‘The right people’ refers to roles and responsibilities in relation to managing risk — WHO does what.
- ‘The right things’ relates to processes and frameworks used to manage risk — WHAT we do.
- ‘The right way’ refers to the behaviours brought to the activities of managing risk — HOW we behave.
Only when all three dimensions are strongly embedded can an organisation claim that its risk culture is mature.
Measuring risk culture
Many organisations have developed, or are developing, internal capabilities to assess risk behaviours.
Organisational staff-engagement surveys record staff perceptions of how well risk-culture behaviours are embedded.
Internal audit functions are increasingly undertaking behavioural-risk reviews to provide insights on practices that could give rise to future risks. These tend to be ‘deep dives’ on specific business areas, or thematic reviews following an adverse event. They often do not assess overall organisational risk culture.
Risk culture surveys are increasingly offered by professional service firms and industry bodies. They offer some level of external benchmarking of perceived risk behaviours.
The focus on behavioural surveys as the primary risk-culture diagnostic tool limits insight into all the other key drivers of risk culture and/or the identification of the most critical and powerful actions needed to embed a more mature risk culture. This is because surveys report perceptions of risk culture at a given point in time and against previous surveys. They can identify relative strengths and weaknesses for further thematic reviews, but organisations should be aware of, and mitigate, the potential weaknesses in surveys that are designed to provide insights on risk culture.
Behavioural surveys often don’t:
- Provide an assessment against what good risk-culture maturity looks like, or report relative to a target state;
- Differentiate between risk culture and organisational culture;
- Explicitly reference risk or risk management in the question design;
- Differentiate whether respondents are answering questions within the context of the broader organisation or their specific business unit or function;
- Consider internal and external environmental factors at the time the survey is undertaken;
- Provide meaningful insights on the strength of responses — they tend to focus on ‘total favourable’;
- Seek to link outcomes with observed business and financial performance, including customer trust;
- Seek to challenge or align perceived risk behaviours to risk-management metrics that evidence actual outcomes of risk management actions;
- Provide insights on actions to address weaknesses; or
- Provide meaningful external benchmarking. Benchmarks are limited by the pool size, timeliness and frequency, and are generally bespoke to the participant’s industry. Comparing banks against each other does not necessarily provide an assessment against what may be perceived to be best practice.
Most critically, risk-culture behavioural surveys do not offer meaningful insights on whether ‘the right people’ are ‘doing the right things’ in relation to considering risk in decision-making. These refer respectively to roles and responsibilities for risk and to the effectiveness of the processes and frameworks that enable effective risk management.
An effective, integrated assessment of risk-culture maturity needs to recognise the importance of all of the above and how each factor is embedded across the organisation. This brings into focus the following drivers of risk culture:
For WHO does what in managing risk (‘the right people’), an assessment of:
- Three Lines of Defence models and their effectiveness;
- Risk governance;
- Prescribed regulatory responsibilities (including individual regulatory accountabilities);
- Role profiles and individual performance objectives;
- Performance, reward and incentive programs; and
- People leadership, including the tone from the top.
For WHAT we do to manage risk (‘doing the right things’), the effectiveness of:
- Risk frameworks, policies and processes and their implementation (including conduct risk);
- Risk-appetite frameworks; and
- Risk-management information and key risk-management performance indicators.
Most of the information needed to perform the above assessment already exists within organisations.
An advanced approach to the assessment of risk culture brings these elements together into a coherent and meaningful framework that gives the Board and management the greatest insight into risk-culture maturity: one where, when it comes to risk, ‘the right people are doing the right things in the right way all of the time.’