Strong culture supports risk management, auditor reminds agencies

By David Donaldson

April 27, 2018


Organisational culture plays a big role in good risk management — if staff feel like they’ll get in trouble for notifying management about something not quite right, it’s less likely a problem will be addressed before it develops into something bigger.

So it’s with concern that the NSW Audit Office has revealed that a significant number of public servants would not feel safe reporting things that have gone wrong.

In a report into risk culture and capability, the auditor found that 18% of staff surveyed in the four agencies it examined said that if things went wrong they would not feel safe calling them out. Another 12.5% of staff neither agreed nor disagreed.

“When even a small number of people are deterred from calling out issues, opportunities to share learnings and improve outcomes are missed,” says Auditor General Margaret Crawford.

The report highlights the importance culture plays in effective risk management.

“Over the past decade, governments and regulators around the world have increasingly turned their attention to risk culture,” she notes.

“It is now widely accepted that organisational culture is a key element of risk management because it influences how people recognise and engage with risk. Neglecting this ‘soft’ side of risk management can prevent institutions from managing risks that threaten their success and lead to missed opportunities for change, improvement or innovation.”

Some agencies are taking a proactive approach to managing risk, the auditor says, including developing data analytics tools to help identify problems early.

Crawford also highlighted the rise of the chief risk officer, but noted that in some agencies, their responsibilities did not extend to a formal role in challenging risk decisions inside the agency.

“This contrasts with a trend that is emerging in the private sector following the 2008 global financial crisis, in which challenging senior management and business lines is expected,” she said.

“While providing ‘effective challenge’ should be encouraged at all levels of an organisation, the chief risk officer is particularly well placed to perform this function. There is scope to extend this role in the public sector to challenge ideas and provide different perspectives in decision-making.”

The report includes a list of sector-wide lessons for improving agencies’ risk management culture:


  • Before changing risk culture, senior management needs to develop a view of their agency’s existing organisational culture, as well as their target risk culture for the organisation.
  • Heads of agencies will be best placed to make decisions and provide advice when they have relevant and reliable information on risks at their disposal.
  • Risk management as a discipline is an enabler and cannot replace leadership. Risk management tools give a framework but are not a substitute for good judgement.
  • While formal training plays a role in building risk management capability, there remains a place for insights based on experience and shared learnings.
  • Risk management, when used well, is a tool that can help senior management focus on the issues that really matter.


  • The chief risk officer plays a crucial role in driving a sound risk culture by translating the concepts of risk management into language easily understood by line managers. Further, it is critical for them to build strong relationships with other functions across the agency.
  • It is important that agencies communicate lessons learnt to staff who can benefit from them, rather than moving on quickly from problems or mistakes without reflecting on how things could have been done better.
  • In rapidly changing times, it is important to update risk registers regularly to capture new and emerging risks and close off on past issues.
  • Informal, open and frequent communication from staff to line managers plays a key role in developing a sound risk culture.

Identification of risks

  • It is important to win support for risk management from the line managers who conduct the agency’s day-to-day business. They may be in a better position to identify emerging threats.
  • There is a distinction between risk aversion and risk ignorance. If risks are not proactively identified, agencies may take large risks without being aware that this is the case.
  • Extensive knowledge of an organisation’s operating environment plays a significant role in identifying the most relevant risks.
  • While enterprise risk management is mainly the preserve of senior executives, all staff should be capable of identifying and managing risks.
  • Building risk resilience is fundamental for an agency to respond to the unpredictable and adapt to a rapidly changing environment.