Shaping the right risk culture is an internal activity which includes integrity, hard controls and the division of duties, internal controls, and soft controls to develop the kind of culture the organisation wants. There should be guidelines for ethics, and staff should be trained and aware of what their rights are. Discussions between staff and management should be open and ongoing. Risk culture is articulated primarily through soft controls; ways of applying instruments and controls in an agile, effective manner should be developed, and the organisation should ensure that its people have an awareness of risk in whatever they do.
Luisa Evaristo, CRO of a leading Insurance Company, shared her own experiences in a session entitled Risk Culture Journey, presented at the recent IERP International Conference. “The risk management function should have different approaches to align the transformation of the organisation,” she said. “It should identify where the organisation is, and where it should be, in its moves to establish a viable risk culture. It should identify where the gaps are.” Risk culture usually refers to the values, beliefs, knowledge, attitudes and understanding shared by a group with a common purpose. But more than that, a good risk culture is about accountability and ownership.
It comes with responsibility and a sense of being invested and engaged with what one is doing. In developing a viable risk culture, Evaristo urged risk management professionals to consider a few questions. For instance, have people looked at different ways of identifying, recognising and mitigating the risks that may affect them? They need certain levels of competency to be able to do this, and to articulate their concerns without fear. They also need to share their knowledge; risk training for new staff is critical, and refresher courses for more established staff will do a great deal for maintaining awareness, understanding and action of the risk issues that confront them on a daily basis.
All this cannot involve the risk management function exclusively. Sometimes what works in one department will not work in another. Implementation of assessments are possible, however, if done regularly, and feedback elicited from as many parties as possible, so that the information collected is insightful and relevant, and reflects the true picture of the organisation. This information contributes greatly to bringing about best practices, and encourages employees’ commitment to ethical, responsible behaviour, which in turn is channelled into a process of continuous improvement. The people involved will, on their own, realise what they require to be able to do a good job.
“What is important is that the data gathered can be helpful in supporting the performance of the staff,” Evaristo stressed. “Make sure that things are do-able, and that issues can be satisfactorily addressed. Strike a balance. While issues cannot be ignored, they shouldn’t be given too much attention either.”
How do organisations achieve this balance? Evaristo suggested regular assessment to determine if too much attention was being given to one area at the expense of others. Her presentation also covered some key principles that foster the “right risk culture, such as the correct behaviour of the Board and senior management.
Risks and risk management expectations must be understood by all staff, she stressed, and the risk management framework should be able to support the business, besides creating value for it. As value is created and business is optimised, the value of the franchise grows. “Risk management processes need to be efficient,” she pointed out. “They must have easy-to-understand principles. Good behaviour and actions should be recognised and rewarded. Bad behaviour should not be tolerated without consequences.” Organisations which want to jump-start a risk culture but are not sure what this entails, should initiate programmes with specific objectives.
They may, for instance, want to increase their workforce’s understanding of how data supports decision-making, or increase the use of benchmark data. They may need to pay closer attention to weak signals (or listen in on the office grapevine!) as well and be alert to the small signs which may slip under the radar. Better interaction should be cultivated between the different levels of the organisation. This could be achieved to a certain extent through better workplace design (e.g. open-plan offices) or concrete attempts to stimulate engagement. It is also helpful to establish a culture that does not allocate blame to individuals or departments when something goes wrong.
Establishing a risk culture in an organisation is not an easy task, nor should it be taken lightly. Firms would do well to honestly evaluate the culture that is already existing, before determining what kind of culture they want to cultivate. They also need to make an assessment of what kind of impact the organisation will experience, in the development of the desired culture. It may not go down well with everybody; the people tasked with the development of organisational risk culture may find themselves facing resistance, and their efforts will not achieve the intended results. Risk management professionals need to first understand what the current risk culture of the organisation is built on.
Different organisations have different cultures, even if the businesses are similar, and the respective workforces are similarly skilled. “We have to decide where and what our risk cultures are, and where we want to be,” advised Evaristo. “They need to be properly identified and recognised. We need to have open mindsets to approach the various issues related to risk culture (or the lack of it). The Board and senior management will depend on the risk management team to point out the risk culture deficiencies of the organisations. The risk management team will therefore have to be sincere, open and honest – and be prepared if people speak up and ask for help.”