The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).


IERP® International Institute of Enterprise Risk Practitioners


Cultivating a Risk Culture within an Organisation

Is there value or benefit to cultivating a risk culture in an organisation? Doing so takes resources and effort which the organisation may not be able to afford, but when risk and integrity failures are studied, cultural weaknesses are often found at their core. To address this, organisations are strengthening their culture and sustaining the change. “Risk and integrity from a cultural perspective refers to the mindset and behavioural norms that determine how organisations identify and manage risk,” said presenter Ramesh Pillai, Group MD of Friday Concepts. “A good risk culture allows an organisation to move with speed without breaking things.”

A strong risk culture is a critical element of institutional resilience, particularly at this time when the world and business environment has never been more uncertain. “Organisations which have developed a mature risk and integrity culture outperform their peers through economic cycles and in the face of challenging external shocks,” he added. Companies which have a strong or good risk culture are often less likely to suffer from self-inflicted wounds like operational mistakes or reputational difficulties. They also tend to have a more engaged and satisfied customer and employee base. The starting point of improving risk culture is the diagnosis of an organisation’s current state.

A good risk culture helps the firm deal with challenges and is its best cross-enterprise, cross-organisational, cross-functional defence mechanism. To build strong risk and integrity cultures, companies must understand and address three mutually-reinforcing drivers: risk mindsets, risk practices and contributing behaviour. Risk mindsets usually refer to the assumptions about risk that individuals hold within an organisation. Risk practices are the daily actions that determine the effectiveness of risk management. Contributing behaviour comprises the collective actions that build risk attitudes.

“If you want to understand and inculcate a positive risk and integrity culture, you must have a proper, concrete definition of risk culture that spells out what it is,” he said. “Only then can you establish aspirations and measure progress.” Risk culture, he said, can be understood as having ten dimensions – confidence, openness, challenge, speed of response, level of care, communication, tolerance, level of insight, adherence to rules, and cooperation – which are covered under four topics: acknowledgement, responsiveness, transparency, and respect. These are all interconnected, and once risk and integrity culture is defined, measurement can begin.

The assessment looks at mindsets, practices and behaviour, and may be conducted in the form of surveys across the entire organisation. These surveys should consist of about 20-30 questions for the response of the board, senior management and everyone in the company. “Make sure that the questions asked are sufficiently detailed, and will allow for the establishment of a baseline,” Ramesh advised, emphasising the importance of sharing the results when the survey has been conducted and analysed. “Maturity levels across all the different dimensions matter. You want to know what the norm is, then concentrate on the outliers.”

Organisations should try and learn from their strengths and improve on or bolster their weaknesses. Although this will not be the perfect or ideal solution, it is primarily about managing the change, and moving forward. It will also depend on the different levels of maturity, according to how long people have been in the organisation. Measuring risk culture results makes it easier to prioritise, but it also means that the leadership team needs proper support from the central coordinating team. Intervention needs to be measured throughout the whole organisation. For example, HR needs to ensure that there is proper intervention in the form of compensation or training.

The various business units, too, will have to take charge of their redesign work or unblocking of processes. “Where possible, all interventions and applications need to be driven and owned by the front line,” Ramesh said. “Cultural change needs to be locally linked to day-to-day business and outcomes, driven by the people that matter the most, the forward-facing people, the first line of defence.” The sharing needs to go across the whole organisation, and the actioning process is critical, he stressed. Capacity building must be addressed as staff must have the proper training to develop the appropriate skill sets to behave in the new desired way.

Formal and informal channels should be put in place to escalate risk, and ensure fit-for-purpose systems which reinforce the desired change. Organisations should ensure that their people know what they need to change, and want to change; simultaneously, risks should be systematically and effectively communicated. The importance of communication cannot be overstated. Also briefly discussed was the Influence model, useful because it was a tried and tested one, and could enable a wide range of approaches, thus increasing the probability of success of the organisation’s transformation efforts. Targeted short-term interventions allow organisations to respond flexibly to changing needs.

Longer-term interventions, on the other hand, reinforce the core elements of desired risk avoidance. These are often formal programmes like speak-up hotlines or training and compensation standards that continually reinforce desired behaviours. When launching a risk culture programme, leadership needs to ensure that it can lead change; it needs to maintain risk culture under transformation. “As leaders, you need to be proactive about how to do these things, understand the impacts of the crisis or internal stimuli on the organisation and how to strengthen the culture,” Ramesh stressed. “You need to identify what the system is vulnerable to.”

It is also about ensuring that the human aspects are appropriately managed because dealing with humanity is the only way that cultural change can be successfully driven. While culture, integrity and compliance are central, there was no need to take major steps. “Take baby steps,” he said. “Simple things like setting up a confidential hotline, and communication from the top to set the tone about the importance of speaking up – these first steps are a gesture of commitment to the larger effort of changing risk culture. Set yourself up for risk culture success.” Organisations need to ensure that true ownership and responsibility for risk culture sits in the front line, he added.

Dedicated ownership has to be assigned for coordinating the definition, measurement, reporting and reinforcement of risk culture. “If you want action, you need to ensure that you assign responsibility,” he emphasised. “You have to ensure that the case for change is visible and compelling, and you need to carry on reinforcing this. The effort you have to put into this has to be sustained over time.” Organisations should formally plan how they intend to drive the entire project, create compensation packages, and reward people according to proper KPIs. They should ensure that their cultural health, particularly their risk culture, is maintained.

“This puts them in a better position to serve their clients, employees and society more effectively,” Ramesh concluded. “It will help them avert risks that could potentially be catastrophic because they are more pre-emptive, their employees are more transparent, happier and more aware. By taking these steps, organisations can prepare, reap near-term rewards and be ready for future uncertainties and challenges.”
