Is Your Risk Culture Resilient Enough to Thrive?

The starting point of identifying and improving the resilience of any risk culture is the diagnosis of an organisation’s current state. Companies must understand the risk mindsets, risk practices and contributing behaviour that prevail in their organisations, address the shortfalls, and improve accordingly. Risk mindsets usually refer to the assumptions about risk held by individuals within an organisation. Risk practices are the daily actions that determine the effectiveness of risk management. Contributing behaviour comprises the collective actions that build risk attitudes.

Cultivating a risk culture in an organisation entails the utilisation of resources and effort which the company may not be able to provide, but when risk and integrity failures are studied, cultural weakness is often found at the core of these failures. Cultivating a robust risk culture is not just about risk culture itself, but about combining it with ethics and integrity, and inculcating the right values. Developing a positive risk culture starts with having a concrete definition that details what it is. This enables it to be measured.

Organisations need to move from measuring and planning, to taking action through tailored interventions to lift risk culture. Risk culture is often understood as having ten dimensions: confidence, openness, challenge, speed of response, level of care, communication, tolerance, level of insight, adherence to rules, and cooperation. These are, in turn, covered under four topics: acknowledgement, responsiveness, transparency, and respect, which are all interconnected. People need to have the right values; there must be shared values in the organisation as well.

But in today’s increasingly complex environment, risks may not be easily perceived. How then could the impact of risk culture be measured in real terms? There are a few areas that organisations need to concentrate on, particularly communication at all levels. Communication helps people understand what the organisation is trying to achieve, and how this fits into overall decision-making. There should always be respect for rules, fellow employees and colleagues. Once the risk and integrity culture is defined, measurement can begin.

Systematic assessment should look at mindsets, practices and behaviour. Assessment may be based on interviews with units and functions, followed by comprehensive surveys to set a baseline for the organisation. Follow-up interviews may detail strengths, weaknesses and root causes. Everyone in the company should respond to the surveys, from board and senior management to middle, lower management, and non-executive levels. Survey questions should be sufficiently detailed, and once an initial baseline is developed, results should be shared with leadership teams and the broader organisation.

With the help of these results, weaknesses may be addressed, and the leadership team, with the support of the team coordinating risk culture efforts, can use the strengths, weaknesses and cultural differences identified to agree on a set of prioritised interventions or intervention areas. Where possible, interventions or their application should be driven and owned by the front line to ensure that cultural change is truly lived locally and linked to day-to-day business activities and outcomes. Organisations should try to learn from their strengths and improve on or bolster their weaknesses.

Governance, policy, framework and systems are important; technology could provide the tools necessary for staff to be effective, and create conditions conducive to people speaking up, acting and giving feedback. Strengthening risk culture is a challenge, but employees must be empowered to challenge, and the organisation must be open to dissent because this improves decision-making. The consistent message across the organisation should be one of absolutely no tolerance for unethical practices.

Staff should also take responsibility for identifying, assessing, monitoring and reporting risk, responding to and escalating it as necessary. Whistleblowers should be provided with appropriate channels, and enforcement such as disciplinary action is a must. Many companies with mature risk cultures know that having the right organisational culture includes having staff who know how to engage with risk; staff should thus be educated about risk and risk management. The driving force behind all this should be consistent leadership commitment.

One of the most indispensable elements of a strong risk culture is the tone from the top. It sets guiding values and an ethical climate, and it has a trickle-down effect. Boards and senior management need to change the way they think about risk and how to respond so that they can quickly seize opportunities while continuing to protect employees, customer health and safety, and evolving to adapt to new ways of working. A good risk culture allows an organisation to move at speed, maximise cost-cutting, and build institutional resilience.

Developing a viable risk culture must include well-calculated and understood risk-return trade-offs and a comprehensive ERM strategy. The organisation’s various business units will have to be responsible for redesigning their work or unblocking work processes which may be bottlenecks. Experts advocate front-line-driven interventions and applications where possible, as cultural change must be driven by forward-facing people who are the first line of defence. Change can only be effected when the human aspects of the issue are appropriately managed.

Simple things like setting up a confidential hotline, or communication from the top about the importance of speaking up, are powerful gestures of commitment to cultural change. Dedicated ownership has to be assigned for coordinating the definition, measurement, reporting and reinforcement of risk culture because responsibility must be assigned if action is required. To generate meaningful, lasting changes in risk and integrity culture, leaders can use something called the influence model, which has proven useful.

This model addresses different issues and ensures the right skill sets, understanding and commitment are developed, and formal reinforcement mechanisms and alignment of values are in place. Organisations should also learn from their competition. Building and sustaining risk culture requires proactive attention, which means addressing it before issues arise; this includes understanding its evolution and then taking action to improve it. Proactive leaders may be able to see early signs of concern or even spot inadequate processes.

A strong risk culture is a critical element of institutional resilience, particularly when the world and business environment today are plagued with uncertainty. Companies with good risk culture are less likely to make operational mistakes or suffer reputational difficulties. They also tend to have more engaged, satisfied, and productive employees. Organisations with developed, mature risk cultures often outperform their peers. A resilient risk culture helps the firm deal with challenges and is its best cross-enterprise, cross-organisational, cross-functional defence mechanism.
