April 15, 2021
Building an Effective Risk Culture
by Horst Simon
Risk practitioners are finally catching on to building risk culture, but a whole bunch of self-proclaimed experts are talking absolute garbage.
“Culture is the soul of the organization — the beliefs and values, and how they are manifested. I think of the structure as the skeleton, and the process as the flesh and blood. And culture is the soul that holds the thing together and gives it life force.” – Henry Mintzberg
The prevailing risk culture within an organization can make it significantly better or worse at managing its risks. It also significantly affects the organization's capability to take strategic risk decisions and deliver on performance promises. Risk culture arises from the repeated behaviors of the organization's employees. These behaviors are shaped by the underlying values, beliefs and attitudes of individuals, which are partly inherent, and by the existing corporate culture in the organization.
Now that risk practitioners are finally catching on to risk culture and risk culture building, way after my first article on people risk in GARP Risk Review back in 2004, we suddenly find a whole bunch of risk culture “experts” talking absolute garbage when it comes to actually doing it.
Let us thus get the basics right:
Basics No 1: Governance Structure:
Firstly, the reporting line for the head of risk/chief risk officer is directly to the board. If you run your business by committees, that would be the chairperson of the board risk committee; if not, it should be a non-executive director who knows something about the management of risk.
Secondly, do not appoint your risk champions; select them from volunteers.
Basics No 2: The Definitions:
Before you formulate your own understanding, use these definitions:
- “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” – NC State ERM Initiative
- “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” – Institute of Risk Management
- Risk culture building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimize risk to the advantage of the organization.
Basics No 3: The Levels of Maturity:
- Level 1: In a bad risk culture, people do not care and will not do the right things regardless of risk policies, procedures and controls. Generally reflecting an environment of risks managed in silos, people are always “firefighting” with no clear risk owners, no real communication and weak accountability.
- Level 2: In a typical risk culture, people tend to care more and will do the right things when risk policies, procedures and controls are in place. Risk owners are clearly defined and roles and commitments are understood, but effective awareness is still lacking.
- Level 3: In a good risk culture, people care and will do the right things even when risk policies, procedures and controls are not in place. At this level, there are integrated risk management teams with standardized roles and clear accountabilities, normally controlled by a central function that coordinates all activities.
- Level 4: In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis. There is strong cross-functional teamwork, and employees apply sound judgment in the management of risk. A small central risk management advisory team that understands the enterprise fully supports the business at all levels. Organizations at this level are well-prepared for crisis management.
- Level 5: In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimize risks to make informed decisions and build sustainable competitive advantage for the organization. At this level, organizational and individual performance measures are fully aligned and risk-sensitive. Every employee is a risk manager, and knowledge and skills are upgraded continuously. Such an organization is agile and designed to adapt to changes.
Basics No 4: Assessing the Current Level of Maturity and Building Action Plans:
To start risk culture building, an organization first needs to get an accurate picture of the current level of risk culture maturity in the organization. Various attempts have been made to do this, and most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score, which is linked to a perceived level of maturity.
In some instances, organizations call in consultants who also conduct interviews. The outcomes are then debated and agreed upon by consensus with the client. These processes can easily be manipulated to support the perception of those in charge and also fail to identify specific weaknesses to support targeted action plans.
A full risk culture maturity assessment must cover the following operational areas associated with the effective management of risk:
- People and Organizational Design
- Management and Control
You have two options:
- A manual process: (offered as part of the formal Risk Culture Workshop training)
- An on-line assessment tool: In an attempt to improve the accuracy of these kinds of assessments, a leading U.K. consultancy developed and launched an on-line assessment tool that is now commercially available.
Basics No 5: What to Do Next:
Building an effective risk culture requires aligning the structured approach of the innovation framework and the four-pillar risk culture building approach with the organization's vision and purpose (for example, to be the most trusted and inspiring connector of positive change). This must be done within the context of the existing corporate culture and driven by the organization's strategic objectives. The outcome is to realize the key benefits of risk culture building and to create sustainable competitive advantage by optimizing the management of risk within the organization.
Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite—you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company. The interactions among these are not predictable, and variables cannot accurately be isolated.
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of individual ownership of risk and personal “conviction” — a state of mind where human beings own the risks and the process of managing those risks through making well-informed risk decisions because they want to, not because they have to. Companies drive value through optimizing risk management rather than a culture of compliance where people will do only what is required.
Basics No 6: The Four Pillars
- Think differently
- Get the whole picture
- Build a risk nervous system
- Make every employee a risk manager
Each of these pillars represents a structured approach to addressing the underlying mindsets and behaviors of the organization and its individuals, in order to influence their attitudes and responses to risk. This is done in the context of the organization's demographics and of each person's education, experience, circumstances, attitudes, beliefs, emotions, social status and other factors and filters.
Basics No 7: The “Do Not Even Think About It” List:
- You can NEVER build an effective risk culture if you use the old Three Lines of Defense model or the (even worse) new Three Lines model
- If you are promoting a “culture of compliance,” do not waste money attempting to build an effective risk culture
- Building an effective risk culture is not a “project”; the work never stops
- Even a bad risk culture can be strong, so stop talking about a strong risk culture as a good thing
- If you are not going to link risk culture to the performance management of each employee, at all levels, forget about it
- You can follow any risk management framework or standard to the last letter and still be useless at the actual management of risk… just because of culture
- You can be a brilliant chief risk officer in one company and a total failure in the next… just because of culture.