Tag Archives: risk culture

Building an Effective Risk Culture

“Culture is the soul of the organization — the beliefs and values, and how they are manifested. I think of the structure as the skeleton, and the process as the flesh and blood. And culture is the soul that holds the thing together and gives it life force.” – Henry Mintzberg

The prevailing risk culture within an organization can make it significantly better or worse at managing the risks it faces. It also significantly affects the organization’s capability to take strategic risk decisions and deliver on performance promises. Risk culture arises from the repeated behaviors of the organization’s employees. These behaviors are shaped by the underlying values, beliefs and attitudes of individuals, which are partly inherent, and by the existing corporate culture of the organization.

Now that risk practitioners are finally catching on to risk culture and risk culture building, way after my first article on people risk in the GARP Risk Review back in 2004, we suddenly find a whole bunch of risk culture “experts” talking absolute garbage when it comes to actually doing it.

Let us thus get the basics right:

Basics No 1: Governance Structure:

Firstly, the reporting line for the head of risk/chief risk officer is directly to the board. If you run your business by committees, that would be the chairperson of the board risk committee; if not, it should be a non-executive director who knows something about the management of risk. 

Secondly, do not appoint your risk champions; select them from volunteers. 

Basics No 2: The Definitions:

Before you formulate your own understanding, use these definitions:

  • “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” –NC State ERM Initiative
  • “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” –Institute of Risk Management
  • Risk culture building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimize risk to the advantage of the organization.

Basics No 3: The Levels of Maturity: 

  • Level 1: In a bad risk culture, people do not care and will not do the right things regardless of risk policies, procedures and controls. Generally reflecting an environment of risks managed in silos, people are always “firefighting” with no clear risk owners, no real communication and weak accountability.
  • Level 2: In a typical risk culture, people tend to care more and will do the right things when risk policies, procedures and controls are in place. Risk owners are clearly defined and roles and commitments are understood, but effective awareness is still lacking.
  • Level 3: In a good risk culture, people care and will do the right things even when risk policies, procedures and controls are not in place. At this level, there are integrated risk management teams with standardized roles and clear accountabilities, normally controlled by a central function that coordinates all activities.
  • Level 4: In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis. There is strong cross-functional teamwork, and employees apply sound judgment in the management of risk. A small central risk management advisory team that understands the enterprise fully supports the business at all levels. Organizations at this level are well-prepared for crisis management.
  • Level 5: In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimize risks to make informed decisions and build sustainable competitive advantage for the organization. At this level, organizational and individual performance measures are fully aligned and risk-sensitive. Every employee is a risk manager, and knowledge and skills are upgraded continuously. Such an organization is agile and designed to adapt to changes.

See also: Perspectives on Risk Culture Building

Basics No 4: Assessing the Current Level of Maturity and Building Action Plans:

To start risk culture building, an organization first needs to get an accurate picture of the current level of risk culture maturity in the organization. Various attempts have been made to do this, and most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score, which is linked to a perceived level of maturity. 

In some instances, organizations call in consultants who also conduct interviews. The outcomes are then debated and agreed upon by consensus with the client. These processes can easily be manipulated to support the perception of those in charge and also fail to identify specific weaknesses to support targeted action plans.

A full risk culture maturity assessment must cover the following operational areas associated with the effective management of risk: 

  1. Policies
  2. Processes
  3. People and Organizational Design
  4. Reporting
  5. Management and Control

You have two options:

  1. A manual process (offered as part of the formal Risk Culture Workshop training)
  2. An on-line assessment tool: In an attempt to improve the accuracy of these kinds of assessments, a leading U.K. consultancy developed and launched an on-line assessment tool that is now commercially available. 

* (Contact chungarisk@yahoo.co.uk for details of either)

Basics No 5: What to Do Next: 

Building an effective risk culture requires aligning the structured approach in the innovation framework and the four-pillar risk culture building approach with the organization’s vision and purpose to be the most trusted and inspiring connector of positive change. This must be done within the context of the existing corporate culture, driven by the organization’s strategic objectives, with the outcome to realize the key benefits of risk culture building and create sustainable competitive advantage through the optimization of the management of risk within the organization.

Building an effective risk culture is much more than changing your organizational culture in line with your vision, mission, corporate values and risk appetite—you must factor in the interests of competing national cultures, sub-cultures, Maslow’s theory on individual self-actualization and the informal groups in the company. The interactions among these are not predictable, and variables cannot accurately be isolated.

An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of individual ownership of risk and personal “conviction” — a state of mind where human beings own the risks and the process of managing those risks through making well-informed risk decisions because they want to, not because they have to. Companies drive value through optimizing risk management rather than a culture of compliance where people will do only what is required.

Basics No 6: The Four Pillars

  1. Think differently
  2. Get the whole picture
  3. Build a risk nervous system 
  4. Make every employee a risk manager

Each of these pillars represents a structured approach to address the underlying mindsets and behavioral aspects of organization and individuals to influence their attitudes and responses to risk in the context of the organizational demographics and their education, experiences, circumstances, attitudes, beliefs, emotions, social status and other factors and filters.

See also: 5 Risk Management Mistakes to Avoid

Basics No 7: The “Do Not Even Think About It” List:

  • You can NEVER build an effective risk culture if you use the old Three Lines of Defense model or the (even worse) new Three Lines model
  • If you are promoting a “culture of compliance,” do not waste money attempting to build an effective risk culture 
  • Building an effective risk culture is not a “project”; the work never stops
  • Even a bad risk culture can be strong, so stop talking about a strong risk culture as a good thing
  • If you are not going to link risk culture to the performance management of each employee, at all levels, forget about it
  • You can follow any risk management framework or standard to the last letter and still be useless at the actual management of risk… just because of culture
  • You can be a brilliant chief risk officer in one company and a total failure in the next… just because of culture.

Risk Culture Revisited: A Case In Point

True, a great deal has been written about the importance of inculcating a positive risk culture if an organization is serious about managing its enterprise risk. Yet, when it comes to discussions about organizational culture, many executives’ eyes glaze over because the topic is too nebulous or because they have no idea how to influence or develop a particular type of culture. Underwriters, considering an application from a commercial customer, generally do not look too deeply into the company’s risk culture. Given that risk is growing in magnitude and variety and with increasing speed of onset, it behooves leaders to take concrete actions to establish a sound risk culture or to maintain one if it already exists. And underwriters should also be interested in the risk culture of accounts they write for the same reasons.

Often, I am inspired to write about something because of some news I hear or read about. In this case, something on the law360 website caught my attention: A woman slipped and fell near a collapsed “wet floor” sign at a casino. This person, Ms. Sadowski, suffered serious injuries and was awarded $3 million by an Ohio jury.

“The sign lay flat on the floor that day in September 2016, and a Jack Cincinnati Casino employee even walked around it but did not pick it up,” Sadowski’s attorney, Matt Nakajima, said, according to the Cincinnati Enquirer. He said that, moments later, Sadowski tripped over it and broke one of her knee caps. There were no safety measures in place for floor inspections or fall prevention, he said, and the employee who walked around the collapsed sign was not reprimanded. So, despite the use of “wet floor” signs, other aspects of risk management were purportedly absent.

It seems the jury believed Nakajima’s description. If the description is accurate, the part about an employee walking around a collapsed “wet floor” sign is very troubling, as is the fact that there were no consequences for the employee. These kinds of actions point to a lack of a risk aware culture at various levels.

See also: Building a Risk Culture Is Simple–Really  

So, how do leaders build a risk culture, and how do underwriters probe to see what kind of risk culture exists in their prospective insureds’ organizations?

Three Basic Steps to Build Risk Culture

  • Articulate the organization’s position on managing risk at key communication junctures and through different media with employees: 1) hiring interview, 2) orientation, 3) staff meetings, 4) webcasts, newsletters, bulletin boards.
  • Include a risk culture criterion in all performance reviews; e.g., does the employee perform duties safely and address or report hazards/risks when they are identified? Evaluate positively or negatively, as warranted. Celebrate exemplary cases of risk awareness or risk mitigation.
  • Ensure that policies, procedures and work instructions all describe what is expected in terms of safety, precaution and risk reporting.

Three Basic Data Points for Underwriters to Ascertain

  • Does the organization have any losses in the loss history that show an egregious lack of risk awareness?
  • Does the organization practice ERM or, at least, have policies around required safety measures, risk/hazard reporting, training on avoiding cyber and other risks, etc.?
  • Does the organization discuss or evaluate risk awareness as part of normal performance management?

At a time when every insurer is streamlining the information it requests from potential insureds, adding more requests for data seems antithetical. However, in light of the thousands of ways that employees can create, increase or decrease risk in an organization, the culture they embrace is very important. For example, an HR staffer who delays inputting an employee termination to the appropriate systems can create huge data and physical security risks. Likewise, a factory worker who leaves equipment running while going on break, when it should be turned off, can create safety and property risk. Or, consider a finance employee who thinks a spoofed email is actually from the CEO and sends a payroll check to the hacker’s account because there was no secondary control or it was not adhered to. The questions above will help underwriters to get a glimpse of the risk culture at the company they are evaluating.

See also: Thinking Differently: Building a Risk Culture  

A risk aware culture plays a role regardless of the category of risk: financial, operational, legal, cyber, human resource, strategic, etc. Everyone from the top to the bottom of the organization needs to have an automatic and quickfire gut check regarding their actions – am I creating a risk by taking this action; have I recognized the risks in the situation that is leading me to action; do I need to vet a recognized risk with others? When an organization reaches the point where this type of thinking is natural, and almost universal, then it can be said that a positive risk culture has been embedded.

Her latest book, “Enterprise Risk Management: Straight Talk for Nonprofits,” can be found here.

Formula for Creating a Positive Risk Culture

The insurance industry is all about understanding and taking risk prudently. In other words, it is about assuming risk from individuals or organizations for the right return. Thus, it makes sense that insurers should be excellent at managing their own strategic, financial and operational risk. But is that always the case?

Regulators and rating agencies have done a great deal to require robust enterprise risk management at insurance companies and to consider how well they are implementing it in evaluating them. However, their focus is decidedly on capital risk management and to a much lesser extent on other risk categories. Yet, other risk categories can certainly affect financial stability.

Are insurers being asked to show regulators and rating agencies how they have measured their risk culture? Are they asked to explain to what extent their strategies have been influenced or revised based on risk-related input? Likewise, is there inquiry into how deep within the insurers’ ranks the risk-identification process goes to gather input? Is there much questioning about how financial targets are set, such as whether non-management or field input is gathered before setting these targets?

If the answer is no, then some vital evaluative data is being missed. That is because risk culture, and the things that strongly influence it, can make a huge difference in the financial success or failure of an insurer.

What Is Risk Culture?

There are various definitions for it, but the best I have found is the one suggested by the Institute of International Finance, “‘Risk culture’ can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and the risks it takes.”

See also: Building a Risk Culture Is Simple–Really  

The prevailing risk culture can be one explanation for why some insurers have more negative surprises than others, why some have a poor track record for reserve increases whereas others do not, or why some experience adverse results from significant growth whereas others can grow profitably.

What Influences Risk Culture

The things that influence risk culture and help to create a risk-aware culture are:

  • Message from the top – board, CEO, senior team
  • Behavior at the top
  • Existence of board and management-level risk committees
  • Existence of risk appetite, risk tolerances that are well-communicated
  • How far down in the organization risk identification methods delve
  • How unauthorized/excessive risk-taking is handled by management
  • Whether there is a risk reporting hotline
  • Whether goals are aligned with risk appetite and risk tolerances
  • Whether incentives are aligned with risk appetite and risk tolerances
  • Whether risk culture is measured

How Management Behavior Can Create Risk and Block Risk Culture

There are many ways that management can contribute to a poor or non-existent risk culture. Below are just a few examples.

By setting unreasonable goals, management creates obstacles for a healthy risk culture. There is a difference between stretch goals and unreasonable ones. Good managers know this and know how to set a proper goal. Unreasonable goals beget unreasonable behavior, e.g. risky behavior. Such behavior might play out in underpricing business to meet a premium growth goal; it might play out in bad faith claims to meet an average paid loss goal. These things can happen in any environment but are more likely when goals are set too high and the risk associated with that is ignored.

Another management action that can produce risk is developing a strategy without input from the field. A strategy that is based only on the ideas in the corporate suite can lead to the risk of failure or the risk of producing negative or unintended consequences. For example, field staff may have more insight about how a change in compensation practices or local contacts may be reacted to by agents and brokers than home office strategy pundits. Getting field input might avoid losing business, losing agents or brokers or some equally undesirable business result. In a study sponsored by the Casualty Actuarial Society, the authors Shaun Wang and Robert Faber state, “In running an enterprise, it is essential to recognize both global and local views: Without inputs from the field, any development of business strategy lacks a solid footing; while the strategic directions are set at the company level, the success and failure of the strategy depends on the local business execution.”

Insurers are introducing many types of innovations into their operations to stay relevant in today’s digital world and sharing economy. If it is perceived that management is not taking into account the risks inherent in any new way of doing things, then a strong signal is being sent to the rest of the organization. The signal is that managing risk is not always important. Taking risk into account should never stop forward movement. Instead, it should ensure that innovations are optimized. Management should be able to point to the risks that were identified and how they were addressed, regardless of whether those risks pertain to cyber security, system integration, scalability, customer or distributor satisfaction and any number of other matters.

See also: A New Paradigm for Risk Management?

How Management Can Create a Positive Risk Culture

Management’s behavior becomes the model for the rest of the organization. Generally, each level of management tends to mimic the approach of the level to which it reports. Even when such cascading is not perfectly distributed, the overall tone and modus operandi of top managers tend to influence most employees of the organization over time.

Thus, management must be continually aware of what message it is sending about risk awareness by its own actions as well as by designed communications. Where a risk-aware culture is nurtured, there will be many ways in which management reinforces it:

  • Rewarding staff when risks are handled well and holding staff accountable when risks are not handled well
  • Ensuring that risk is discussed during decision-making not after decisions are made
  • Treating those who report a risk as a team player rather than a naysayer or trouble seeker – encouraging the person to become a problem solver by being asked to help address the risk
  • Discussing risk and the status of risk mitigation plans in staff meetings or whenever appropriate.

In risk-aware cultures, risk is considered as part of every key decision or action. Thus, the bottom line is improved.

What Gets Missed in Risk Management

Risk management is ultimately about creating a culture that would facilitate risk discussion when performing business activities or making any strategic, investment or project decision.

Here are some of the key points that are often missed:

  • Risk management is not just about tools and techniques; it is about changing the corporate culture and the mindset of management and employees. This change cannot happen overnight. Risk managers need to start small by embedding elements of risk analysis into various decision-making processes, expanding the scope of risk management over time.
  • It is vital to break the status quo where risk management is seen as a separate and independent activity. Instead, risk managers should integrate risk management into all core business activities. This can be achieved by integrating risk analysis into decision-making processes, assisting management in evaluating projects and strategic initiatives with the use of risk analysis tools, integrating risk management into strategic planning, budgeting and performance management, incorporating responsibilities in job descriptions, providing management training, etc.
  • Risk managers should strive to become advisers to senior management and the board, advisers who are trusted and whose recommendations are listened to. To achieve this, risk managers may need to break away from traditional models like “three lines of defense” and instead choose to actively participate in the decision-making, take ownership of some risks and provide an independent assessment of risks associated with important business decisions, maybe even vetoing some high-risk activities.

See also: A New Paradigm for Risk Management?  

To explore these topics, Elena Demidenko and I have written a free book, “Guide to Effective Risk Management 3.0.” It talks about practical steps risk managers can take to integrate risk management into decision-making and core business processes. Based on our research and the interviews, we have summarized 15 practical ideas on how to improve the integration of risk management into the daily life of the organisation. These were grouped into three high-level objectives: drive risk culture, help integrate risk management into business and become a trusted adviser.

This document is designed to be a practical implementation guide. Each section is accompanied by checklists, video references, useful links and templates. This guide isn’t about “classical” risk management with its useless risk maps, risk registers, risk owners or risk mitigation plans. This guide is about implementing the most current risk analysis research into the business processes, decision making and the overall culture of the organization.

To download for free or read online, click here: https://www.risk-academy.ru/en/download/risk-management-book/

Building a Risk Culture Is Simple–Really

Yes, building risk culture is easy! Before I explain, let me first clear up a few weird misconceptions about risk culture that have been floating around in non-financial companies:

Making decisions under uncertainty is not natural for humans.

Back in the 1970s, scientists had a breakthrough in understanding how the human brain works, what influences our decisions, how cognitive biases affect our perception of the world and so on. Daniel Kahneman and Vernon Smith received a Nobel prize in economics back in 2002 “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty.” I am amazed how many risk managers and consultants continue to simply ignore this research. Identifying, analyzing and dealing with risks is against human nature. Stop kidding yourself. The sooner we, as a professional community, accept this, the easier it will be to integrate risk management into decision making.

Managers do not take risks into account by default.

One of the biggest deceptions floated around is that most business processes already take into account risks and that decisions are made by management after careful consideration of risks. Not so. Naturally, managers do consider some of the more obvious risks, and there are exceptional cases where risk analysis is already integrated into the decision making. For the other 95% of the companies, existing processes and management tools ignore or purposefully hide significant risks. I bet that if risk managers, instead of running useless risk workshops, had a deep hard look, they would soon discover that budgets are overly optimistic, project plans are unrealistic and some corporate objectives are borderline naïve. Of course, the rest of the company is fine with how things are and will do everything to stop risk managers from getting involved.

See also: Building a Strong Insurance Risk Culture  

Making risk management everyone’s responsibility is just wishful thinking.

I don’t quite understand why, but there seems to be an idea that strong, robust, risk-aware culture is the ultimate objective. It sounds great, but it is physically impossible. And this is why I think so many risk managers have failed and so many more are struggling to make an impact. They are trying to move the rock that is not meant to be moved. This is probably the most important point of this article:

The only person in the company who thinks strong risk culture is a positive thing is the risk manager. The rest of the organization sees risk management as a direct threat to their personal interests, their income and their position in the corporate world.

Let me repeat: Most managers ignore risks and take uncalculated risks for a reason.

But not all managers and not all the time. And that’s where the risk manager comes in, trying to change the culture of CERTAIN individuals SOME of the time.

Risk management culture is not about hearts and minds.

By now, after reading everything I tried to communicate above, I hope you realize that management doesn’t care about risk culture. I mean they will still say the right words when the risk manager is present, but deep down nobody will care. The only chance for risk culture to stick is if it makes business sense for the individuals. And I don’t mean soft things like transparency, corporate governance and other nonsense, I mean direct impact on the bottom line or the personal security of an individual. The best examples of managers suddenly becoming very risk-aware were when I was able to show that by better managing risks individuals could protect their role, avoid prosecution, have a better business case for investors, save on insurance, save on financing costs or get higher bonuses.

And yet…

And yet despite everything I said above, building risk culture is a piece of cake. Risk managers just have to realize that they won’t be able to convert everyone and that some people are beyond help. There is also no single solution that will do the job. It’s all about finding what makes each individual tick. It’s time-consuming, yes, but not difficult at all. Hence it can be equally applied by large corporations and small and medium-sized businesses.

Here are some practical ideas (make sure you click on the links in the article; each one leads to a short video explanation) to get you started:

  • Develop high-level risk management policy – It is generally considered a good idea to document an organization’s attitude and commitment to risk management in a high-level document, such as a risk management policy. The policy should describe the general attitude of the company toward risks, risk management principles, roles and responsibilities and risk management infrastructure, as well as resources and processes dedicated to risk management. Section 4.3.2 of ISO 31000:2009 also provides guidance on risk management policy.
  • Integrate risk appetites for different risk types into existing board-level documents; don’t create separate risk appetite statements.
  • Regularly include risk items on the board’s agenda
  • Consider establishing a separate risk management committee at the executive level or extend the mandate of the existing management committee – this worked like a miracle for me personally
  • Reinforce the “no blame” culture, explaining why risks should be disclosed and accounted for
  • Include risk management roles and responsibilities in existing job descriptions, policies and procedures and committee charters, not in a risk management framework document
  • Update existing policies and procedures to include aspects of risk management
  • Review and update remuneration policies
  • Provide risk awareness training regularly
  • Use risk management games
  • And, most importantly, get personally involved in business activities.

See also: Thinking Differently: Building a Risk Culture