eBusiness Weekly
Elgin Chetsanga
It is often said that culture eats strategy for breakfast. Major corporate failures have now also taught us that this famous statement holds true for risk culture.
Risk culture also eats strategy for breakfast! Many cultures exist such as personal cultures, industry cultures, organisational cultures and these sometimes tussle and overlap each other in one individual.
Organisations can influence their employees’ culture through various approaches.
There is compelling evidence that strategically shaping and influencing culture results in improved organisational performance. Culture has become so critical that many companies display lists of their cultural values and behaviours and even seek to recruit people that align with their culture.
As with broader organisational culture, risk culture is a complex and sometimes little understood concept that has the power to impact an organisational performance.
The Institute of Risk Management defines risk culture as the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.
Risk culture manifests in the behavioural norms that shape how any organisation identifies and manages its risks. Risk culture can thus also be “deliberately influenced and shaped with effort, strategy, and resources”
A weak risk culture will impact the quality of decision-making across the organisation. Business decisions involve taking calculated risks which not only focus on both upside and downside risks.
Without a good risk culture as a company, the default approach to decision-making will sometimes be based on personal biases, instinct, or a desire to maintain the status quo. A poor risk culture leads to suboptimal decisions that might produce short term wins while compromising the organisation’s long-term resilience and sustainability.
Depending on your assessment of your risk culture strength there are some widely acknowledged approaches to create or strengthen your risk culture. Below we discuss a few. Good place to start is usually with the risk appetite. Risk appetite is a central framework that helps to determine what comprises the “right risks”.
Businesses find it hard to build a good risk culture without the necessary organisation-wide understanding and assimilation of the risk appetite.
The values and vision of the organisation set the scene for the broader organisational culture. Risk culture when viewed as a sub-culture of organisational culture is heavily influenced by the values of the company.
Organisational values which are expressed clearly and include risk elements such as safety, ethics, honesty tend to convey the message to every employee that risk matters are taken seriously within that organisation.
However, having risk aligned values and vision is not enough. Building and or strengthening your risk culture is also heavily shaped by “the tone from the top”.
The level of participation of top leadership in risk matters sets the tone for lower-level employees.
To further strengthen the risk culture, it also necessary to enlist individuals who will be risk champions or ambassadors and these need to come from key individuals along the organisational hierarchy.
Another way to build a good risk culture is to establish a management-level risk committee. While most board compositions now include different variations of a risk committee, this important structure is sometimes not mirrored at a management level.
A management level risk committee significantly advances the rate at which diverse functions interact with risk issues.
In addition, it allows every stakeholder to have an enterprise view of risks which helps in understanding the bigger picture. The risk committee should meet regularly to avoid lagging on pertinent risk issues.
Policies and procedures are another method of building a strong risk culture. Policies and procedures for various business areas now incorporate risk management elements.
There exists a link between risk management and policy management. Policies contain specific controls that set boundaries on risk taking activities.
There is a high chance that policies that are created without consulting risk will end up as rogue policies that expose the entity.
One other aspect of a strong risk culture is training and communication. Risk training should be conducted for both the board and employees.
Risk management training has proven to help upskill people to better identify, assess and mitigate risks associated with their business functions. Regular and effective communication ensures that stakeholders are alive to potential risks and are prepared to respond appropriately.
Good communication should be frequent enough, easily accessible, and easy to understand to allow everyone to maintain interest and fully understand.
In many industries incident and near miss reporting have been adopted as a tool to enhance risk culture.
What constitutes incidents varies with each industry type. From a banking sector perspective, a risk incident is defined as an event which has had or could have had, a negative financial, business, or reputational impact on the business.
Incident reporting is a structured way to report on which would have occurred or near misses which might have led to losses. A culture where incidents are reported and investigated allows companies to learn and improve their control environment.
Lastly an organisation can also look to its people management framework to create a good risk culture.
An organisation can align performance incentives with risk management outcomes to balance the rewards with costs of failures. Key risk indicators can be integrated with the performance management system to allow simultaneous measuring of both outcomes.
Monitoring risk management KRIs for employees can significantly improve risk ownership, awareness and overall improve the risk culture.
In summary the advantage of having good risk culture is an improved decisions making.
A good risk culture built on firm and deliberate organisational effort, decision makers will tend to underestimate or overlook risks and make choices that do not adopt a balanced risk adjusted view.
Elgin Chetsanga is a head of risk and compliance at a local financial institution. He writes in his personal capacity. Elgin can be reached on [email protected]
