A strong culture underpins effective risk management

Final ASIC Update: compensation for financial advice related misconduct as at 31 December 2022. The impact of poor risk culture?

What is risk culture and why does it matter?

Risk culture encompasses the shared attitudes, values, and behaviours towards managing risk. Some definitions include risk architecture, such as governance and controls.

A weak risk culture impacts customers, increases financial loss, affects employee morale, damages reputations and intensifies regulatory scrutiny. Trust in controls diminishes and organisational resources are diverted from core activities to remediation.

Conversely, a strong risk culture underpins effective risk management, and can result in increased trust, psychological safety, collaboration, and morale. Employees ‘do the right thing’ by customers, the company and the community. Employees are guided by a set of shared principles and know what to do even when faced with an unknown scenario. A good risk culture yields financial, cost and reputation benefits.

Measuring risk culture

Objectively measuring risk culture can be challenging due to its dynamic nature, varied perceptions, and the complexity of the underlying components. There are many ways to measure risk culture, whether through quantitative surveys, qualitative focus groups or interviews, or measures of risk maturity.

Risk culture can be indirectly measured and inferred through outcomes-based indicators, ranging from systemic issues such as compliance breaches to increased lost time to injury. Alternatively, the state of play can be inferred from deteriorating risk performance metrics such as customer complaints, issue resolution time, or increased employee turnover. People and culture scores can also reveal a level of distrust between management and employees. Seemingly positive metrics, such as significant sales outperformance, may actually indicate mis-selling.

Whilst these approaches have their limitations, they can be useful in providing a basis for comparison through time. Through measurement, entities can assess the effectiveness of their risk culture, and improve and shape it as desired.

Improving risk culture

To enhance risk culture, leadership commitment is critical. Clearly communicated values and expectations, often through a code of conduct and risk appetite statement, are crucial.

Expectations can be set at on-boarding and periodically reinforced. A simple mantra such as ‘risk is everyone’s responsibility’ is easily repeated and remembered.

Accountabilities and responsibilities should be clearly delineated through position descriptions, Committee Charters, statements of responsibility or delegations of authority. Employees at every level should understand their responsibilities and boundaries for taking and managing risk.

Incentives play a key role and should be aligned to desired behaviours. Mechanisms such as key performance indicators and short- and long-term incentives should be designed to encourage longer-term thinking.

Organisations should cultivate an environment where employees feel comfortable speaking up. Effective consultation channels and timely management responses are important.

Responding to risk events requires a balanced approach and a focus on continuous improvement. Extracting lessons learned should be preferred to punitive measures. Poor behaviours should be addressed through structured coaching and performance reviews.

Improving risk culture is vital for effective risk management and organisational success. Expert assistance can facilitate this process and ensure sustained growth and success.

