
Why failing to build strong organisational risk culture could be your biggest risk

September 1, 2021

How would you describe your company’s organisational risk culture?

Before you answer…

Cast your mind over recent publicly prominent investigations that have raised organisational risk management failings, with ever-increasing scrutiny of organisational risk culture.

Imagine for a moment a research department seeking to be the first to deliver new technologies. What if, in the race to deliver, staff take unacceptable risks and develop work-around technologies to meet the targets at any cost? What if these technologies go on to dupe millions of customers and cause untold reputational damage to the company? You don’t have to imagine: just remember Volkswagen’s recent failings.

Now consider a company that incentivises its employees using aspirational sales targets. These employees go on not only to exceed the targets but to achieve unimaginable growth. What if these staff were taking risks and not following company policies to meet the targets at any cost? What if that same company then went on to charge customers for products/services they didn’t want? What if this company also suffered massive data breaches? It’s not a what if. Not long ago, Wells Fargo was found to have pursued a business strategy that prioritised growth without ensuring appropriate management of risks.[1] What does this say about risk culture?

Closer to home, reflect on the now very public risk management failures of the Crown Resorts Group. The public inquiry, led by Patricia Bergin SC, highlighted (amongst other things) the misalignment between day-to-day practices, management reporting and the Board’s own risk appetite. What does this say about Crown’s risk culture if the management team determined to handle important developments themselves, without “troubling the Board”?

So – how’s your organisational risk culture?

Risk Culture & Maturity

An organisation’s risk culture encompasses an array of behaviours, beliefs, attitudes and competencies associated with perceptions of risk and related decision-making.

Risk culture is a subset of broader organisational culture, or “the way we do things around here”, noting that there may be several such cultures within an organisation.[2]

Collectively, risk culture determines a team, division, department or possibly an organisation’s commitment to the principles and practices of risk management. Alongside risk management frameworks, culture is a key influencing factor with respect to how individuals, teams or groups identify, manage, report and escalate risks.

Mature organisations effectively manage their risks. Such organisations have well-developed risk management frameworks, comprising formal policies, procedures, systems and processes.

More importantly, organisations with mature risk cultures have:

  • A documented and shared understanding of their risk appetite and target maturity
  • Systems in place to regularly (and independently) check the consistency or “current state” of their risk culture
  • Achieved “buy-in” at all levels of the organisation as to the value of risk management
  • An inclination towards continuously improving against key risk maturity indicators.

When organisations don’t quite get it right… and what you can do…

There are a number of common pitfalls and/or recurring themes amongst organisations with less mature risk cultures.

Deficient IT risk management systems

Perhaps the most common issue is that of a poorly constructed, broken risk management system. Or worse still, an IT system that drives rather than supports risk management. Risk management systems that fail to adequately capture and report risks become a hindrance to risk culture. Over time, such systems become sidelined and eventually all but ignored.

Typical pitfalls include the capture of too many risks; inconsistencies between system and organisational risk levels; overly complicated monitoring and review processes; insufficient training; and inadequate consideration of the resources required to both administer the system and ensure ongoing compliance.

A mature risk culture is underpinned by a system that is capable of capturing, managing and manipulating risk data. Implicit in this requirement is that there are processes by which risk owners keep this information up to date to enable accurate analysis and reporting.

Limited recognition that variation in individual risk perception impacts culture

No two people perceive risk in the exact same manner and as such, an organisation made of many individuals will generate many differing views on risks. By way of example, a retrospective examination of critical incident causation will generally highlight differences in individual perceptions of risks and possible consequences.

Better practice organisations define and communicate risk behaviours and attitudes, and ensure that these are built into recruitment, induction, as well as training, information and awareness initiatives. Lessons learned are communicated so that corrective action can be taken, and employees are encouraged to report concerns.

Positive outcomes are emphasised over extant risk

Organisations often promote positive achievements/activities irrespective of the fact that such actions incorporated a level of risk that attracted (or should have attracted) additional scrutiny and management oversight. This can lead to an escalation of risk tolerance and related attitudes/behaviours outside the desired culture, possibly increasing the overall risk.

Within a strong risk culture, risk roles, responsibilities and tolerances are clearly defined. While achievements are celebrated, lessons learned are reviewed to consider impacts on risk tolerances. In addition, risk tolerances are periodically reviewed by governance committees, including the Executive, Board and Audit & Risk Committee. Importantly, decision-makers understand the organisation’s risk appetite and act/escalate matters outside agreed tolerances.

Absent or inappropriate communication of risk

Another common issue associated with poor organisational risk culture is inadequate or unclear communication regarding acceptable and unacceptable activities/behaviours.

Organisations with mature risk cultures communicate clearly, consistently and often. These organisations look for every opportunity to incorporate conversations about risk management into day-to-day activities and performance discussions; include risk management as a standing agenda item on team meetings, and ensure risk policies, procedures and systems are accessible and understood by staff.

Building a Strong Risk Culture

It should come as no surprise that regulatory bodies are increasingly scrutinising risk culture. Public sector organisations are also increasingly coming to value a strong risk culture and hold their organisational leaders accountable. Independent assessment of risk culture is also an expectation of Boards and governance committees.

As recently noted by the Institute of Internal Auditors (IIA) Australia, there is currently no prescriptive role for the internal audit activity to audit risk culture. However, given the requirement to independently assess risk maturity and culture, there is an increasing role for internal audit in this regard. External collaboration with like organisations and risk specialists is also central to a mature risk culture.

There are a number of fit-for-purpose tools available to assess risk culture maturity, including Auditing Risk Culture: A Practical Guide (IIA 2021). The NSW Treasury has also released a Risk Maturity Assessment Tool Guidance Paper that can be adapted for various sectors and business contexts.

So, before you get started, there are a few final things to consider:

  1. Is your in-house internal audit team independent? If, like many organisations, you combine your risk and audit activities, the answer is probably not. This was the recent experience of a health-related client, which in turn opted to outsource its risk culture assessment to an independent and specialist provider.
  2. Is your organisation ready for the results? While your organisation may have documented its risk management policies and procedures, they might not be understood or consistently adopted. The results of a comprehensive, ‘deep dive’ risk culture audit might thus be too confronting. Consider instead the path of a small mutual bank client, which has opted for a phased approach involving the executive in the first instance, with ‘deep dive’ audits to be rolled out across various divisions in future years.
  3. To what level of maturity does your organisation aspire? Depending on the size and context of your organisation, it might not be cost effective or practicable to aim for ‘gold’ when ‘silver’ or ‘bronze’ is perfectly acceptable. This was a consideration for a moderate-sized NSW Local Council client when collaboratively developing a risk maturity program of works (i.e. a ‘roadmap’).
  4. What is your risk appetite, and is it shared by all layers of the organisation? Key decision-makers should have a shared understanding of organisational risks and related tolerances. There should be consistency between the risk appetite of the oversight body (e.g. the Board) and day-to-day decisions made by management/executive. Often an independent, specialist facilitator is required to elicit responses and craft the risk appetite statement, particularly given the divergence of views; this was the case for several recent Not for Profit and Government sector clients.

How can Centium help you?

Risk management is frequently perceived as a defensive discipline. At Centium, we see risk management as a positive force that benefits all organisations. Properly executed and integrated into strategic and operational planning models, risk management can be used to prevent or mitigate negative events.

Risk management is also important in enabling organisations to take better advantage of positive events and opportunities for growth. Risk culture and risk maturity assessments are thus a natural extension of this discipline. These services are further enhanced by expert advice and support to assist organisations in building risk maturity via a fit-for-purpose program of works.

Contact our Director Risk & Assurance for a no-obligation discussion on 0409 251 011 or at penelope.corkill@centium.com.au. Alternatively, browse Centium's range of Risk & Assurance services.


[1] Press Release, US Federal Reserve, 2 February 2018.

[2] Auditing Risk Culture Guide, IIA, 2021.
