Logo of Centium
Contact Us

Why failing to build strong organisational risk culture could be your biggest risk

September 1, 2021

How would you describe your company’s organisational risk culture?

Before you answer…

Cast your mind over recent publicly prominent investigations that have raised organisational risk management failings, with ever-increasing scrutiny of organisational risk culture.

Imagine for a moment a research department seeking to be the first to deliver new technologies. What if, in the race to deliver, staff take unacceptable risks and develop work-around technologies to meet the targets at any cost? What if these technologies go on to dupe millions of customers and cause untold reputational damage to the company? You don’t have to imagine, just remember Volkswagen’s recent failings.

Now consider a company that incentivises its employees using aspirational sales targets – these employees go on to not only exceed the targets but achieve unimaginable growth.  What if these staff were taking risks and not following company policies to meet the targets at any cost? What if that same company then went on to charge customers for products/services they didn’t want? What if this company also suffered massive data breaches? It’s not a what if. Not long ago, Wells Fargo was found to have pursued a business strategy that prioritised growth without ensuring appropriate management of risks.[1] What does this say about risk culture?

Closer to home, reflect on the now very public risk management failures of the Crown Resorts Group. The public inquiry, led by Patricia Bergin SC, highlighted (amongst other things) the misalignment between day-to-day practices, management reporting and the Board’s own risk appetite. What does this say about the Crown’s risk culture if the management team determined to handle important developments themselves…without “troubling the Board”?

So – how’s your organisational risk culture?

Risk Culture & Maturity

An organisation’s risk culture encompasses an array of behaviours, beliefs attitudes and competencies associated with perceptions of risk and related decision-making. 

Risk culture is a subset of broader organisational culture, or ‘the way we do things around here” - noting that there may be several such cultures within an organisation.[2]

Collectively, risk culture determines a team, division, department or possibly an organisation’s commitment to the principles and practices of risk management.  Alongside risk management frameworks, culture is a key influencing factor with respect to how individuals, teams or groups identify, manage, report and escalate risks.

Mature organisations effectively manage their risks. Such organisations have well-developed risk management frameworks, comprising formal policies, procedures, systems and processes. 

More importantly, organisations with mature risk cultures have:

  • A documented and shared understanding of their risk appetite and target maturity
  • Systems in place to regularly (and independently) check the consistency or “current state” of their risk culture
  • Achieved “buy-in” at all levels of the organisation as to the value of risk management
  • An inclination towards continuously improving against key risk maturity indicators.

When organisations don’t quite get it right… and what you can do…

There are a number of common pitfalls and/or reoccurring themes amongst organisations with less mature risk cultures

Deficient IT risk management systems 

Perhaps the most common issue is that of a poorly constructed, broken risk management system. Or worse still, an IT system that drives rather than supports risk management. Risk management systems that fail to adequately capture and report risks become a hindrance to risk culture. Over time, such systems become sidelined and eventually all but ignored.  

Typical pitfalls include the capture of too many risks; inconsistencies between system and organisational risk levels; overly complicated monitoring and review processes; insufficient training; and inadequate consideration of the resources required to both administer the system and ensure ongoing compliance.

A mature risk culture is underpinned by a system that is capable of capturing, managing and manipulating risk data. Implicit in this requirement, is that there are processes by which risk owners keep this information up-to-date to enable accurate analysis and reporting.

Limited recognition that variation in individual risk perception impacts culture

No two people perceive risk in the exact same manner and as such, an organisation made of many individuals will generate many differing views on risks. By way of example, a retrospective examination of critical incident causation will generally highlight differences in individual perceptions of risks and possible consequences.

Better practice organisations define and communicate risk behaviours and attitudes, and ensure that these are built into recruitment, induction, as well as training, information and awareness initiatives. Lessons learned are communicated so that corrective action can be taken, and employees are encouraged to report concerns.

Positive outcomes are emphasised over extant risk 

Organisations often promote positive achievements/activities irrespective of the fact that such actions incorporated a level of risk that attracted (or should have attracted) additional scrutiny and management oversight. This can lead to an escalation of risk tolerance and related attitudes/behaviours outside the desired culture, possibly increasing the overall risk.

Within a strong risk culture, risk roles, responsibilities and tolerances are clearly defined.  While achievements are celebrated, lessons learned are reviewed to consider impacts on risk tolerances. In addition, risk tolerances are periodically reviewed by governance committees, including the Executive, Board and Audit & Risk Committee. Importantly, decision-makers understand the organisation’s risk appetite and act/escalate matters outside agreed tolerances.

Absent or inappropriate communication of risk

Another common issue associated with poor organisational risk culture is inadequate or unclear communication regarding acceptable and unacceptable activities/behaviours.

Organisations with mature risk cultures communicate clearly, consistently and often. These organisations look for every opportunity to incorporate conversations about risk management into day-to-day activities and performance discussions; include risk management as a standing agenda item on team meetings, and ensure risk policies, procedures and systems are accessible and understood by staff.

Building a Strong Risk Culture

It should come as no surprise that regulatory bodies are increasingly scrutinising risk culture.  Public sector organisations are also increasingly coming to value a strong risk culture and hold their organisational leaders accountable. Independent assessment of risk culture is also an expectation of Boards and governance committees.

As recently noted by the Institute of Internal Auditors (IIA) Australia, there is currently no prescriptive role for the internal audit activity to audit risk culture. However, given the requirement to independently assess risk maturity and culture, there is an increasing role for internal audit in this regard.  External collaboration with like organisations and risk specialists is also central to a mature risk culture.

There are a number of fit-for-purpose tools available to assess risk culture maturity, including Auditing Risk Culture: A Practical Guide (IIA 2021). The NSW Treasury has also released a Risk Maturity Assessment Tool Guidance Paper that can be adapted for various sectors and business contexts.

So, before you get started, there are a few final things to consider:

  1. Is your in-house internal audit team independent?  If like many organisations, you combine your risk and audit activities, the answer is probably not. This was the recent experience of a health-related client, which in turn, opted to outsource their risk culture assessment to an independent and specialist provider.
  2. Is your organisation ready for the results?  While your organisation may have documented its risk management policies and procedures, they might not be understood or consistently adopted. The results of a comprehensive, ‘deep dive’ risk culture audit might thus be too confronting. Consider instead the path of a small mutual bank client, which has opted for a phased approach involving the executive in the first instance, with ‘deep dive’ audits to be rolled out across various divisions in future years.
  3. To what level of maturity does your organisation aspire?  Depending on the size and context of your organisation, it might not be cost effective or practicable to aim for ‘gold’ when ‘silver’ or ‘bronze’ is perfectly acceptable. This was a consideration for a moderate-sized NSW Local Council client when collaboratively developing a risk maturity program of works (i.e. ‘roadmap’).
  4. What is your risk appetite and is it shared by all layers of the organisation?  Key decision-makers should have a shared understanding of organisational risks and related tolerances. There should be consistency between the risk appetite of the oversight body (e.g. Board) and day-to-day decisions made by management/executive. Often an independent, specialist facilitator is required to elicit responses and craft the risk appetite statement, particularly given the divergence of views - this was the case for several, recent Not for Profit and Government sector clients.

How can Centium help you?

Risk management is frequently perceived as a defensive discipline. At Centium, we see risk management as a positive force that benefits all organisations. Properly executed and integrated into strategic and operational planning models, risk management can be used to prevent or mitigate negative events.

Risk management is also important in enabling organisations to take better advantage of positive events and opportunities for growth. Risk culture and risk maturity assessments are thus an exciting extension of this discipline. These services are further enhanced by expert advice and support to assist organisations build risk maturity via a fit-for-purpose program of works.

Contact our Director Risk & Assurance for a no-obligation discussion on 0409 251 011 or at penelope.corkill@centium.com.au. Alternatively, browse Centium's range of Risk & Assurance services.

[1] Press Release, US Federal Reserve, 2 February 2018.

[2] Auditing Risk Culture Guide, IIA, 2021.

Our Clients