Risk culture is increasingly a hot topic, but how can risk managers move the needle? Strategic Risk caught up with Clive Thompson, technical adviser at the Institute of Risk Management, to find out.
What is risk culture and why is it important?
The IRM describes risk culture as the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.
It recognises that people control organisations and whatever risk management approach is adopted, ultimately it is the people in the organisation that will operate that approach. They do so according to the style of behaviours inherent in the organisation.
That organisational culture when applied to the risk management approach becomes the risk culture. I guess you can sum it up as ‘the way we do things here’.
The IRM’s thought piece on risk culture from 2012 is still current thinking and suggests that it comprises a complex interrelationship between personal predisposition to risk, personal ethics, behaviours, and organisational culture.
Its importance is recognised in both the standards and by regulators: ISO 31000 refers several times to the need for managing risk to be integrated into the organisation’s culture, and, particularly in the financial services world, risk culture is measured and managed since, according to the European Central Bank, risk culture “shapes management’s and employees’ day-to-day decisions and has an impact on the risks they take”.
What are some of the challenges when creating a risk culture?
I think here we mean the challenges of ‘shaping’ a risk culture.
The organisation will have a risk culture anyway because it comprises a group of people who will have their own values, beliefs and personal attitude to risk.
The challenges to ‘shaping’ a good or preferred risk culture arise firstly from the need to understand where you are starting from: what is the prevailing attitude to risk and to the risk management approach.
From here you can then describe where you want to be and plan how to make that inevitable change. That may involve rolling out new training methods, applying new forms of control, or finding different ways to reward and incentivise people.
What are some of the practical steps that risk managers can take to embed risk culture measurement in their organisations?
Risk managers should always be thinking to themselves: ‘What is the organisation’s risk culture and how is it changing over time?’
The IRM’s risk culture model suggests four key aspects to look for:
- How the leadership drive the organisation with respect to risk management. Do they set a clear direction with consistent messaging on the issue of managing risk?
- How do leaders respond to ‘bad news’? This often provides the clearest example of the risk culture. Are the people who operate the risk framework encouraged to act in an open and transparent way? Or are the messengers ‘sacked’?
- How is the governance of risk applied? Are accountabilities for managing risk aligned with accountabilities for key business decisions? Are people allowed to ‘get away with it’ if success follows even though controls may have been breached?
- How transparent is the communication around risk management? Is timely information communicated widely and in an easily understood and meaningful format? Are examples of appropriate risk-taking widely shared when it is successfully applied?
Can you give any examples of successful culture-building initiatives?
Looking at the company from the outside I would say that BP has probably successfully changed its risk culture.
They were at a catastrophically low point following a series of mergers coupled with disinvestment in risk, which could be said to have been underlying reasons for both Texas City refinery explosions killing 15 and injuring 500 in 2005, before Deepwater Horizon in 2010, which killed 11, injured 17 and caused untold pollution on the Louisiana coast and in the Gulf of Mexico.
From there a change at the board level is said to have re-prioritised risk management and the incentive structure was altered to bring risk to the fore.
Of course, they are currently reaping financial rewards from the volatility in carbon markets and they have a stated vision of transitioning out of carbon fuels.
They now state that “at BP, safety comes first and is foundational to everything we do” and they also openly communicate their failures.
In a similar vein of transforming risk culture because it was catastrophically bad would be RBS.
The FSA review led by Lord Turner said RBS had “underlying deficiencies in… its culture, particularly its attitude to the balance between risk and growth”.
The bank now works to a different regulatory regime which has also forced a change (along with Government control) but the company has had to change its name (back to NatWest) and they state that “Risk culture is at the centre of both the risk management framework and risk management practice”.
They have introduced a new code, and policies, and have identified standards of behaviour they expect from employees.
Such actions haven’t distanced them from controversy, however; Coutts, being part of the group, suffered the recent Farage farrago which precipitated the fall of another CEO of the Group.