In the current era of global regulatory change, much focus has been directed towards the substantive and structural elements of risk management and regulatory compliance. Questions range from “What is your solvency margin and capital sufficiency?” and “What is your governance structure?” to “What process ensures that you are compliant with regulatory, licensing and legislative requirements?” The often overlooked and underappreciated element is organisational culture and the impact it has on the company’s response to risk.
While the structural implementation and operation of your Governance, Risk and Compliance framework is important, having an appropriate Risk Culture aids the transition from mere compliance to something that creates value for an organisation. This is evident from the instances of employee-created reputational damage to financial service institutions. In most cases, adequate frameworks are in place but they are not embedded in business operations due to a misaligned risk culture.
Risk Culture, although widely defined in conflicting manners, generally includes the values, beliefs, knowledge, attitude and understanding of risk shared across an organisation. It’s manifested in how an organisation reacts to uncertainty and risk, and is organisation-wide (operational, strategic, market/investment, and underwriting). An appropriate Risk Culture will differ between organisations and industries, but it’s one that’s aligned with business strategy and ensures all members of your entity approach risk in the manner which senior management and the Board expects.
Ultimately, a company’s Board and senior management own the Risk Culture. While Organisational Culture is a topic for human resources, Risk Culture should be the focus of your Business Operations and Risk Management functions.
Some elements of Risk Culture are:
- Governance - A company’s Board or senior management should form a clear and communicable approach to risk, which is understood by all levels of the employee hierarchy.
- Tone from the top - Consistency in corporate communication, decision making and actions is critical to avoid misinterpretation. Employees may otherwise adopt “what you do” over “what you say.”
- Accountability - Lines of accountability need to be clear and enforced, preferably to individuals rather than committees where accountability is often lost.
- Incidents and Escalation - The focus should be on the identification of what actually went wrong, what can be learned, and whether changes to process or controls are required. Deal with disciplinary action or the assignment of accountability as a separate matter to encourage open discussions.
- Incentives and Remuneration - Measure and reward performance based on your desired Risk Culture, both financially and non-financially. Setting goals around key performance indicators will influence the culture you create.
- Training, Succession Planning and Talent Management - These elements should support and enforce the desired culture and behaviour. Be conscious of your Risk Culture when making decisions around them.
- Acceptance - Understand your risk appetite (what you are willing to risk). Should a loss occur within this appetite, learn what you can from it and move on. Many organisations expect perfection, especially in operational processes. Layering controls on top of controls to avoid acceptable errors only adds bureaucracy, which deters employees from enforcing your framework. Find the right balance.
- Core competency - The Risk Culture should support your business strategy and core competency. There is a close link between the success of a strategy implementation and the organisational culture. If they are not already aligned, then changing one is critical to changing the other. Ask yourself whether what you see in your Risk Culture mirrors what your clients perceive.
3 Ways to Measure Risk Culture
1. Assess it with managers - Objectively engage with your managers to discuss the above topics, form an opinion of your culture and compare this with that of senior management or the Board.
2. Survey - This is a quick tool to obtain insight into your Risk Culture. Comparing year-on-year, or benchmarking results against industry, provides guidance on areas for improvement or misalignment. It also assists your Board in forming an opinion about your company culture and offers a measure to be able to define what is appropriate.
3. Interview Employees and Teams - A more intensive approach is to interview employees where the survey results indicate hot spots, especially if your understanding of the result is unclear, or to discuss potential action points.