Key elements to developing and maintaining a Risk Culture

25 July 2019

The strength of organisational culture determines how a company responds to risk. Risk culture is an invaluable aid in moving from a “have to do” compliance attitude to adding proper value for an organisation.

History is littered with corporate failures and risk culture is often a major reason. Company values and norms do change over time as the company matures and a perfect example of this is Uber. In late 2017, the Uber CEO publicly shared the new cultural norms including “We do the right thing. Period” and “We celebrate differences”. Former values included “always be hustling” and “toe-stepping” which although intended to encourage employees were often misunderstood and used as an excuse for bad behaviour.

Five core requirements for risk culture:

1. Employees should drive the company culture – Board or senior management to provide guidance on risk taking and awareness and ensure they live the culture. Employees are more likely to adhere to a culture that they have essentially developed.
2. Employ the correct people – During the recruitment process far more emphasis should be placed on soft skills especially alignment of personal and company values. Products or service offerings can be learned, but a good culture is still the best value add.
3. Continuous training – Risk culture, risk awareness, risk appetite and ethics. Make it simple, clear and ensure the required behaviour and consequence is included.
4. Consequence and reward – Correct behaviour must be recognised and rewarded while bad behaviour must have consequences.
5. All must be treated equal – Individual accountability is required. “What you say” must be the same as “What you do” and equal treatment at all levels of the organisation is key.

One definition of risk culture is “the values in a company that guides risk decision taking”, but this cannot be actioned without the equivalent personal employee norms and their relationship to risk. Employees must want to take informed risks and not have to. Ideally, new recruits are selected with culture in mind, however regular ongoing monitoring is always needed.

Risk culture is difficult to measure as is common with many soft skills, however regular staff surveys will provide valuable feedback and can be compared to industry norms. Interviews can be performed if indicated by the survey results. The main takeaway is that risk culture is an ‘all the time’ exercise and needs to be continually monitored and actioned.

How risk management can help:

• Risk awareness. All staff should understand the basics of risk management and their own responsibility.
• Ensure accountability if the risk decision process is not followed correctly.
• Enable full participation is risk management – it is not just the job of the risk management team as essentially all employees are risk managers.
• Risk framework should assist business and not hinder. Should be efficient, simple and easy to understand.
• Promote the understanding of balancing risk taking with the internal control environment.
• Treat reported incidents seriously and respond properly.

Author – Warrick Asher

Acknowledgement:

Washington post – ‘Hustlin’ is out. Doing ‘the right thing’ is in. Uber has rewritten its notorious list of core values.