The benefits of a healthy risk culture may be well-understood, but how can risk managers establish where their organisation is on the spectrum of good to bad, and make measurable improvements? Sara Benwell investigates. 

Every organisation has a risk culture of some sort, whether it’s something the company has actively shaped or not.

Risk culture is about how employees make decisions every day of their working lives. It encompasses behaviours, attitudes and underlying understanding of risk. As one risk manager puts it: “It’s how we act when nobody is watching.”

For risk managers, that means that you can’t afford to hope for the best. Just because you haven’t been measuring risk culture, it doesn’t mean it’s not there, and whether it is positive or negative could have significant implications for your organisation.

Stefan Gershater, director of risk at Burberry, says: “‘Risk culture’ just describes the decision-making culture of a business. I don’t believe there’s a separate thing called risk culture because, actually, we should all be making good decisions as quickly as we can, with all the available evidence. You should be aspiring to that.”

Clive Thompson, technical adviser at the Institute of Risk Management (IRM), says: “The organisation will have a risk culture anyway, because it comprises a group of people who will have their own values, beliefs and personal attitude to risk.”

The challenge, then, is to understand your existing culture, which means measuring the prevailing attitude to risk and to the risk management approach within your firm.

Proactive risk assessment should be embedded in every decision made at an organisation. Your job is to shape the culture to make risk a company-wide priority.  Learn how in our risk culture special report.

Knowing where you’re at

A major complication is that risk culture is fluid, so risk managers need to monitor how it changes over time. When you start trying to influence culture, this allows you to measure the impact of your strategies.

The IRM suggests four key questions to consider:

  • How is leadership driving the organisation in respect to risk management? Do they set a clear direction with consistent messaging on the issue of managing risk?
  • How do leaders respond to ‘bad news’? Are the people who operate the risk framework encouraged to act in an open and transparent way, or are the messengers ‘sacked’?
  • How is the governance of risk applied? Are accountabilities for managing risk aligned with accountabilities for key business decisions? Are people allowed to ‘get away with it’ if success follows, even though controls may have been breached?
  • How transparent is the communication around risk management? Is timely information communicated widely and in an easily understood and meaningful format? Are examples of appropriate risk taking widely shared?

Matt Handley, chief risk officer at Handelsbanken, says audit processes are a key gauge of organisational culture. “When risk culture is good, the governance is there to challenge and bring problems to fruition. Nothing’s hidden away. In a poor risk culture, you find that governance was just a box-ticking exercise.”

Another indicator is how forward-looking your organisational decision-making is. Part of risk culture is a company’s collective awareness of the need to proactively prepare for future threats and opportunities.

Maya Wellig, head of global risk management at Sunstar, explains: “Organisations are faced with increasing levels of complexity, with shocks and crises appearing stronger and faster than ever before.

“Rather than waiting for adverse events to happen and having to firefight when they do – utilising funds and resources that are elsewhere engaged, and risking losses and turmoil – organisations need to put in place robust mechanisms of preparedness.”

Kerry Balenthiran, operations vice-president, group manager, business risk consulting (EMEA & Asia Pacific) at FM Global, adds: “It is too easy to cut corners when it comes to dealing with risk, and it often goes unnoticed in the short term.”

“People tend to be optimistic and underestimate the likelihood of something going wrong, until it is staring them in the face. Therefore, cultivating a robust risk culture often isn’t a priority until something breaks. In the worst case, this could lead to significant business disruption, highlighting the importance of protecting today to help drive prosperity tomorrow.”

Moving the needle

Once you’ve evaluated your organisation’s current approach to risk-based decision-making, the next step is positively shaping it to promote better outcomes.

For Balenthiran, this starts from the top. “Having risk management as a standing item for discussion by senior management, or a separate risk management committee that reports to the board, is a great way to set a positive and proactive tone,” he says.

“A risk framework needs to become part of the operational processes of all parts of the business. Manufacturing and service functions have this already to ensure quality and customer satisfaction, but it needs to include supply chain, marketing and facilities, and be broader than just quality. The organisation’s values need to reflect… what is and isn’t permissible in the pursuit of the organisation’s goals.”

One way to convince boards that they need to engage in proactive risk management is to track and disclose events that impacted results in recent years. This quantified approach has successfully improved risk culture at Sunstar.

Wellig explains: “Sunstar’s risk function has spent much time putting together such tracking lists – which include various adverse events from quality issues to failed investments, fraud cases, HR incidents, cyber-attacks and so on – and quantifying the losses that had incurred. Very often, when management – of all levels – is faced with these lists as well as with the actual monetary damage that they caused, it brings to life the need for proactive risk management.

“Sunstar’s risk function works closely with the business to not only identify risks, but also to mitigate them, via action-oriented workshops that it runs across the company, and by getting involved in cross-organisational risk mitigation activities. This allows the risk culture to trickle through the organisation and creates an environment of trust and collaboration.”

At Handelsbanken, one key driver of culture is the way the company thinks about reward and remuneration. When onboarding new candidates, significant time is spent talking about whether they are culturally aligned and have the same risk appetite or tolerance as the business.

Handley says: “We don’t pay bonuses. That drives a longer-term view and a little bit more commitment and ownership around the way the bank is operating and behaving.

“Everybody has risk-based objectives, because we want people to think about the risk that they are taking in their job and the risks that they are helping the bank to manage or reduce.”

He says that to achieve this, risk managers need strong allies, particularly in the HR department and the C-suite.

Gershater agrees that having a strong network of allies is critical, adding that it’s important to include strategists, financial planners and the operations team, so you can use risk as a tool for value creation. To achieve this, risk managers must focus on the positives.

He concludes: “You have to take risks, because you can’t create value out of thin air. It’s about taking risk more knowingly and if you manage to do that by tying the risks to objectives and by showing how risk is supporting value creation as well as value protection, then you move into the realm of decision support. You’re still looking at threats, but you’re showing how you can grow the business as well as protect it.”  

 
