Risk managers must ensure that their company’s risk appetite is not only communicated to all staff but is also fully understood.

The question of how culture can support risk management and prevention was addressed at the Airmic Risk Forum in London, where risk managers were told that a successful delivery of a risk appetite statement can not only add clarity to the business but also engage employees to assume more responsibility for risk and its management.

Tom Teixeira, partner at Arthur D Little, said companies needed to better communicate their risk appetite to those outside of the risk function and the boardroom.

“A company’s culture and its risk appetite go hand in hand,” he explained. “However, operations need to know they can never create a situation where you are taking zero risk, you will have to take risks and do so in an informed manner.”

Teixeira added: “You need to ensure that people across your business also understand the risks they are able to take and also the risks for which there is no tolerance whatsoever, taking risks around health and safety for example.

“You also need to ensure that the risk appetite is clear. It will do a lot to overcome risk appetite stigma in which staff are unwilling to take a risk that is within the company’s tolerance.”

He added: “If you are truly going to drive the culture you are seeing it will mean anyone reading the risk appetite statement will be able to recognise that it is relevant to their organisation.”

While some risks, such as cyber risk, remain generic across business today, Teixeira explained that there needed to be a hefty dose of realism in the statement.

“We cannot quote from the theory books,” he added. “It is a question of how do we do this practically. I am often asked whether there is a guide that businesses can simply access around risk appetite. There is not.”

Putting statements to good use

The panel said that businesses needed not only to create a risk appetite statement but also to ensure that it was put to effective use.

Teixeira commented: “The challenge for boards is, ‘now we are comfortable the risk appetite statement is specific to the organisation, we need to understand where we are operating outside of our risk tolerances’.

“It does not mean that the risk has already materialised; it just means that you have an early warning of the risk and the ability to make better decisions down the road.”

Jeremy Waters, senior risk manager at QBE, told the delegates that a successful risk appetite statement and framework had to be “dynamic and action focused”.

He added that the risk appetite statement depended on key areas: relevance, alignment, the ability to be measurable, being a document that led the conversation and understanding, and ensuring that firms looked at the root cause.

“If anything, the root cause area is one where many firms fall down,” he explained. “You need to look beyond the risk itself and tackle the root cause if you are to truly put in place the ability to prevent the risk.”

“Take for instance the risk that you lose your best and most talented staff. You need to understand what, if anything, would make those staff seek a role elsewhere. It could be pay, it could be progression opportunities. If you understand what the root cause might be you can take action to prevent it becoming an issue.”

He added: “You need to get to the nub of these root causes and look at the data at a very low level to drive the dynamism of your risk appetite statement. It has to be a living document. Companies’ risks change and so do their appetites.”

Going back to basics

When asked what the dos and don’ts are when establishing a risk appetite statement, Waters said on many levels the lines can be blurred.

“Advances in data analytics are improving significantly,” he explained. “But a pitfall in this advance is that it leads to the temptation of creating new sources of data. Given the level of data already available, creating new sources can often be unhelpful.

“One of the dos is using data to engage the business and help drive wider ownership of the risks rather than keeping it within the risk function.”

Waters said that with any document of such importance, risk expectations needed to be managed.

“Do not underestimate the time it takes to do this,” he said. “It takes time and it takes effort.

“Set clear expectations and do not look to utilise the strategy only when it is 100 percent complete. You need to take a drip feed approach and continue to build and design it as you go.

“Also resist the need to fill a piece on your dashboard with data that does not add anything.”