Embedding an active risk culture



Brought to you by Comcover with the support of our service providers Major Training Services and Deloitte

Your feedback is important to Comcover. Please complete the survey at the end of this microbite as your feedback will inform the future development of learning resources that are designed to meet the needs of you and others within your organisation.

Kevin: Hello and welcome to Comcover’s microbite on risk culture. My name is Kevin Riley and over the last few years, I have been facilitating Comcover’s face-to-face risk management education activities. For those of you familiar with Comcover’s refreshed approach to risk management education, you will know that a series of microbite learning activities have been launched this year. Today’s microbite learning activity is a little different to the earlier ones. Today I will be joined by two of Comcover’s risk management subject matter experts, to discuss risk culture. Let me introduce our special guests. Joining us from a COVID-Safe studio in Sydney is Victoria Whitaker, Partner with Deloitte’s Risk Advisory practice. Welcome Victoria. And here with me in Canberra is Sal Sidoti. Sal is an independent risk consultant and is well known to many of you watching. Like me, Sal also facilitates Comcover’s face-to-face risk workshops. Welcome Sal. Sal, if I can turn to you first. Thinking about our workplaces, I often read and hear that the modern workplace engages with risk. Is it important? And if so, maybe you could explain why?

Sal: Yes it is important because of the challenges being faced in our constantly changing environment. Market and economic uncertainty, digital disruption, innovation and change, even the increasing need to ensure employees have a safe workplace all drives us to actively engage with risk. And so we need to see an organisational culture that supports this active engagement.

Kevin: So an organisation’s culture will provide norms about how to engage with risk. Victoria what do you see in an organisation’s culture when it supports engaging with risk? And also, what do you see that tells you the organisation’s culture doesn’t support engaging with risk?

Victoria: There are a handful of things we see consistently across organisations that engage well with risk. For example, when it’s part of everyday conversations. People talk about it without fear or intimidation, they get that in order to achieve their big goals they need to understand the risks and appropriate ways to manage them. The Leadership sets the tone from the top and promotes a culture of learning and risk-focused professional behaviour. People don’t feel afraid to have challenging conversations – they are challenging the risk, not the people. The relationship between risk and the business is one of partnership, facing into challenges together. When an organisation doesn’t have a strong risk culture, risk is done as a check-box exercise after the decision is made. It is a compliance activity. Or it can be overly conservative. Sometimes it’s perfectly acceptable to accept the risk, where we want to innovate and take risk. Or it isn’t central to conversations and decisions where there is uncertainty.

Kevin: Sal, let’s consider the Commonwealth’s environment. Reviews in the last five years across the APS suggest there is a culture of managing risk to the point of risk aversion. What do you believe causes this to be the case?

Sal: In part, it’s a communication issue, both in how people present risk information and the manner in which the information is received. Both need improvement. Being unable to properly communicate risk gives the impression that sometimes people are unaware of the risks their entity faces, or are perhaps over confident. Similarly, a deeply embedded belief that low risks are good risks leads to a desire to make them all low, whether that is necessary and appropriate or not. Not all risks need to be low, and great things are often not achieved without engaging with risk.

Kevin: And so what do we need to do to overcome that?

Sal: A good starting point is acknowledging that there is the “right” level of risk for every risk. For some risks, for example workplace health and safety, they should be low. But for others, higher levels of risk might be ok, and might lead to better, more economical, faster outcomes. Innovation is a word used a lot in the public sector today. Innovation requires staff to see risk as a part of their operating environment and not as something to be avoided but rather to be engaged with to realise opportunities.

Kevin: What about you Victoria, what are your views on the importance of a culture that openly discusses and embraces risk?

Victoria: Risk culture is essential to effective risk management. Risk culture emerged following the financial crisis in 2008 when regulators recognised that you can have all the risk policies and systems in the world to manage risk, but if the leaders and people of the organisation chooses to ignore them, chooses to put profit before everything, then the risk management systems are ineffective. They simply don’t work.

What is Risk Culture?

Kevin: What is risk culture? Can you characterise it for us?

Sal: Risk culture is that set of values, perceptions, attitudes and behaviours that characterize how people think about and manage risk every day. I often refer to it as “how your people manage risk when they think no one is watching.” Your risk culture will determine how the majority of your risks are managed on a day-to-day basis - the thousands of risks that might never find a home in a risk register or framework.

Victoria: Sal is right. Risk culture is all those things. It is the beliefs, mindsets and behaviours that are normalised within a workplace to be ‘the way we do things around here’. When we come into a workplace we receive symbols and messages about how to do things, and these can be written – like values and codes of conduct; or unwritten like the way we talk to each other, the way we dress, or the physical landscape. All of this provides us with messages about what we should do in the workplace, and influences our decision making. When we are thinking about culture, we are looking at how these things influence people’s choices at work, and how this becomes normalised within the workplace.

Kevin: Can you both talk about a real-life example of where you have witnessed active risk culture working? Maybe you can’t name the organisations, but what were they doing to make it real?

Victoria: I know of a financial services company who have really taken risk culture by the horns during COVID and have lived it. At a time when their risk controls were weaker, when they had a big role to play in the economic stability of Australia, they worked as a team with a clear purpose, and navigated risk to get products to market to help Australians respond to COVID. Their leaders spoke regularly and risk was always in the conversation. Where silos would normally exist they teamed to solve problems across divisions, and risk was brought in early. They met daily to understand emerging problems. They designed risk controls into technology solutions from the outset. They documented the justification of their decisions when the decisions were made.

Sal: An organisation I worked with was able to move the risk conversation away from “risk severity” to one of “desirability”. Instead of arguing where a risk was on matrix of coloured squares, they instead considered the opportunity or “prize” that was available, and asked “was the risk at the right level?” Was the risk too high, too low or just right? They also considered the impact of not taking the risk. People weren’t afraid to communicate risk, because it became part of a conversation about “what do we need to manage to be successful?”

Kevin: That brings us to the end of Part 1 of this Comcover microbite learning activity. I hope you have found today’s discussion informative and useful. In Part 2 we will discuss the Benefits of an active Risk Culture, Understanding where you are and where do you want to be, Risk culture building blocks and influencing behaviour change. See you then.

End of Part 1

1. Have you found this form of online education engaging?
2. Do you now have a better understanding of the importance of developing an active risk culture in an organisation ?

Did you find this content useful?