An entity’s risk management framework must support a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.
This information sheet is intended to assist Commonwealth officials at the Specialist and Executive levels understand:
- how culture is developed and influenced
- assessing an entity’s current cultural state for managing risk
- determining a target culture state
- implementing a risk culture change program
Risk culture is a subset of organisational culture of an entity and refers to the system of beliefs, values and behaviours throughout an organisation that shape the collective approach to managing risk and making decisions. A positive culture for managing risk is strongly influenced by organisational culture and exists when officials understand the risks facing their entity and consistently make appropriate risk-based decisions. A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Such a culture supports an open discussion about uncertainties and opportunities, encourages staff to express concerns, and maintains processes to elevate concerns to appropriate levels.
Any entities culture is complex and will be driven by a number of factors. Before attempting to change an entity’s culture it is first useful to understand the ways in which people are influenced. The key channels through which people in an entity are influenced and pick up cultural messages are:
1. Role Models. The risk management behaviours that role models display will be influential on others, including both positive and negative behaviours. In doing this, they instil values that over time become the core beliefs about acceptable behaviour in an entity.
2. Explicit messages. Explicit messages incorporated in entity policies and procedures set out expectations and influence behaviour. During their careers, officials are provided with many instructions and guidelines from their entity. These are influential in determining how officials view and manage risk. The first few weeks and months of an official joining an entity are particularly crucial as this is when they can be influenced the most. During recruitment and induction procedures you are able to clearly articulate the kind of entity they are joining, what values are important to the entity and what behaviour is expected of them. It is also important to consider who conveys these messages and how they are delivered.
3. Incentives. The manner in which officials are rewarded and recognised for displaying good risk management behaviours will indicate how risk management is valued. Officials will be unlikely to take appropriate risks if there is no incentive to do so or where risk taking is punished. Remuneration policies will positively influence the desired risk culture if they are designed to encourage and provide incentives for staff to actively engage with risk in line with the entity’s risk management framework.
4. Symbols and actions. The daily actions of senior officials are noticed by staff and often mirrored. Think about whether senior officials manage risk in the manner in which they would like their staff to. Small, positive actions by senior officials can take on much wider symbolic importance and can help spread values across the entity.
5. Business strategy, risk appetite statement and internal policies. An entity’s strategic outlook and willingness to accept or retain risk in order to achieve its objectives helps formulate and shape the culture for managing risk. Well-understood business strategy, policies and a risk appetite statement will create an environment where the way in which staff at the operational level view and interact with risk is culturally aligned with the leaders and management of the entity. This can be achieved through establishing robust and prudent internal policies and communicating them effectively.
6. Education and training. Initial induction training as well as ongoing risk education and awareness programs helps instil an entity’s desired risk culture and approach to engaging with risk. An entity is able to embed and reaffirm to staff what is expected of them in relation to their behavioural approach to engaging with risk.
Culture is also heavily influenced by behaviour. Some examples of desirable and detrimental risk behaviours are provided below.
The first step in developing a positive risk culture is understanding your entity’s current risk culture and how well it supports the entity’s approach to managing risk. One way in which this can be done is to break down risk culture into more measurable attributes, some of which are illustrated below. Investigating these attributes provide a baseline against which any attempts to shape the risk culture of an entity can be measured.
Appendix A to this information sheet briefly explains each of these indicators and provides examples of corresponding attributes of a positive risk culture which can be used to derive goals for a cultural change programme.
One way to measure the current status of each of these indicators is to undertake a survey. This not only provides information on the current risk culture but also provides a benchmark which can be used to measure progress over time.
An analysis of the survey results can also provide a detailed understanding of how staff think and act in relation to risk management. This can assist in identifying the root causes of any undesirable attitudes and behaviour.
Some issues to consider when developing a risk culture survey include:
- Do role models display the right behaviours?
- Are we communicating consistent and useful risk-related messages?
- Are people comfortable discussing risk, or are they afraid to raise difficult issues? How quickly do they raise issues?
- Do our reward and recognition programmes reinforce a positive risk culture?
- Is the effective management of risk an integral part of the entity’s performance?
- Are people clear on the risks they are accountable for? – Do people have the right skills to manage risk effectively?
- Does the time required to complete risk management processes exceed the value they add?
- Do people sometimes need to bend the rules to get things done?
Another method to consider is supplementing any questionnaires by interviewing officials in the entity. This can assist in validating the results of the survey and uncovering any additional issues. Interviewing senior officials can be particularly useful in determining the current and desired risk culture.
Some questions to consider when interviewing senior officials include:
- Who has primary accountability for the entity’s risk culture – are they sufficiently senior, knowledgeable and engaged?
- Do our governance systems and culture support the implementation of our strategy?
- What values are – and are not – expressed in our culture?
- Are we truly practicing good governance and adhering to our values?
- How can we best align our goals and our risk culture with our corporate plan?
- Where we see misalignment between our goals and our culture, what is the cause?
- How can we drive positive values throughout our culture?
- Have we developed a common language around risk that defines risk-related terms and measures and promotes risk awareness in all activities and at all levels?
- What tools are we using to gauge our risk governance effectiveness, and with what results?
Once the entity’s current risk culture is understood, it is important to determine your target risk culture. A useful technique to determine this is to use a risk management maturity model such as the maturity model adopted in Comcover’s Risk Management Benchmarking Program. This allows you to plot your current maturity and identify what level of risk management maturity is most appropriate for the entity. This can also allow you to target specific areas of the framework that need to be improved.
As with any cultural change programme, it is important to determine what changes are most critical, and to target them with practical and focused actions. One particular strategy is to review those areas where the risk management culture is particularly positive to understand how they can be leveraged and replicated in other areas.
Importantly, regardless of what tool you use to measure and influence risk culture it will be most effective if undertaken regularly in a structured and deliberate manner. This will allow for trends from year-to-year to be analysed and make it easier to identify areas for improvement.
All officials are responsible for communicating risk and sharing risk information within an entity and with external stakeholders as appropriate. Open communication requires time to develop and relies on officials acknowledging that good risk communication provides an opportunity to innovate and improve performance.
As part of effective communication, entities are encouraged to provide regular, candid briefings on key risks, threats and opportunities. Where appropriate, significant issues can then be escalated to the accountable authority and/or minister. This will help create an environment where there are transparent discussions about risk information, which encourages people to speak up and escalate their concerns.
Communicating risk information within an entity is important, as it maintains confidence and trust and develops a common understanding of the entity’s risks. External stakeholders such as ministers, other government entities, suppliers and the wider community may need an opportunity to communicate their views and feel involved in decision making where appropriate.
Cultural change will likely require meaningful changes to established ways of operating and will take time. It is rarely possible to successfully change more than 5 aspects of an entity’s culture in a 12 to 18 month period.
Therefore, entities may wish to consider focusing on the few key changes that are most important.
It is important to adopt a targeted, systematic approach to cultural change that focuses on a few key issues at a time. Understand the risk behaviours you want to change most, develop practical strategies to achieve this, and then repeat the process over time.
Improving risk culture is a process that can be separated into 3 broad stages which are depicted below:
Stage 1: Building awareness of risk culture
The awareness stage involves establishing the basic expectations for managing risk in the entity and defining relevant roles and responsibilities around risk. Clear, consistent and continuous communication from leadership is an important aspect of setting these expectations.
Educate officials about risk either informally or through formal training so that they can meet the entity’s expectations for managing risk. It can be useful for training and development programmes to leverage real examples and scenarios as a powerful catalyst to prepare individuals for change.
Stage 2: Changing an entity’s culture
Once the desired culture for managing risk has been established and communicated, the next step is to develop and implement practical strategies to achieve this. This is the stage where motivational systems are developed to reward the desired risk behaviours and discourage the wrong behaviours.
The information located in the Understanding how culture is influenced and developed section, describes the 4 primary channels through which officials receive indicators about their entity’s culture. Entities may wish to consider these channels when developing strategies to change the entities risk culture.
In designing strategies to change the risk culture, an effective review process can be used to identify the root cause of any behavioural shortcomings or weaknesses. Communications and training alone will not be effective without understanding the underlying drivers of risk attitudes and behaviours. Assessment and communication of lessons learned are an opportunity to enhance the entity’s risk culture, and to enact real change for the future.
Where possible, it can be useful to integrate any risk management improvement initiatives with other major change programmes in the entity.
Stage 3: Refining the entity’s culture
Entering the third stage, entities will have achieved many of the desired changes to their risk culture. The next step is to begin monitoring cultural performance versus expectations. An ongoing regular programme of risk culture assessment and comparison to prior results provides an objective way to demonstrate the real impact of changes achieved while also identifying any new or emerging areas requiring attention.
Having successfully achieved change in Stage 2, it is important to continue to make considered adjustments of strategies and communications in order to maintain a positive risk culture. Only entities that can demonstrate that they have the ability to adjust and adapt will be able to maintain a positive risk culture when their operating environment changes.
All Commonwealth Officials.
Risk culture is the component of an organisation’s culture that encourages informed risk taking through decisions made within the entity’s appetite and tolerance for risk. An organisation’s risk culture is critical in driving the day-to-day behaviours that support an entity’s strategy and how it manages risk.
Some ways Commonwealth Officials can instil a positive risk culture include:
- Implementing basic risk management practices in day-to-day work.
- Being a positive role model to the team with regards to discussing and engaging with calculated risk.
- Developing and fostering a culture where everyone in the team understands the entity’s approach to risk.
- Leveraging expertise within the organisation to improve the team’s understanding of the entity’s risk environment.
There are tools that can help a team with implementing basic risk management practices such as identifying, assessing, tracking and communicating risk. Having a risk register, and status reporting to communicate and escalate risks, lays a strong foundation for maturing the risk culture of a team.
Risk registers can be a useful way to document, manage and track risks that have been identified and assessed. This usually includes: a brief description of each risk, the likelihood and consequence, and a list of actions to manage the risk. Risk registers can only facilitate meaningful discussions to inform decision making if they contain risk information that is well maintained and relevant to the achievement of the team’s strategic objectives.
Incorporating a summary of key risks into regular status updates can help identify any emerging risks and draw the attention of decision makers. Integrating a team’s key risks into status updates to their leaders can help to draw clearer links between the team’s risks and the risks across their Branch or Division. This in turn can provide the leaders of a business unit or division with a holistic view of their risk environment and any emerging risks.
Risk champions demonstrate behaviours that support a positive risk culture. Team leaders can role model these behaviours, as well as support others in team to do so.
The role of a risk champion
- Communicating risk information.
- Supporting others with managing risk appropriately.
- Helping identify emerging opportunities or opportunities associated with risks.
- Identifying issues or concerns, and raising these with leaders for support and early intervention.
- Hosting relevant training sessions for their teams.
- Testing and providing feedback on risk culture surveys and encouraging their team to participate in risk culture data collection exercises.
Being a risk champion is an effective way to contribute to the organisation’s culture, and can provide learning, networking and leadership opportunities across the business.
There are some effective habits that team leaders can introduce to foster more risk intelligent cultures. These include:
- Clearly outlining roles and responsibilities with respect to risks: Ensuring people are clear on their responsibilities in terms of risk management processes contributes to accountability and ownership of those responsibilities. This is especially important when it comes to responsibility for controls and treatments.
- Conducting regular risk meetings: Setting up a recurring meeting, or adding risk as an agenda item in a regular team meeting, is helpful for normalising the discussion of risk. Ensuring the agenda encourages people to discuss opportunities and raise emerging risks is also important for nurturing more positive mindsets in relation to risk.
- Implementing positive risk management practices: Implementing risk registers and regularly reporting on risk to leaders, and reinforcing the importance of risk in communications and role modelling, are a foundational elements of establishing a positive risk culture.
- Fostering psychological safety: Psychological safety is a belief that no-one will be punished for speaking up with ideas, questions, concerns or mistakes. When team leaders share their own mistakes, ideas, concerns or questions it empowers others to do the same. Recognising when others in the team have done this and positively reinforcing it can help build psychological safety in the team and raising risks.
- Having explicit discussions about preferred ways of working: Encouraging discussions about ways of working and working preferences can help to highlight the diversity of styles of individuals within the team, can ensure a more efficient operating environment and help the team collectively manage risk while playing to their strengths.
This guidance is intended to assist Specialist Risk Practitioners with measuring risk culture and using those findings to create change towards a positive risk culture.
A positive risk culture is one where everyone in the team manages risk as part of their day-to-day work.
Some ways risk practitioners can develop a positive risk culture include:
- Defining the desired risk culture behaviours.
- Leveraging data to measure, monitor and evaluate the risk culture and change activities.
- Changing risk behaviours across the organisation.
- Supporting the business and leadership in enabling an effective risk culture.
Risk culture is the component of an organisation’s culture that encourages informed risk taking through decisions made within the entity’s appetite and tolerance for risk. An organisation’s risk culture is critical in driving the day-to-day behaviours that support an entity’s strategy and how it manages risk.
Articulating a target risk culture state informed by the purpose, values, strategy and risk appetite of the organisation allows an organisation to measure progress towards its target state. A target risk culture provides a basis for measuring the current risk culture state, determining the gap between the target state and current state, and establishes the roadmap for change.
To define the organisation’s target risk culture state, consider the desired behaviours (what people do) and mindsets (what people think and feel), that would support the values, strategy and risk appetite of the organisation.
To define the behaviours and mindsets, consider asking open-ended questions such as:
- What should people stop doing to manage risk effectively?
- What should people start doing to manage risk effectively?
- What should people continue to do to manage risk effectively?
- How should people think and feel about risks and risk management?
- How should people within the organisation speak about and communicate risks?
Comcover’s risk culture model provides an important starting point when considering the drivers and behaviours underpinning an effective risk culture.
After defining the target risk culture state, it is important to then understand the current risk culture state as well as the drivers of behaviours that are creating a distance between current state and target risk culture state.
Why measurement and data are important
By engaging with employees to gather data on their perceptions of risk management, it is possible to better understand the mindsets and the drivers of behaviours that support effective risk management. Perception based data, gathered through surveys, interviews, and focus groups, can be aligned with business data to paint a picture of how beliefs, norms and perceptions are impacting risk outcomes, as well as establish the drivers that bring about those beliefs, norms and perceptions.
Measuring and monitoring risk culture
The measurement of risk culture needs to use multiple sources of data and provide insight into the drivers of any areas of concern. To best achieve these outcomes, the following data collection and analysis procedures could be used:
1. Defining areas of interest
Before collecting data, it is important to first develop the questions that need answered. These should be developed to align to the desired state of the behaviour and mindsets in relation to risk, and the areas of risk that management are curious about. Once the questions are established, data collection and analysis should be targeted to reveal the most useful insights.
When trying to understand the risk culture, some questions to help clarify those areas of interest include:
- Does the current risk culture state align with the target risk culture state?
- What are the strengths and opportunities for improvement in relation to risk culture?
- Are the risk culture change initiatives effective?
- Are there subcultures within the organisation with respect to risk culture?
2. Getting senior leadership buy-in
Some strategies to get buy-in from senior leaders to undertake a risk culture assessment include:
- Identifying a champion in the senior leadership team who might be more receptive to risk culture as a topic. They can then support the exercise among their peers.
- Linking risk culture with the risk and organisational strategy. Senior Leaders are focused on achieving Strategic Objectives and using data or indicators to determine if those objectives are being met. Buy-in from leaders to gather risk culture data can be improved by linking risk metrics and indicators to the strategic objectives that have their attention.
- Involving senior leadership in survey planning, design and communications. Getting their early and regular feedback throughout the survey process can help to build a sense of ownership and ensure that any concerns they have are quickly addressed. It also ensures that the survey process allows for their key areas of curiosity or concern to be explored.
- Planning survey or data collection at times of the year that senior leaders are able to dedicate appropriate time and support to them.
3. Collecting data
It is important the data collected is relevant to the question(s) asked and is collected from multiple sources.
Below are some different methods to collect data:
4. Analysing data
Survey analysis may be simple analysis such as sorting questions from highest to lowest performing using basic spreadsheets, or complex statistical analysis using more advanced software to provide insights into relationships between questions or variables. Qualitative data can also be grouped into common themes to provide further insight. It is important to consult with experienced data analysts to ensure insights from the data are maximised.
5. Triangulating data and data validity
Data triangulation is essentially looking for common findings between data sources to draw conclusions and validate findings. For example, it might be observed in the survey that there is low agreement that leaders in one business unit are effective at risk management. Focus groups reinforced this perception with examples of ineffective risk leadership being provided. This data together would draw the finding that the leaders in this business unit may be contributing to a poor culture.
6. Reporting on risk culture
Good governance will ensure regular reporting on risk culture. This might include an annual or biannual risk culture assessment being undertaken, and the findings being provided to the leadership team and board. Others may choose to do an annual survey, with deep dive interviews and focus groups complementing the survey every other year.
Some general tips on reporting to leadership include:
- Simplify - don’t overload the reader by presenting too much data. Focus on the key themes and the most important insights.
- Summarise - consider using a dashboard or executive summary to share key data and important results and provide detail elsewhere.
- Showcase - Use a mixture of graphics and tables to present the data, ensuring all tables and graphs showcase the data clearly and accurately.
- Use perception-based language - for any data drawn from interviews, surveys or focus groups, it is important to use language in the report which reflects that these are the perceptions of the people, rather than fact (unless this is able to be supported by fact based business data). For example, it would be appropriate to say “10% of people held a strongly negative sentiment to the adequacy of risk training” rather than saying “risk training is inadequate”. Similarly, in identifying drivers, it is important to recognise one cannot exclude all factors when reporting perceptions related to drivers. As such one would say “x may be influenced by y”, rather than “x is a result of y”, unless one is able to be definitive.
- Seek Feedback - Ask the executive or board for feedback on the report. Did it meet their expectations? What could be done differently?
Several levers of change can be used to enable cultural improvement to established ways of operating. Once the desired risk culture has been established, the organisation should continually monitor and refine it to reflect ongoing changes in business strategy and risk appetite.
Creating sustained change
Creating sustained changes in mindsets and behaviours is a gradual, multifaceted process and not a “once-off” transition. It is often about shaping the environment and removing barriers to elicit the desired behaviour, rather than shaping the behaviour to fit the environment. Articulating milestones and having a deep understanding of levers to create that change is therefore critical for navigating that change successfully.
Organisations should seek to align their risk culture to the purpose, values, and risk appetite through a holistic lens. It may include changes to the organisations governance, systems and processes; enhancing organisational communications and relationships; identifying mechanisms to motivate people towards certain behaviours; and targeting individual capability and competency.
The systems and processes that guide the way leaders and staff work and what they prioritise must be designed in a way that encourages the desired behaviours. Leaders’ values and behaviours are instrumental in driving and reinforcing cultural change, therefore it crucial to shift the mindset and develop capabilities within leaders to clearly communicate and behave in line with the desired values.
Comparing baseline data to data after a change intervention
When looking to measure the impact of a particular intervention, it is important to gain a baseline data set before the intervention has been implemented. Once the intervention has been completed, data should be collected using the same data collection methods as before to ensure a direct comparison. This “before” and “after” analysis will assist in validating the hypothesis about change or assist to further examine the drivers of the behaviour where the data does not move in the anticipated direction.
Supporting line areas
Through regular engagement with line areas, risk practitioners can seek to seamlessly embed risk management discussions and activities into business as usual. Risk practitioners can support line areas by:
- Organising introductions with teams or team leads throughout the organisation so people are aware of when and how to reach out to Risk Practitioners for support or involvement.
- Preparing a communications plan to share lessons learnt, common areas of misunderstanding or other key insights related to risk across the entity.
- Proactively reaching out to projects or programs to ensure risk practitioners are involved at the appropriate stages of the project.
- Developing a clear and two-way communication channel for engaging with risk practitioners (for example, SharePoint page, group email inbox, consultation hours).
- Providing education to project or program leads on risk management, and how to effectively communicate risks to the organisation or leadership.
Supporting Senior Leadership
The way people think about, identify, and manage risk, is heavily influenced by their leaders.
Senior leaders set the tone for risk, which is then cascaded down. The ‘tone’ determines the accepted workplace behaviours and shapes the characteristics of the organisation which are beyond the reach of policies and systems. Setting the right tone for risk is what enables the organisation to harness positive risk opportunities and manage the downside risks they are exposed to.
Risk practitioners can support their leaders to lead with the right tone and capability by ensuring that senior leaders:
- Are appropriately informed and understand the organisation’s current risk framework and key business risks.
- Are provided with guidance on considering all the aspects of risk on key decisions, including constructive challenge.
- Understand both the target risk culture and the current risk culture.
- Have the appropriate risk management capability to make risk intelligent decisions.
- Have an awareness of their performance as risk leaders. Risk practitioners can work with human resources to develop a risk leadership framework and assessment, which includes 360-degree feedback on relevant competencies. Risk practitioners and human resources could then provide target insights to guide risk leadership development and transform the tone leaders set.
- Are supported with communication and positioning on key areas of behavioural insight through a clear and targeted communications plan to influence the risk culture.
This guidance is intended to assist senior leaders in understanding their role in nurturing and enabling an effective risk culture.
A positive risk culture is one where employees at every level appropriately manage risk as an intrinsic part of their day-to-day work. The way people think about, identify and manage risk, is heavily influenced by the leaders of the organisation. The ‘tone’ leaders set determines the collective beliefs, attitudes and behaviours towards risk management, which ultimately shapes the entity’s risk culture.
Three common challenges leaders face in developing a positive risk culture include:
- Developing their risk leadership capability and demonstrating positive risk leadership behaviours.
- Using data intelligently to guide risk-based decision making and risk culture change.
- Changing and embedding risk behaviours across the organisation.
Risk culture is the component of an organisation’s culture that encourages informed risk taking through decisions made within the entity’s appetite and tolerance for risk. An organisation’s risk culture is critical in driving the day-to-day behaviours that support the organisation’s strategy and how it engages with risk.
To support an intelligent risk culture, the desired risk behaviours and norms for the organisation should be clearly defined, owned, monitored, and demonstrated by senior leaders.
Setting the right tone from the top
Senior leaders must ensure they role model expected behaviours aligned to the values and principles of the entity and its approach to managing risk. Senior leaders should also ensure they have the knowledge and skills to manage risks effectively, and demonstrate explicit consideration of the entity’s risk appetite in conversations and key decisions.
Aligning risk with strategy
Employees look to senior leaders for strategic direction, guidance and clarity. Senior leaders need to agree on the level of acceptable risk taking for an entity in line with the entity’s strategy, regulatory requirements, and the changing external environment. This should then cascade across the entity to inform decision-making at lower levels.
One way senior leaders can align risk culture with strategy is by ensuring strategic plans articulate the amount of risk that will be accepted in pursuit of those strategic objectives. It should also be clear how risks, both upside and downside, can impact the achievement of the entity’s strategic objectives.
Nurturing an environment of psychological safety
Psychological safety is a belief that no-one will be punished or humiliated for speaking up with ideas, questions, concerns or mistakes, and if not maintained can hamper risk management efforts. Leaders can foster an environment of psychological safety by:
- Ensuring standards of respect are consistently upheld across the organisation.
- Sharing their own learnings and failures in communications and interactions with others.
- Actively seeking out feedback and challenge from individuals of all backgrounds and levels of the organisation.
- Ensuring appropriate and confidential mechanisms are in place to raise grievances and feedback.
- Taking a just approach for wrong doings by being curious about and resolving the root causes, and by balancing intention and outcome when applying consequences.
Monitoring risk leadership impact
The competencies and capabilities that contribute to building positive risk leadership are underpinned by how leaders decide, communicate, support, embed and live risk management (see image).
Senior Leaders should continuously monitor and seek to improve their risk leadership. They can do this is by reflecting on their own attitudes, behaviours and capabilities related to risk management, and seeking feedback from others at all levels of the entity on how well they are setting the tone for and influencing effective risk management and the risk culture within their entity.
Measuring and reporting on risk culture
To lead risk management effectively, it is important a leader understands the drivers of the mindsets and behaviours of their people in relation to risk. Risk culture assessments measure the attitudes, behaviours and decisions related to risk-taking and risk management.
Risk culture measurement must be holistic, use multi-source data and include root-cause analysis to understand the drivers of the risk culture and enable change towards the target risk culture state. Risk culture metrics can be obtained through surveys, focus groups, observations, business data or desktop reviews, and should be included in regular risk reporting to the board and management. Risk culture reports enable executives to discuss cultural indicators in the context of risk management objectives. Evaluation should be a central consideration of risk and risk culture transformation programs, and be focused on both the short-term and medium-term outcomes as well as longer-term impact.
Culture change involves having a clear picture of the current risk culture state (obtained through measurement), a clear articulation of the target risk culture state (described through desired risk mindsets and behaviours), and an understanding of the levers that can be pulled to bridge the gap between the current and target risk culture state.
When seeking to change the risk culture, people are influenced through channels such as role modelling, messaging, symbolic actions and stories, and incentives. It also extends to ensuring policies, processes, systems, and technology are aligned to make risk intelligent decision making easy.
Understanding the root causes of mindsets and behaviours and creating change to enhance risk intelligent decision making will strengthen an organisations risk culture. Senior leaders provide one of the most effective levers for changing behaviours, through their communication (what they say) and role modelling (what they do), as well as what they don’t say or do.
This case study is intended to assist Commonwealth officials at Specialist and Executive levels to:
- develop and establish a positive risk culture
- understand practical tips to implement a risk culture change program
- understand how risk culture can be transformed and embedded in their agency.
This case study can be useful to newly created entities or entities wanting to refresh their approach to risk management and instil a positive risk culture across the organisation. It provides guidance to entities seeking to develop or formalise their approach to developing a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours
This case study outlines the National Health Funding Body’s (NHFB) strategy to embed a robust organisational culture that continues to support risk-aware decision making whilst at the same time encourages innovation and creativity. This case study details how the NHFB has developed and fostered a risk culture that has enabled them to engage with risk in pursuit of continuous improvement and better solutions in their business activities.
The NHFB and the Administrator of the National Health Funding Pool were established through the National Health Reform Agreement of August 2011. The NHFB were tasked with assisting the Administrator in calculating and advising the Treasurer in the Commonwealth’s contribution to public hospital funding in each State and Territory, which totalled over $24 billion in 2021-22. They were also responsible for monitoring payments (over $59 billion in 2021-22) of Commonwealth, State and Territory public hospital funding into the National Health Funding Pool.
With an operating budget of just over $7 million and as an agency of approximately 28 staff, it was critical that the NHFB developed and maintained effective and robust systems for risk management to ensure they meet their obligations. To do this, the NHFB encouraged everyone to take responsibility for risk by promoting an active engagement with risk.
Risk culture is a subset of organisational culture and refers to the system of beliefs, values and behaviours throughout an entity that shape the collective approach to managing risk and making decisions.
A positive risk culture involves staff adopting an open and proactive approach to risk that fosters collaboration, encourages debate and values independent views. In order for risk management to be effective, it needs to align with the entity’s strategic goals and be part of the organisational culture, internal policies, decision making and individual’s behaviour.
Culture is shaped by the behaviours and attitudes of leaders. The desired culture for managing risk should be clearly defined and demonstrated by the executive in a form that is communicated and actively promoted to staff.
By establishing a positive risk culture, everyone within the organisation is encouraged to take responsibility for managing risk as it is included as a core responsibility within an individual’s job description. Such an environment can lead to early engagement and open conversations about risk and any potential threats or pressures to the entity. This allows for the identification and assessment of emerging and new risks that could impact business activities and have the potential to hinder achievement of organisational objectives.
A positive culture for managing risk can create an environment where there is a distinctive awareness of the entity’s risk profile by staff across all levels and the responsibility for managing these risks is sufficiently understood. This can lead to appropriate actions being taken by the right people in a timely manner for issues and risks that are identified to be out of set thresholds and tolerance.
The NHFB worked towards embedding a robust organisational culture that continued to support risk–aware decision making and encouraged innovation and creativity. Managing risk has become a natural part of the NHFB’s core business activities through consistent language, methodologies and documentation across the organisation. Risk is discussed at all levels to ensure every member has the opportunity to raise potential risks in their business area as well as potential opportunities.
The following levers were called upon in order to positively drive change in NHFB’s risk culture:
With a collective effort and strong communication in the roll-out of risk appetite and tolerance statements, these statements helped shape and define a strong culture within the NHFB that encouraged active engagement with risk. The risk tolerance statement articulates the amount of risk that the entity is willing to accept to successfully achieve their strategic objectives and was openly communicated and understood across the organisation. In doing so, the establishment of these key documents helped set objectives, define the desired risk culture, allocate resources, comply with legal obligations, and improve transparent decision making. By knowing these boundaries, NHFB staff are empowered to confidently make risk-aware decisions in the workplace.
The NHFB adopted a ‘near miss’ approach to reporting risks. This involved a deep dive into the source, impact and consequence of each near miss. This is undertaken immediately after the event to ensure that it was rectified quickly, while minimising the likelihood of a similar occurrence. This process embodied an open and proactive approach to risk that became indicative of the positive organisational culture seen throughout the NHFB that embraced the opportunities contained within each risk event.
Through this reporting approach that encouraged frank discussions about the ramifications and resolutions related to realised risk events, the NHFB did not let any fear or concern that impact the organisation’s psyche surrounding near misses. Instead, a pragmatic analysis of the control breakdowns and any required new risk treatments allowed the organisation to move forward and rectify any deficiencies in their processes or systems.
Strong and regular communication from the CEO about the NHFB’s risk tolerance and expected risk behaviours, helped transform the organisational culture with respect to risk management. There was an active display of leadership and consistent messaging, supported by the executive group, that encouraged risk-based fit-for-purpose practices that helped champion the implementation of the NHFB’s revised risk management approach. These messages shaped and set the parameters of what is considered best practice risk management and fostered a culture that considered the opportunities associated with risk events.
Underpinning this transparent and concerted effort from the executive leadership was their desire to embed an understanding of risk appetite across the agency. This ‘tone from the top’ encouraged innovative thinking and provided supporting mechanisms to ensure that risk was able to be managed effectively (that is, through updating their Risk Management Policy and Framework and Risk Management Instructions). Senior leadership also contextualised the relationship between effective risk management and key strategic objectives. This message emphasised the importance of making risk-informed decisions and fostered a culture that viewed risk management as a fundamental component to the achievement of business success.
Embracing a lessons learned mindset has enabled the NHFB to consistently evolve and improve their processes after near misses or realised risk events. Openly discussing the lessons learned arising out of these incidents, instead of attributing blame, allowed the organisation to grow and develop.
For example, there was an access error identified for users within the Payments System (critical to the NHFB operations). Using a lessons learned approach, it was determined that there was the need for better communication between the 3rd party provider and the NHFB to ensure that the Payments System remained operational for users during peak periods. This adaptive and open-minded analysis of the risk event outlined the NHFB’s positive culture that is built around a willingness to learn and improve.
Incorporating elements of risk management into every role throughout the organisation, provides everyone with a level of responsibility when it comes to managing risk and processing risk related information. A united leadership approach in the NHFB is around ‘Our Behaviours – it starts with me’, which encapsulates the desired attitude whereby all staff are empowered to take ownership of their behaviour when interacting with the different risks faced by the NHFB.
By encouraging all staff to model good risk management behaviours, new starters are more likely to adopt the positive risk culture embedded within the NHFB’s day-to-day operations.
Figure 1 – ‘Our Behaviours – It starts with me’
This case study is intended to assist Commonwealth officials at Specialist and Executive levels to:
- identify opportunities to review their risk management framework
- leverage practical tips to implement a risk culture change program
- understand how risk culture can be embedded in their agency.
This case study can be useful to newly created entities or entities wanting to refresh their approach to risk management and instil a positive risk culture across the organisation.
This case study provides guidance for entities seeking to develop a more advanced or mature risk culture, as modelled off the methods used by the Australian Financial Security Authority (AFSA). AFSA’s management board recognised an opportunity to embed more meaningful conversations and effective risk mitigation across all levels of the agency. With the active support and buy-in of senior leadership, AFSA:
- Successfully implemented a new approach to risk management
- Developed guidance materials to define risk roles and promote risk-informed decision making at all levels across the agency
- Conducted risk culture audits
- Carried out risk training.
All of this contributed towards a more mature risk culture and a proactive approach to risk management that can be sustained into the future.
There are difficulties with shifting an entity’s risk culture as it involves influencing and altering the inherent behaviours and attitudes of staff towards engaging with risk. Being able to establish and foster a positive risk culture is imperative. This is as it is an entity’s culture that ultimately determines the behaviours of officials when they are making decisions in their day-to-day role.
AFSA is an executive agency in the Attorney-General’s Portfolio responsible for Australia’s personal insolvency and personal property securities systems. Historically, AFSA adopted a compliance-based approach to risk management, however, with the agency about to embark on a digital and cultural transformation, there was a significant opportunity to invest in the agency’s approach to risk management to ensure it could support effective transformation. AFSA’s approach aims to empower staff at all levels of the organisation to make informed risk-based decisions in their day-to-day work.
Risk culture is a subset of organisational culture and encompasses the beliefs, values and behaviours throughout an organisation that shape the collective approach to managing risk and making decisions. A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Positive risk cultures are supported by open discussion about uncertainties and opportunities and internal processes to help manage risk. A poor risk culture is often evidenced by officials being ignorant of the agency’s risks, being excessively risk averse or overconfident.
Evidence-based risk management
AFSA reviewed its existing risk management framework and identified that it was too compliance focussed, and burdened staff by completing overly detailed and complicated risk registers. This created a culture where staff viewed risk management as a technical, paperwork driven activity that had little connection to their day-to-day work. The agency decided to invest in a contemporary approach to risk management that instead focused on utilising objective sources of evidence to verify the actual effectiveness of critical actions, activities and measures that help control key agency risks. The adoption of this approach, combined with significant investment in staff training, the development of a ‘Decision Making Model’ to support staff in their day-to-day work, and the utilisation of scenario-based control testing with key agency decision makers, has created an environment where staff are actively engaging in risk management on a day-to-day basis.
Risk management aligned with the agency’s vision and purpose
Risk management activities are an important driver of strategy. AFSA built strong links between its risk management approach and strategic objectives by prioritising risk across all major governance documents. AFSA refreshed the risk management component of its corporate plan to communicate the agency’s risks more clearly. AFSA also reconfigured its assurance mechanisms into a new assurance strategy that aligns assurance activities to the agency’s risks.
Risk culture audits
AFSA worked with its internal auditors to assess the maturity of the agency’s risk culture. A survey was distributed to staff at all levels to understand how they approached risk management and how AFSA could better equip them to manage risk and make decisions in their daily work. The process highlighted the need for greater practical support, renewed guidance documentation and simplified risk processes. Responding to the staff feedback, AFSA redesigned and streamlined its risk framework, policy and plan into a single readable document. Guidance, risk tools and reporting processes were also refined to ensure their usefulness, and a follow up audit arranged to measure improvements in risk culture.
Support of senior leadership in the agency’s transformation
An agency’s risk culture is strongly influenced by the behaviours and attitudes of leaders. AFSA’s senior leadership team actively championed the risk transformation and were advocates of the new approach. The Risk Team leveraged this buy-in to actively encourage staff to participate in the transformation journey. This enthusiasm and support created an environment where useful conversations regarding agency risks and the effectiveness of AFSA’s current controls could take place.
AFSA maintains ongoing engagement of its board with risk by utilising near misses, realised risks event or fictional yet plausible scenarios to drive a rolling program of risk walkthroughs. This process brings together the risk owner, control owners and board members to actively explore control gaps and current-state preparedness, and discuss areas for enhancement. AFSA has extended this approach across the agency and encourages staff to participate in similar conversations through risk forums. These forums have become valuable opportunities to provide assurance to the board that strong controls are in place while also creating opportunities for staff to identify areas of improvement.
New risk management roles across the agency
Whilst a positive risk culture can be established via a clear ‘tone at the top’, it is the staff at the operational level that instil and embed this culture. AFSA’s establishment of new risk roles helped entrench risk management across the workforce, and has helped foster a culture where risk is actually at the forefront of the entity’s mindset when carrying out day-to-day operations. Through the introduction of clear risk roles, a more active engagement with risk was facilitated. These new risk roles were clearly defined in AFSA’s risk documentation, with staff being supported and trained to take on these responsibilities. These new roles ensure staff clearly understand their decision-making responsibilities, how they fit in with AFSA’s approach to risk management, and procedures for escalating issues to risk owners and the board.
AFSA embedded a common understanding of the it's new risk management approach across the agency though whole-of-agency risk management training. The training was informed by the findings of the risk culture audit and focussed on practical day-to-day risk management and decision making. AFSA hosted a significant number of workshops for staff across the agency at all levels on why risk management is important, how AFSA manages risk, and how risk management links to the Corporate Plan. This training has helped the agency reach a position where risk management is normalised, staff understand risk is part of their roles, and staff discuss risk using a common language. This has created a clearer understanding of shared issues and concerns, enabling informed risk discussions at all levels across AFSA.