An entity’s culture should promote an open and proactive approach to risk that fosters collaboration, encourages debate and values independent views. In order for risk management to be effective, it needs to align with the entity’s strategic goals and be part of the organisational culture, internal policies, decision making and individual’s behaviour.
Culture is shaped by the behaviours and attitudes of leaders. The desired culture for managing risk should be clearly defined and demonstrated by the executive in a form that is communicated and actively promoted to staff. An entity’s internal policies should also be aligned to its desired culture.
Culture is more than just complying with your entity’s risk management framework. Risk culture has an important role in how undocumented risks are managed within an entity, these include decisions that may never appear in a risk register or be managed through a formal risk assessment process.
Decisions are often made, and risks managed, without complete information, with inadequate resources and against competing priorities. In these circumstances, a strong risk culture will support the proper and effective management of risk. While a risk management framework sets the foundation for how risk is managed, it is the entity’s culture that will ultimately determine the behaviour of officials when engaging with risk.
Risk culture is a subset of an entity’s culture and refers to the system of beliefs, values and behaviours throughout the entity that shape the collective approach to managing risk and making decisions. A poor risk culture is often evidenced by officials being ignorant of the entity’s risks, being excessively risk averse or overconfident in their risk taking.
A positive culture for managing risk generally includes the following attributes:
- Leaders consistently and positively demonstrate and discuss the importance of managing risk appropriately
- The entity’s risk management framework is integral to its operating model
- Officials are comfortable talking openly and honestly about risk, using commonly understood risk terms and language
- There is an awareness of the entity’s risk profile and the responsibility for managing those risks
- Risk management is incorporated as a core responsibility within individuals roles and responsibilities
- Appropriate actions are taken in a timely manner by staff for risks identified that are outside of set thresholds and tolerance/limits
- Officials understand and agree the need and value of effective risk management and how it can help an entity achieve their strategic objectives
- Officials own and manage risk and proactively seek to involve others as appropriate
- Officials own and manage shared risks with others
- Incentives reinforce appropriate risk-related behaviour
- The entity has a supportive environment for escalating risk issues with the senior executive.
An entity’s culture and outlook on managing risk is strongly influenced by the ‘tone at the top’. Strong messaging from leaders can demonstrate their commitment to risk management and foster an environment where staff are encouraged to actively engage with risk at the operational level and strategic level. This messaging is strongest when it is demonstrated by example. A leadership team evidencing how they use risk management to inform decisions to balance resources and prioritise activities conveys the importance of risk management more effectively than words in a policy statement.
Senior officials should establish their entity’s appetite for risk in line with the entity’s strategic objectives and cascade that across the entity to inform decision makers at lower levels.
Officials are often guided by the accountable authority and the entity’s executives. Some key channels through which an entity’s risk culture can be influenced by the entity’s executives include:
- Role models: influential individuals who lead by example. The risk management behaviours they display guide others. It can be useful to assign accountability of the entity’s risk culture to a visible senior executive sponsor.
- Explicit messages: during recruitment, induction and throughout their careers, officials are provided with many instructions and guidelines that will influence how they view and manage risk.
- Incentives: the manner in which officials are rewarded and recognised. How these incentives take into account risk management behaviours will indicate how risk management is valued.
- Symbols and actions: the daily actions of leaders will be noted by officials and mirrored. Similarly, in many organisations there is a strong sense of ‘this is the way we do things here’ which can be a powerful influencer.
- Business strategy, risk appetite statement and internal policies: an entity’s official business strategy and willingness to accept or retain risk in order to achieve its objectives helps formulate and shape the culture for managing risk. Well-understood internal policies that are aligned to the desired organisational culture help influence and dictate staff behaviour and risk culture as they set the boundaries and parameters of what is acceptable in relation to risk taking.
- Education and training: initial risk-based induction training as well as ongoing risk education and awareness programs help instil and reinforce an entity’s desired risk culture and approach to engaging with risk.
- Identify and prioritise key behaviours that are important to your entity to influence and shape a positive risk culture. Look out for any disincentives for good risk behaviours that might be in place.
- Encourage all officials in management roles to communicate regularly with their teams about the value of good risk management. They should be active in challenging the risk assessments and judgements of staff, ensuring they are not completed as compliance oriented ‘tick and flick’ activities.
- Reward and recognise positive risk management behaviour both publicly and through the entity’s performance management processes. Where an entity accepts an optimal level of risk, this may result in that risk being realised. Treat these events as opportunities to review, learn and improve the management of similar risks.
- In establishing a more positive risk culture, focus on changing attitudes and behaviours rather than just implementing new policies and procedures. Have a strategy that considers the entity’s current and target risk maturity and include clear steps on how you intend to change the culture.