You can take a horse to water but you cannot make it drink. You can take risk management to your business but you cannot make them do it. People, to be successful in anything they do, must have a desire to do it. This breeds passion which drives people to excel.
Getting the right culture to support risk management across your business is the most important ingredient for success.
So what does the right 'risk culture' mean, and how do we create and maintain it? Culture is embedded within people’s thoughts which then influence their behaviours and actions. Risk culture is their thinking, behaviours and actions around risk and risk management.
In order to achieve a great corporate-wide risk culture, we need to define what it is and then we embed it into our people. Let’s start with what it is.
Thoughts
This comes down to whether a person has the knowledge of what is 'right' and 'wrong' and then whether they choose to do the 'right thing'. Corporate culture must be clear in defining what right and wrong are and then promote that across the organisation. This should come from corporate values, manifested in the risk appetite and policies, practices and behaviours of our senior management and board. The uncertain grey area between right and wrong should be minimised as far as possible.
We then need to motivate staff to do the right thing. This comes from explaining why doing the right thing is better: we will be more successful and we can all share in that, we will be positively recognised by our peers, we will create a great environment in which to work etc.
Lastly, we need mechanisms to recognise wrong behaviour, call it out and encourage staff to choose the right thought next time. Organisational creep occurs when staff push away from the right into the shade of grey and sometimes the plain wrong, and no one notices and there are no consequences. They will continue to operate in the wrong and, after a time, even encourage colleagues to join them on the 'dark side'. Over time, our culture deteriorates.
Behaviours
Once our people’s thinking is right, they will behave accordingly. This will include typically strong risk culture behaviours such as:
- Strong and open communication. Escalate as soon as a problem or issue arises
- Always considering risk in any decision that is made, prior to the decision being made
- Taking responsibility for risk and controls. Be willing to stand up and claim ownership
- Telling the truth and taking ownership of problems
- Being concerned about the impact of their risk management on others – appreciating what is downstream when something goes wrong
- Encouraging and educating others in risk and risk management
- Showing a desire to be more risk aware and gain more risk management knowledge
- Demonstrating a positive attitude to risk management.
Actions
When the right thinking and behaviours exist, we can move to developing specific actions for each staff member with respect to risk management.
This will include:
- Calling out, escalating, recording, reporting and managing all risk incidents as soon as they occur
- Reviewing key risk indicators in amber and red and following them up in a timely manner
- Following up outstanding actions and ensuring they are implemented by due date
- Being risk aware at all times and updating risk assessments as risk profiles change
- Taking compliance attestations seriously. Answering them honestly and in a timely manner
- Raising risk as part of every decision
- Praising staff who call out risk incidents and issues early.
Key elements to creating and maintaining a good risk culture
In order to foster the thoughts, behaviours and actions above, some key principles must be followed:
- Risk and risk management must be understood by all of your staff. They cannot have a strong culture around what they do not understand.
- The risk management framework must be aligned as a business enabler, not a hindrance
- The risk management process must be efficient and not cumbersome
- Risk management should be simple and easy to understand. It should be kept 'real'
- Good behaviour and actions should be recognised and rewarded. Bad behaviour should have consequences
- Most importantly, the correct culture must be set at the board and senior management level and must be demonstrated to staff through 'walk the walk', not 'talk the talk'. Setting the tone at the top helps drive the importance of risk culture across the organisation.
Next steps
Protecht's Culture and Conduct risk eBook gives you all the information you need in order to better understand, manage and monitor your culture risk and conduct risk. It also addresses risk culture as a sub-component of organisational culture and provides examples of the key traits of a good risk culture.
This article was originally published in January 2017.