The trigger for the focus on risk culture
Following the GFC there have been high levels of commentary on the issue of an organisation's risk culture and what it should be defined as, and more importantly what it might look like. The Australian regulators have joined this party and issued numerous edicts and direction on their take on what culture looks like – although through slightly differing lenses – APRA focussed on risk culture and ASIC on compliance culture.
The most recent comments by John Price, ASIC Deputy Commissioner (July 2017) suggested that the GFC revealed major shortcomings in the way financial institutions managed risk – and consequently risk culture – which he defined as the norms of behaviour around how an organisation identifies, discusses, understands and acts on risk. Consequently, risk culture has been on the radar of regulators and tackling culture was the final frontier in addressing the problems highlighted by the GFC.
Line of sight needed by a Director
The common theme within the financial services sector is that directors should have a perspective and a clear line of sight on the nature of the organisation's cultural approach to the management of risk(s) within the business. But this approach, whilst enshrined in relatively recent regulations issued by APRA and ASIC, has in fact been in operation as an obligation/standard required of directors under the Criminal Code for over twenty (20) years.
The challenge that is faced by non-executive directors is how to form a clear perspective on your organisation's risk culture when culture reflects what is happening in the trenches amongst the operational personnel and is very much an intangible and subjective assessment. The information available to a non-executive director on aspects of cultural execution (on a range of issues not restricted to risk management) is largely provided anecdotally by management or through formal reporting arrangements.
What is risk culture?
“Culture can be thought of as the foundation of the social order that we live in and of the rules we abide by … the culture of a group can be defined as a pattern of shared basic assumptions learned by a group as it solved its problems of external adaptation and internal integration … and therefore to be taught to new members as the correct way to perceive, think and feel in relation to those problems”
— Edgar Schein, Celebrated Organisational Development Academic
In March 2013 Lieutenant General David Morrison delivered a speech reflecting on cultural challenges within the defence forces in which he defined culture more succinctly as “The standard you walk past, is the standard you accept.”
So logically the standards of conduct that an organisation establishes – and enforces in all manner of ways – are reflective of the culture that it elects to create and embrace.
Risk culture is the application of these principles and concepts to the way that an organisation takes and manages risk. Risk culture is not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed.
Commentary by APRA and ASIC has revealed that, as regulators, they consider risk culture to be important because from their viewpoint the corporate culture is a key driver of conduct which in turn reflects the existence (or absence) of certain organisational behaviours – these behaviours also being reflective of the organisation's culture.
There have been many recent and very public cultural failures within the broader financial services sector. These failures have highlighted that “poor culture leads to poor outcomes for investors and consumers, impacts upon the integrity of the financial markets and erodes investor and consumer trust and confidence.”
The combined financial impact of lost market standing and remedial costs far outweighs the costs of building a robust and effective corporate culture – with an increasing body of evidence that there is tangible and measurable stakeholder value generated by a robust corporate risk culture.
The hallmarks of organisational risk culture
An organisation develops a culture, whether it is being actively nurtured and influenced – or not. Fostering a desired cultural approach to managing risk should be paramount in the organisation's decision making and so logically the consideration of what risks might be present – but more importantly how those risks can be actively managed – should be embedded in all the decisions made by a Board.
The first step in creating and framing an organisational culture is through the creation of a stated position on how the Board requires employees to act. Creating a suite of policies and procedures that reflect the way in which the business should operate AND that clearly align with the organisation's code of conduct or similar statement of standards sounds relatively simple. In the risk management space these standards will be contained within the multiple components of the risk management framework.
But this is the easy step – converting the written theory into a consistent example across the business is a constant challenge that requires all stakeholders and decision makers to behave in the same fashion and with a consistent message. Whilst the Directors can set the tone of the message – the delivery, ongoing support and monitoring is predominantly in the hands of management.
There’s a fair chance you have heard the Peter Drucker phrase – “Culture eats strategy for breakfast”. This translates across into the arena of risk culture as heightened awareness and understanding of enterprise styled risks across ALL staff, which means there are more eyes looking upon the improved execution and continual improvement of the strategic direction of an enterprise. Where ALL staff are actively monitoring business risks they are actively dealing with the challenges but also – and more importantly – watching for the potential opportunities triggered by the risks associated with the organisation's stated strategic direction.
Identification of the risk culture vibe
Whilst a director might be charged with establishing and supporting a risk culture, how can the Board “ensure that … a sound risk management culture is established and maintained throughout the institution” to support the annual risk culture declaration to APRA by bank and insurance entities as required by APRA Prudential Standard CPS 220?
Your organisation may not – yet – need to adopt this standard but the role of a director is to maintain awareness of means by which your organisation can develop more effective operating standards.
There are a variety of potentially embedded challenges in assessing your organisation's risk culture. Does your organisation suffer from the following? –
A Director's challenge – measuring the culture risk
For a non-executive director – regardless of the sector the organisation operates in – the focus on issues of culture presents a fundamental challenge. Every organisation is unique from the perspective of the risks it faces and the regulations that it needs to satisfy. To determine the degree to which risk culture exists within your business, your conundrum is whether to rely entirely on information – prepared and filtered from management – or to somehow collect the perspectives of other stakeholders as a more accurate guide.
The board plays a role in setting the tone, influencing and overseeing culture, and ensuring the right governance framework and controls are in place. ASIC’s Deputy Commissioner John Price acknowledges that directors who are not involved in the daily operation of a company will find it challenging to monitor organisational culture. However, he does offer the following suggestions on questions to gain insight into an organisation's culture, raise issues and encourage a more positive culture:
The future direction
The change in the focus of conversations around the board table on how to foster, enhance and measure execution of risk within an organisation's culture will be a refreshing change from the myriad compliance issues that seem to have hijacked the boardroom agendas in the last two decades.
But culture is at the heart of how an organisation and its staff think and behave – it is an issue that your organisation needs to address in a fashion that will be unique to your business.
