While formal structures, risk capabilities and maturity reviews are important for developing optimised risk culture across your organisation, they must be supported by the correct behaviours – our latest benchmarking tool, the Risk Culture Maturity Model, outlines how to level up your organisation in each of these key areas.
What is the first step to developing a more mature risk culture? For many organisations, it helps to understand why risk culture and organisational culture are not so different.
There may be nuances that distinguish “risk culture” from the overall culture of the business – for instance, the former is more specifically tied to risk awareness, risk taking and the controls that influence decisions about risk. Nonetheless, the two should not be dissociated from one another, as the same principle underpins both: you can give employees the tools needed to do a job, but without instilling the right attributes and behaviours, the job will not get done well.
As a result, the challenge of building a stronger risk culture is multifaceted.
As well as standing up formal structures or processes to develop risk awareness and determine whether certain business units at the company are risk takers (or, alternatively, risk averse), you have to set the right example for the business and create an open environment that encourages people to speak up.
Beyond this, having a system in place to regularly monitor and assess risk culture – ensuring that any negative behaviours don’t start to creep in – is also a crucial backstop. You also want to have a solid grasp on how risk culture is accommodated (or not) within key areas of your business and how those areas influence culture itself.
Improving their organisation’s risk culture is a priority for the majority of our members – global multinational organisations – who want to push their risk framework to the next level.
To help members navigate each stage of their maturity journey, we have worked with risk culture experts and practitioners to develop our Risk Culture Maturity Model – this assessment tool is designed to give risk leaders a baseline against which to compare the strength of their risk culture, as well as providing a roadmap of key activities for them to advance from immature to optimised.
As with our Emerging Risk Maturity Model, our Risk Culture Maturity Model has undergone a rigorous iteration process, with members providing suggestions on how it could be enhanced to deliver the maximum benefit.
Overall, the model consists of four dimensions:
Formal structures and processes – Visible aspects that are intended to drive culture and behaviour in a particular direction, for example, incentive systems, governance, escalation processes and process mapping.
Attributes and behaviours – Informal and often invisible aspects of human response or action, which can typically be seen to emerge as a consequence of environmental factors.
Linkages – How risk culture is accommodated within other key areas of business.
Capabilities – What resource the organisation has at its disposal to understand, assess and influence (risk) culture.
As an insight into the model, which members can already access via the Intelligence platform, we outline here how a company can optimise three behaviours pertaining to a company’s risk culture.
Encouraging the business to value Risk
If you asked the average employee to name the most important corporate functions at their company, how many would say Risk? While Finance, Legal and Operations – among others – have an integral place in the structure of an organisation, the challenge is to get the business to view Risk in the same light.
To achieve this, tone from the top is immensely important: if Risk is treated as a key item in the company agenda by senior leaders, this attitude will trickle down to other functions and business units throughout the organisation. If Risk isn’t involved in the important conversations held at a management level, it won’t be perceived as valuable by the rest of the organisation.
Align risk with corporate values
To return to the previous point about risk and organisational culture being intrinsically linked, the approach to risk management within the business should match up with the organisation’s values and expectations.
While this may sound quite obscure, corporate values should be documented and, within that document, bear some reference to risk management.
Establish accountability for risk culture
If there isn’t sufficient responsibility taken for reviewing risk-taking practices – chiefly to ensure risk appetite is not being exceeded and company objectives are not being threatened – any process you have in place for this will be rendered meaningless.
Therefore, clear accountabilities should be set at each level of the business for monitoring risk-taking behaviour; these accountabilities should feed from the bottom-up, so the enterprise risk function can get a clear overview of where too many risks – or, indeed, not enough – are being taken.
To learn more about Risk Leadership Network membership, which includes access to the full maturity model, click here.