With a range of tools out there to enhance risk culture reviews, it can feel like a minefield for those unsure where to start. Here we discuss three tried-and-tested techniques our members use that push more robust enterprise-wide awareness of risk and greater levels of accountability across a business.
When conducting a risk culture review, the role of the risk manager is to guide their organisation’s journey towards a better understanding of risk culture, rather than dictating the terms or taking responsibility for the risks identified during the process.
In other words, risk managers should be more like consultants to the first line.
In fact, some risk leaders at a recent member meeting suggested that replacing “manager” with “consultant” might help to better define their role in this context. Done successfully, this approach can result in a better-defined three-lines model, in which business functions, teams and individuals are fully accountable for their own risks – ultimately fostering a stronger risk culture.
Below we’ve outlined three of the five tools used by risk managers to guide the process of a second line-led risk culture review. Risk leaders took the opportunity to share and discuss these tools at a recent member meeting – the full notes of which can be read by members on our Intelligence platform. These notes go into detail on the use of all five tools discussed during the meeting, and they explain how risk managers might use the results to report to the board and implement change.
1. Surveys and interviews
Surveys should be conducted first. Questions can be general, or bespoke if a deep dive into a particular issue is deemed useful. You can steer the outreach here based on what your priorities are: surveys can be sent out to large groups of employees based on region or function.
The quantitative data collected from these surveys can then be used to enhance more selective, qualitative interviews about risk culture with employees. Since interviews are a lot more time-consuming, it’s better to sample a small cross section of the business. The resulting quotes or soundbites can be useful in driving senior managers’ discussions about risk culture. Don’t forget that some risk managers support first targeting middle managers to make headway with risk culture, so engaging with them at the interview stage is likely to bear fruit.
This kind of reporting tool is useful for giving senior management a flavour of the review process, as well as for monitoring risk culture evolution on an ongoing basis. And it’s not just for comparing organisational risk culture over time; it can also be used to compare data from across different business functions, teams or regions.
3. Documentation review
One risk manager reviewed various documentation from risk and audit committees within each part of the business in order to draw out key themes relating to risk culture for discussion.
Similarly, a review of the various forms of communication across a company provides invaluable insight into the day-to-day, real-life understanding the wider business has of risk management – from high-level emails and announcements by company leaders to function or business-level messages among teams. You want to see that messages are cascading down and questions are being filtered back up from employees to senior management.
Of course, different organisations view and manage risks differently, so other tools may be helpful. Nonetheless, the aim should be to find a way to ensure risk culture is discussed and understood throughout the organisation within the context of the wider company culture.
Your risk culture review should highlight observations and opportunities drawn from the data points collected during the review, while also leaving room for the culture to grow.