
10 Questions The Board Should Ask About Risk Culture

Risk culture is a term describing the values, beliefs, knowledge and understanding of risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation. This applies whether the organisations are private companies, public bodies or not-for-profits and wherever they are in the world. We propose the use of a simple A-B-C approach (Institute of Risk Management, 2012) as helpful in understanding how culture, and hence risk culture, works in practice.

  • The Culture of a group arises from the repeated Behaviour of its members
  • The Behaviour of the group and its constituent individuals is shaped by their underlying Attitudes
  • Both Behaviour and Attitudes are influenced by the prevailing Culture of the group.

Although there is no single right way to measure risk culture, there are a number of diagnostic tools available that can be used to indicate and then track the risk culture in an organisation. The mix of tools and the order of their deployment will depend on the context of the organisation and its risk management maturity. The RMAT®, or Risk Management Aptitude Test, is a great start for running a culture risk assessment survey before the Board, RMC and CRO develop action plans on risk culture. You can write to to get more information on the RMAT tool.

Corporate governance requirements around the world are increasingly demanding that boards of organisations should understand and address their risk cultures. The board has a responsibility to set, communicate and enforce a risk culture that consistently influences, directs and aligns with the strategy and objectives of the business and thereby supports the embedding of its risk management frameworks and processes. This starts with the risk behaviours, attitudes and culture of the board itself and reaches down through the organisation.

  1. What tone do we set from the top? Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect our people to behave and respond when dealing with risk?
  2. How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
  3. What risks does our current corporate culture create for the organisation, and what risk culture is needed to ensure the achievement of our corporate goals? Can people talk openly without fear of consequences or being ignored?
  4. How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas? Do we regularly discuss issues in these terms and has it influenced our decisions?
  5. How do the organisation’s structure, processes and reward systems support or detract from the development of our desired risk culture?
  6. How do we actively seek out information on risk events and near misses – both ours and those of others – and ensure key lessons are learnt? Do we have sufficient organisational humility to look at ourselves from the perspective of stakeholders and not just assume we’re getting it right?
  7. How do we respond to whistleblowers and others raising genuine concerns? When was the last time this happened?
  8. How do we reward and encourage appropriate risk-taking behaviours and challenge unbalanced risk behaviours (either overly risk-averse or risk-seeking)?
  9. How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values and that established staff continue to demonstrate attitudes and behaviours consistent with our expectations?
  10. How do we support learning and development associated with raising risk awareness culture and competence in managing risk at all levels? What training have we as a board had in risk?

Case study (Source: BBC Website, 2012, Barclays Press Release, 2012)

Staff at Barclays repeatedly filed misleading figures for interbank borrowings. First, between 2005 and 2008 – and sometimes working with traders at other banks – they tried to influence the Libor rate, in order to boost their profits. Then between 2007 and 2009, at the peak of the global banking crisis, Barclays filed artificially low figures. This tactic sought to hide the level to which Barclays was under financial stress at a point where their peers were being forced to accept state funding. When the scandal came to light it led to the resignation of the bank’s chief executive Bob Diamond, along with Barclays chairman Marcus Agius. Barclays was fined £290m by UK and US regulators for rigging Libor and investigations are continuing. Barclays has set up an independent review to assess the bank’s current values, principles and standards of operation and determine to what extent those need to change. It will also test how well current decision-making processes incorporate the bank’s values, standards and principles and outline any changes required.

Boost the risk culture of your organization and build risk intelligence by nominating your risk champions and teams for IRM’s global Enterprise Risk Management exams or customised corporate training programmes.

 Download IRM’s detailed guide here.

