Risk culture is a complex, forward looking and qualitative component of an organisation, requiring unique approaches.
Its DNA begins with understanding the firms’ inherent culture, which considers the organisation’s own history, strategy, values, management and industry sector and how these interact within each subculture. It then monitors and adjusts the organisation’s cultural evolution overtime.
However, a failure to effectively implement and manage your organisational risk culture can result in drastic internal and external consequences, including fraud, corruption, misappropriation, cybercrime and economic crime. Therefore, it’s no surprise, since the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, organisations are starting to assess how their culture overlays and integrates with their overall risk management framework and system.
In this article, we dissect the four key focus areas that should make up an organisations DNA to encourage a good risk culture. Including top-down tone; relationships, capability and sustainability.
1. Top down tone
You’ve probably heard about the importance of having the right ‘tone at the top’, which refers to the idea that organisation leaders set the ‘tone’ – or standard – of ethical and business behaviour. But, what does that actually mean and how can it be applied?
As history has showed us, the words and actions of management permeate throughout the organisation from the top-down. This ‘trickle-down’ effect means that’s it’s crucial for management to not only communicate the right ‘tone’ for acceptable behaviour but to live and breathe these values in all their actions, in particular, those that represent and promote the values of honesty, integrity and transparency.
However, while tone is set from the top, creating clear and fluid communication lines, instils positive ethical values, because everyone feels part of the culture. Overall, when assessing organisational ‘tone’, you must consider:
Good relationships are the backbone of good business. With our clients and customers we strive to forge meaningful, collaborative and mutually beneficial relationships and this should be the same for our employees.
Toxic employee-management relationships can make your organisation more perceptible to internal risk. Factors driving can be: unrealistic budget expectations from management; excessive pressure to hit high targets; misaligned incentive programs; autocratic management; inadequate training and the absence of a confidential reporting avenue.
As such, organisational leaders should consider the following when reviewing their organisational structure:
Focusing on improving your organisational capability - often referred to as organisational competencies -not only improves overall organisation performance, but it can also significantly mitigate organisational risks.
Risk management capability generally focuses on preparedness and responsiveness.
By preparing for various ‘worst case scenarios’ - such as fraud, data breaches and cybercrime – organisations can improve their response speed and effectiveness. That’s because, they can spot the early warning signs in advance thus reducing the likelihood of the scenario occurring, as well as the severity of the incident. Good risk cultures improve their organisational capability by investing activities such as risk awareness training, crisis plans, team-based simulations and early detection technologies to ensure their organisation is prepared for the unexpected.
Other things that you should also consider to improve your organisational risk capability are:
Facilitating a learning organisation
Is your organisation keeping up to date with relevant industry changes, new technologies, literature and processes?
Are opportunities for learning and development available at all levels?
What steps are you’re taking to create a culture that encourages continual improvements?
Root-cause analysis and training
When faced with a problem you treating the underlying problem – ‘root cause’ – or just the symptoms?
What steps are you taking to prevent the problem occurring again or to detect potential future problems?
Building resilience and accepting bad news
While we’ve covered many of the areas of improvement organisations can make to mitigate organisational risk – it’s important for improvements to be sustainable to be successful in the long-term. Many organisations tend to focus on dealing with immediate and short-term risks as their impact and severity is clearly visible. However, it’s often the long-term, systemic risks which may not be accounted for that can cause the most irreparable damage.
Therefore, if you’re trying to implement meaningful and sustainable risk management solutions, you should consider the following:
Celebrates ‘good’ risk behaviours
Consequence management strategy
What risk exposures does your organisation have and what is their impact severity?
What is your response, relief and recovery and strategic communications strategy?
Understanding sub-cultures and ongoing monitoring of cultural changes
What culture and sub-cultures does your organisation currently have and how are you looking to change them from a risk culture perspective?
How are you monitoring various data points and indicators of culture over time?
Proactive management of emerging issues
As we enter the post royal commission era, organisations need to be closely looking at risk-management practices including how these interact with a business’ goals and strategy.
Culture has now become a fundamental part of the governance, risk and compliance landscape. BDO have developed tools to help organisation’s meet regulatory risk-culture standards, assess where deficiencies lie, and implement and monitor risk cultures.
Should you have any questions about the above or require further information, please contact Tim Aman. Tim has worked alongside many organisations and businesses within Financial Services and is experienced at helping organisations design dynamic risk management methodologies and strategies to suit their individual circumstances.