Can you measure and dissect your organisation's risk culture?

30 September 2019

Tim Aman, Global Leader, Fintech
National Leader, Financial Services

Risk culture is a complex, forward-looking and qualitative component of an organisation, and it requires its own approaches to measurement and management.

Its DNA begins with understanding the firm's inherent culture: the organisation's own history, strategy, values, management and industry sector, and how these interact within each subculture. From that baseline, the organisation monitors and adjusts its cultural evolution over time.

A failure to effectively implement and manage your organisational risk culture can result in drastic internal and external consequences, including fraud, corruption, misappropriation, cybercrime and economic crime. It is therefore no surprise that, since the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, organisations have started to assess how their culture overlays and integrates with their overall risk management framework and systems.

In this article, we dissect the four key focus areas that should make up an organisation's DNA to encourage a good risk culture: top-down tone, relationships, capability and sustainability.

1. Top down tone

You've probably heard about the importance of having the right 'tone at the top', the idea that an organisation's leaders set the 'tone', or standard, of ethical and business behaviour. But what does that actually mean, and how can it be applied?

As history has shown us, the words and actions of management permeate the organisation from the top down. This 'trickle-down' effect means it is crucial for management not only to communicate the right 'tone' for acceptable behaviour but to live and breathe these values in all their actions, in particular those that represent and promote honesty, integrity and transparency.

While tone is set at the top, it is reinforced by clear, two-way communication lines: people who feel part of the culture are far more likely to adopt its ethical values. When assessing organisational 'tone', you must consider:

  • Modelling appropriate behaviours and actions:

    • What values make up the culture you are looking to have in your organisation? What steps are you taking to build a great culture?

    • Are you, as a leader, truly 'living and breathing' your organisation's values in your everyday actions?

  • Cyclical communication:

    • Are you regularly and transparently communicating organisational changes and performance within the organisation and allowing for feedback?

  • Articulating risk appetite and accountability

    • What is your organisation's risk appetite or tolerance? Is this clearly communicated to everyone in your organisation?

2. Relationships

Good relationships are the backbone of good business. With our clients and customers we strive to forge meaningful, collaborative and mutually beneficial relationships, and the same should be true for our employees.

Toxic employee-management relationships can make your organisation more susceptible to internal risk. Contributing factors include unrealistic budget expectations from management, excessive pressure to hit high targets, misaligned incentive programs, autocratic management, inadequate training and the absence of a confidential reporting avenue.

As such, organisational leaders should consider the following when reviewing their organisational structure:

  • Supportive organisational design

    • How does your current ‘chain of command’ impact the translation of ideas at the top to action?

    • Are employees fairly recognised and rewarded for their achievements? And are there opportunities for employee upward or horizontal mobility?

    • Does your current organisational structure support the values?

  • Effective ‘lines of defence’ reporting

    • Which individuals or groups in your organisation are responsible for each line of defence: risk identification and management; monitoring and control; and independent audit and assurance?

    • And are these lines able to operate independently?

  • Ability to raise issues

    • Are there confidential channels for employees to report misconduct or unethical behaviour?

    • How are issues or changes communicated internally?

  • Accountability

    • Are your expectations of accountability, ownership and responsibility communicated clearly and applied openly to all employees, irrespective of position?

    • Are all individuals within the organisation treated fairly and equally?

    • And is the appropriate disciplinary action undertaken with transparency for poor behaviour?

3. Capability

Focusing on improving your organisational capability (often referred to as organisational competencies) not only improves overall organisational performance, but can also significantly mitigate organisational risks.

Risk management capability generally focuses on preparedness and responsiveness.

By preparing for various 'worst case scenarios', such as fraud, data breaches and cybercrime, organisations can improve the speed and effectiveness of their response. Preparation also helps them spot early warning signs in advance, reducing both the likelihood of the scenario occurring and the severity of the incident if it does. Good risk cultures improve their organisational capability by investing in activities such as risk awareness training, crisis plans, team-based simulations and early detection technologies, so that the organisation is prepared for the unexpected.

Other things that you should also consider to improve your organisational risk capability are:

  • Facilitating a learning organisation

    • Is your organisation keeping up to date with relevant industry changes, new technologies, literature and processes?

    • Are opportunities for learning and development available at all levels?

    • What steps are you taking to create a culture that encourages continual improvement?

  • Root-cause analysis and training

    • When faced with a problem, are you treating the underlying problem (the 'root cause') or just the symptoms?

    • What steps are you taking to prevent the problem occurring again or to detect potential future problems?

  • Building resilience and accepting bad news

    • What steps is your organisation taking as part of crisis preparedness?

    • Have you set your leaders and employees up to handle setbacks and disappointment constructively?

4. Sustainability

While we've covered many of the improvements organisations can make to mitigate organisational risk, those improvements must be sustainable to succeed in the long term. Many organisations tend to focus on dealing with immediate and short-term risks because their impact and severity are clearly visible. However, it is often the long-term, systemic risks, which may not be accounted for, that cause the most irreparable damage.

Therefore, if you’re trying to implement meaningful and sustainable risk management solutions, you should consider the following:

  • Celebrate 'good' risk behaviours

    • Reward and recognition are key factors in a sustainable risk culture. How is your organisation actively encouraging good risk behaviours and motivating staff to go above and beyond when it comes to risk?

  • Consequence management strategy

    • What risk exposures does your organisation have and what is their impact severity?

    • What are your response, relief and recovery, and strategic communications strategies?

  • Understanding sub-cultures and ongoing monitoring of cultural changes

    • What culture and sub-cultures does your organisation currently have and how are you looking to change them from a risk culture perspective?

    • How are you monitoring various data points and indicators of culture over time?

  • Proactive management of emerging issues

    • What risks do you have in your organisation?

    • How can you prevent and/or mitigate these risks?


As we enter the post-Royal Commission era, organisations need to look closely at their risk-management practices, including how these interact with the business's goals and strategy.

Culture has now become a fundamental part of the governance, risk and compliance landscape. BDO has developed tools to help organisations meet regulatory risk-culture standards, assess where deficiencies lie, and implement and monitor risk cultures.

Should you have any questions about the above or require further information, please contact Tim Aman. Tim has worked alongside many organisations and businesses within Financial Services and is experienced at helping organisations design dynamic risk management methodologies and strategies to suit their individual circumstances.