Risk Culture – Under the microscope
Name: Ann McFadyen, Head of Events and Training, The Institute of Risk Management
Date: 16th October 2012

An era of change and challenges
• 1989 – ‘World Wide Web’ (www) is created and the Berlin Wall falls
• 1995 – Collapse of Barings Bank
• 2000 – Millennium bug
• 2001 – World Trade Centre attacks and the collapse of Enron
• 2004 – Indian Ocean tsunami
• 2005 – Hurricane Katrina
• 2008 – Global financial crisis
• 2010 – Volcanic ash
• 2011 – Middle East and North Africa – social and political change
• 2012 – Collapse of the Euro ????

What is Risk?
• The effect of uncertainty on objectives – positive or negative

What isn’t Risk Management?
• Governance, risk and compliance
• (nor is it Audit, Project Management, Health and Safety, Insurance, Disaster Recovery planning)
• It’s both tangible – systems, processes, tools, registers
• And intangible – culture

What do we mean by Risk Culture?
Why is risk culture so important?
How does culture affect risk management?
What does a good risk culture look like?
What can the board do about risk culture?
How can you change a culture?

The culture of a group
• Arises from its repeated behaviours
• Behaviours are shaped by attitudes
• Both behaviour and culture are in turn influenced by the culture

So by risk culture we mean
• The values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation

Different types of organisation will have different cultures
And there can also be different cultures in different parts of the same organisation

IRM Risk Culture Framework
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture

Personal predisposition to risk
The Risk Compass

Personal ethics
Moral DNA
Profiling
“…only 55% of all respondents could say definitively that they would not engage in insider trading if they could make $10m with no risk of getting arrested.”
Labaton Sucharow survey 2012

Organisational Culture
Goffee & Jones Double S Model – diagnosing organisational culture

…..we surveyed IRM members to establish which organisational culture types would best support successful implementation of risk management
…..organisations required both strong Solidarity and Sociability for achieving good quality risk management results

…..our survey established that the right kind of risk culture can actively help with risk management and that the wrong type of culture, far from being neutral, actually makes it more difficult to manage risk

…..going back to our model of organisational culture, we refined it further to focus on types of risk culture

…..so how can we build solidarity and sociability in respect of risk management?

…..we identified eight aspects of risk culture of an organisation that could usefully be addressed

10 Indicators of a successful risk culture
• Distinct and consistent tone from the top
• Commitment to ethical principles
• Common acceptance of the importance of continuous management of risk
• Transparent and timely risk information flowing up and down
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn
• No process or activity too large or too complex or too obscure
• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned
• Risk management skills and knowledge valued, encouraged and developed
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged
• Alignment with employee engagement and people strategy

Sample from ‘10 questions for the Board’
• Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect our people to behave and respond when dealing with risk?
• How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
• Can people talk openly without fear of consequences or being ignored?
• How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas?
• How do the organisation’s structure, processes and reward systems support or detract from the development of our desired risk culture?
• Do we have sufficient organisational humility to look at ourselves from the perspective of stakeholders and not just assume we’re getting it right?
• How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values?
• How do we support learning and development associated with raising awareness and competence in managing risk at all levels?
• What training have we as a board had in risk?