Risk Culture
Risk What?
Risk culture for non-risk practitioners.
 Author: Ian Rich CEng BEng (Hons) MIET
1. What is organisational culture?
2. What is risk culture?
3. Why is risk culture important?
4. What does poor risk culture look like?
5. What does good risk culture look like?
6. Improving risk culture.
Dictionary definitions….
……….that which is excellent in the arts, manners, etc.
……..the behaviors and beliefs characteristic of a particular social, ethnic, or age group: the youth culture; the drug culture.
…………to grow (microorganisms, tissues, etc.) in or on a controlled or defined medium.
Culture is….
that which is excellent in the arts, manners, etc.
the behaviours and beliefs characteristic of a particular social, ethnic, or age group: the youth culture; the drug culture.
to grow (microorganisms, tissues, etc.) in or on a controlled or defined medium.
[Culture….the behaviours and beliefs characteristic of a particular social, ethnic, or age group]
Organisational Culture......
...........exists because of the repeated behaviour of its members; it encompasses values and behaviours that...
"contribute to the unique social and psychological environment of an organisation."
Needle, David (2004). Business in Context: An Introduction to Business and Its Environment.
• Organisational culture shapes the work environment in which performance occurs.
• Ultimately, not paying attention to culture undermines sustainability.
• A good, well-aligned culture can propel the organisation to success, the wrong culture stifles its ability to adapt to a fast changing world.
Organisational culture is shown in:
• The ways the organisation conducts its business, treats its employees, customers, and the wider community.
• The extent to which freedom is allowed in decision making, developing new ideas, and personal expression.
• How power and information flow through its hierarchy, and
• How committed employees are towards collective objectives.
http://www.businessdictionary.com/definition/organizational-culture.html
Sub Culture
“the cultural values and behavioral patterns distinctive of a particular group in a society”.**
Within any organisation, dynamic sub cultures will exist across business units and teams.
Understand who exerts the most influence over culture - this is not always the most senior people in the organisation.*
*https://www.aonhewitt.com.au/Home/Hot-topics/Understanding-risk-culture
Wells Fargo Bank – (2016)
• Wells Fargo employees secretly opened unauthorised accounts to hit sales targets and receive bonuses.
• Bank employees opened over 1.5 million deposit accounts that may not have been authorised.
• Employees submitted applications for 565,443 credit card accounts without their customers' knowledge or consent.
5,300 Wells Fargo employees fired.
The bank agreed to pay $185 million in fines, along with $5 million to refund customers.
http://www.wday.com/news/4111061-5300-wells-fargo-employees-fired-account-scam
Daimler and Chrysler – (1998 - 2007)
• The Daimler (makers of Mercedes-Benz) Chrysler merger was called a “merger of equals.” A few years later it was being called a “fiasco”.
• The German culture became dominant and employee satisfaction levels at Chrysler dropped off the map.
• A joke circulating at Chrysler at the time was “How do you pronounce DaimlerChrysler?… ‘Daimler’—the ‘Chrysler’ is silent.”
By 2000, major losses were projected and, a year later, layoffs began.
In 2007, Daimler sold Chrysler.
http://www.globoforce.com/gfblog/2012/6-big-mergers-that-were-killed-by-culture/
“a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose”.*
People fundamentally want to do the right thing. Therefore, organisations need to create a decent, open and respectful culture which allows employees to interact at work as they would in their home and social environment.
This is the culture which mitigates risk and reputational damage, encourages higher performance and develops a sustainable business model.
* https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-culture.aspx
The risk culture onion - reflecting the influences on risk culture, beginning with the predisposition to risk of the individual.
(2012) Risk culture - Resources for Practitioners (IRM)
Subcultures
Risk subculture may, akin to organisational subcultures, have an overriding detrimental (or positive) effect on what is believed to be the dominant culture.
“Organisational cultures attract like minded people”*
Employees adopt the pervading culture within an organisation.
* Schneider, B. (1987), The people make the place. Personnel Psychology.
1. Organisations need to take risks; it is not cost effective to eliminate all possible risks.
2. An organisation will be exposed to risk irrespective of its desire to take risks!
Organisations that want to be sustainable need to manage those risks.
The risk culture of an organisation will affect how these risks are managed and therefore risk culture clearly links to the ability to successfully execute strategy.
Consider process failure/neglect.
• Processes can be seen as ineffective/cumbersome.
• Processes may be slow to change/adapt/create/implement.
Culture can work to protect organisations from process failure/neglect.
Risk Culture gives effect to Enterprise Risk Management (ERM)
Effective risk management doesn’t function in a vacuum and rarely survives leadership failure.
The risk management function can review, inform, advise, monitor, measure and even resign - however it cannot control, decide or abort; that’s management’s job.
Without an effective risk culture in place to ensure that adequate attention is given to protecting enterprise value, ‘entrepreneurial’ behavior can run amok.
http://corporatecomplianceinsights.com/the-importance-of-risk-culture
“It is increasingly appreciated that a healthy risk culture can help support all sorts of
management activities. Getting risk culture right is therefore a vital consideration for
anyone seeking to integrate risk management within their organisation” Dr Alasdair Marshall (2016)
Why Risk Cultures Needs Prudence
Whilst there are a multitude of rules, regulations, codes, guidance documents, standards, audits, reviews, checks, processes, practices, etc., etc., blah, blah, blah.....
Bad things still happen!
Mont Blanc Tunnel 1999
Savar building collapse 2013
Risk culture should be viewed as part and parcel of organisational culture, just as risk management should be viewed as an integral part of Business as Usual.
Pike River Mine – November 2010
“Managers never identified a major explosion as a potential risk.
The worst case scenario was one they never thought about – let
alone prepared for” Nicholas Davidson QC – Pike River families
Royal Commission representative.
Ensuring an effective risk culture is an important task for Leadership.
Unfortunately, despite its importance, risk culture is often either paid lip service or simply ignored.
The wrong risk culture can have disastrous consequences.
Poor risk culture isn’t about behaving riskily or about being risk averse; poor risk culture is about a failure to appreciate that risk exists and that it has an effect.
Kodak – (1888 – 2012)
• Missed opportunity to adopt digital technology that it had invented in 1975 but was unable to capitalise on.
• Had become highly inflexible, management ran a tight ship, rewarded for maintaining the status quo.
• Not prepared to change direction, filed for bankruptcy in 2012.
Kodak’s failure was ultimately about its inability to take strategic risk.
(2012) Risk Culture Resources for Practitioners (IRM)
Traits of poor risk culture include:
• Poor communications and a failure to share data
• A lack of clarity around risk appetite and risk strategy
• A lack of accountability
• Over confidence
• A fear to challenge
• Shooting the messenger
• Indifference
• Slow response time
• Process manipulation
Intercontinental Hotels Group (IHG) – Hotels
• Active (Global) RM function – providing policy, standards, oversight for safety & security, insurance and risk training, and the coordination and promotion of RM leadership
• Risks captured across management levels, overseen by Risk Working Group, reported to Audit Committee
• Major risks assigned to executive members
• All functional teams have risk registers, action plans and (risk) performance monitoring
• RM is measured in terms of personal competence, hotel compliance, team maturity and business performance.
4500+ Hotels, established in 2003, revenue (US)$1.8Bn (2015).
(2012) Risk Culture Resources for Practitioners (IRM)
Some practical signals of what a good risk culture looks like:
• Leadership invested in risk management and are communicating that enthusiasm
• Strong flow of risk information throughout the organisation
• Organisation wide exposure to risk management practices
• Avoids leadership “kow-tow” and sloppy group think
• Risk taking encouraged, knowing that sometimes it will go wrong
• Continuous learning attitude
(2012) Risk Culture Resources for Practitioners (IRM)
Valve Software (Steam)
• Slow to hire – to ensure culture is maintained
• Staff encouraged to think carefully, and recognise and learn when things do not go well
• Mutual sense of ownership across the organisation
• Actively seeks risk takers
• Decisions are constantly tested, with a high distrust of assumptions
• Employees are very well paid (compared to like organisations), risk taking is rewarded and linked to performance management
Founded in 1996, 290+ employees, 35 Million online subscribers.
AstraZeneca – founded 1999 (merger of Astra AB & Zeneca plc)
Identified need for change following 1999 issue of the Turnbull Guidance - Adopted ERM 2002
Recognised there were opportunities created by deeper integration of risk and assurance functions/processes
Senior executives stated “internal controls were now aligned more closely with AstraZeneca values and the desired culture: effective control through empowerment and risk awareness rather than too much bureaucracy”
(2012) Risk Culture Resources for Practitioners (IRM)
AstraZeneca
Overall philosophy defined was “Enduring Shareholder value comes from creating opportunities and managing risks”, supported by five principles:
• Delivering opportunities by managing risk is a key part of all our activities
• In all our activities, risk should be understood and visible
• Approaches to managing risk will be simple, flexible and sustained
• Business context will determine the level of acceptable risk and control
• Risk will be managed consistent with Company Values.
Revenue 2015 – (US)$24.7Bn, 50,000 employees
(2012) Risk Culture Resources for Practitioners (IRM)
What does your risk culture need to do?
• Understand leadership team expectations
• Recognise reality
• Seek out information and promote discussion
• Promote fit for purpose risk management
• Hold staff accountable
• Improve communication
• Promote better decision making
4 steps to building a culture of Risk Management:
◦ Lead from the front
◦ Focus on personal accountability
◦ Hold business units accountable
◦ Refocus your RM function.
PWC (2010) reproduced at http://nkg.com.au/wp-content/uploads/2014/03/4-steps-to-building-a-culture-of-risk-management.pdf
Organisations have two major hurdles to overcome with regard to improving risk culture:
• building consensus amongst Leadership and,
• sustaining attention over time.
Patience and staying power are required; change takes time and real effort.