Can having an appropriate risk culture help in the attainment of business goals and the avoidance of potentially destructive surprises? The answer is ‘yes’ according to the Institute of Operational Risk (IOR), which takes up the topic in its ‘Risk Culture – Operational Risk Sound Practice Guidance’ white paper and explores how a better understanding, assessment, and measurement of organizational risk culture can help mitigate operational risks and strengthen operational resilience.
Key takeaways from the white paper:
- No ‘one-size fits all’
From the very outset, the guidance asserts that there’s no such thing as an optimal risk culture to strive for, nor are there ‘strong’ risk culture characteristics to aim for or ‘weak’ ones to steer clear of. Risk culture concerns risk-taking as well as risk control and it’s worth considering that different risk cultures may exist within different areas of a business, particularly within larger, more diverse firms. Nevertheless, risk culture can be effectively managed with positive outcomes, as part of a sound operational risk management framework.
- What exactly is risk culture?
The IRM defines risk culture as: “A term describing the values, beliefs, knowledge, attitudes, and understanding about risk, shared by a group of people with a common purpose. This applies to all organizations, including private companies, public bodies, governments, and not-for-profits.”
Definition aside, a shared concept and understanding of risk culture organization-wide is what counts, particularly when it comes to what is included (or not) within the risk culture ‘umbrella’ and how values, beliefs, knowledge, attitudes, and understanding are relevant and resonant.
Take ‘values’; what are they for a particular business, and how do they relate to and influence the management of operational risk? Do staff bring their own values to the mix and if so, do these reinforce or contradict operational risk management?
As for ‘beliefs’, there will be both positive and negative takes on what people believe about the importance of operational risk and the benefits and costs of its management.
‘Knowledge’ – how much is known about operational risk and its management? Are people operational risk savvy or less competent?
And how do ‘attitudes’ towards risk interplay? Are people more risk-averse when a large potential threat is perceived and more open to risks associated with opportunities?
‘Understanding’ is gained through experience and those actively involved in the identification, assessment, and control of operational risks are likely to have greater insights.
- Assessing risk culture
“Assessing risk culture is complicated and prone to inaccuracies and biased interpretation… Also, how management interprets the results of risk culture assessments will be biased by their own beliefs, knowledge, attitudes, etc. about operational risk and its management.”
Whilst offering words of caution, the guidance provides details of the key ways in which assessment can be approached, on an enterprise-wide basis or through respective operational risk functions. In brief, the assessment methods explored cover questionnaires, with useful tips and considerations for designing them; interviews, which can provide “a deeper, more complete picture, reflected in what people have said about an organization’s risk culture”, though this approach can be time- and resource-heavy; focus groups, which allow common themes or issues within a risk culture to come to the fore; and direct observation, which can provide a powerful assessment tool in building a picture of risk culture and sub-cultures.
- Risk culture metrics
Since risk culture assessments can be resource-intensive, a more viable route may be to conduct these infrequently (perhaps annually or biennially) and combine these with more frequent risk culture metric reports.
The white paper outlines six metrics that can be used to help monitor risk culture: staff turnover, where high levels of staff change can dilute risk culture and low levels of turnover can intensify ‘groupthink’, leaving entrenched views of risk culture unchallenged; staff conduct, where spikes or falls in staff grievances or disciplinaries can point to changes in risk culture; policy compliance, where increases in compliance are a positive risk culture indicator; internal audit, within which delays in the completion of audit actions can signal behavioural issues or a lack of understanding around the need for robust operational risk management; losses and near misses, where sudden increases or decreases can reflect changes in risk culture; and risk communication, where the number of times that business functions contact the operational risk function for advice can be hugely telling.
The guidance also suggests that there should be cross-departmental involvement: HR and internal audit personnel should work with operational risk colleagues, providing insight into both the mix of personalities within the workforce and the way in which the organization functions.
- Influencing risk culture
“Extreme care should be taken” when trying to control risk culture. For optimum success, the guidance is to avoid far-reaching risk culture change projects and focus on targeting specific aspects of risk culture that it would be advantageous or desirable to influence.
From strategy and leadership, risk appetite and tolerance, and HR policies and procedures, through to communication (formal and informal) and process and system design, there’s a thorough exploration of the common and diverse measures used to influence risk culture.
Ultimately, if, as the white paper suggests, “an organisation’s risk culture is an important component in its success or failure,” surely it’s worth getting to grips with?