Increased recognition of influence culture has on management of risk

Increased recognition of influence culture has on management of risk: practical guidance and insights now available.

From Robert J Toogood, Senior Partner – Chaordic Solutions:

In recent months, there has been increased recognition of the importance and part that Culture has on the effective management of Risk within an organisation.

It is of particular interesting to see that the Institute of Risk Management (IRM) has recently published its own board guidance on Risk Culture.  As Richard Anderson, IRM Chairman, states in their introductory Risk Culture paper “Problems with risk culture are often blamed for organisational difficulties but, until now, there was very little practical advice around on what to do about it.”

So what is this thing we call Risk Culture?

The IRM definition is:

“Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation. This applies whether the organisations are private companies, public bodies or not-for-profits and wherever they are in the world.”

Anderson goes on to say “This paper seeks to give guidance in this area, drawing upon the wealth of practical experience and expert knowledge across the Institute. It aims to provide advice to organisations wanting greater understanding of their own risk cultures and to give them some practical tools that they can then use to drive change.   This short document summarises our approach to risk culture for those working at board level.  There is also a longer companion document – Risk Culture: Resources for Practitioners – which covers the detailed thinking behind the concepts and models that we have found to be useful.  This remains a developing area and we do not consider that we have written the last word on the subject – we expect to see more models and tools and in particular sector and issue-specific work emerging in the future.”

But the IRM is not the only organisation currently looking at the impact of Culture on Risk.  The Centre for Analysis of Risk and Regulation (CARR) and the University of Plymouth has recently published an interim report entitled “Risk Culture in Financial Organisations”, which explores the issue of how financial institutions are increasingly investing in programmes to understand and manage their risk cultures.  It is of particular interest to read in this report that that despite almost universal agreement that the organisational risk culture of banks and other financial institutions (BOFIs) played a major role in the global financial crisis, the research has found that there is still no clear consensus on how such risk cultures can be effectively managed.

The Executive Summary of the report makes the following points:

“First, in contrast to public debates which emphasise values and the need to change mindsets, we learned of risk culture workstreams with more of an emphasis on improving oversight structures and information flows, including performance metrics for risk and good compliance.”

“Second, from our discussions it also appeared that critical issues in risk culture were being played out in the space between what are called first and second lines of defence, suggesting that this distinction, which many take for granted, may not be helpful in advancing the debate about risk culture.”

“Third, improving risk culture was also seen by CROs as a matter of improving the organisational footprint of the risk management function. This was more than just rolling out ERM systems but involved expanding the reach of informal risk processes, information sharing and escalation, and representation on key committees.”

“Fourth, we also heard concerns about a familiar issue – the role of documentation. The argument was that some documentary and evidentiary demands were creating the wrong kind of risk culture. We intend to follow up further on this.”

In the meantime, it is interesting to read that Norman Marks made the following comment last year on the importance of Culture in one of his regular blog posts:

“Culture can be excessively aggressive or passive. Striking and maintaining the right balance is not easy, but is essential to delivering sustained performance, considering risks, and remaining in compliance.”

Over the coming months, we will be investigating this important topic in much more detail and look forward to updating you later in the year with what we discover.

More …

Institute of Risk Management (IRM): http://www.theirm.org/

IRM Risk Culture Guidance Resources: http://www.theirm.org/RiskCulture.html

Centre for Analysis of Risk and Regulation (CARR): http://www2.lse.ac.uk/researchAndExpertise/units/CARR/home.aspx

Risk Culture in Financial Organisations – Interim Report:  http://www2.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Risk-culture-interim-report.pdf

Norman Marks Blog Post: Questions to ask about GRC – #5: Culture: http://normanmarks.wordpress.com/2012/07/20/questions-to-ask-about-grc-5-culture