The essential ingredient to effective risk management: the culture

About a year ago, Michael Rasmussen and I made a presentation to the Society of Actuaries’ Risk Symposium on the topic of “Creating a Risk Management Culture”. (PDF of slides is available here.) I have always felt this was a seriously overlooked aspect of risk management, and the research I conducted prior to that presentation certainly reinforced that belief.

In the presentation, I quoted from the RiskMinds 2009 Risk Managers’ Survey:

“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non-executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).

In the majority of cases the culture was described as being only somewhat supportive or supportive of:

  • Effective risk management and governance of risk (65.2%);
  • Raising risks, challenging the status quo or widely held assumptions (68.2%).”

The Risk Management Association Enterprise Risk Council defines risk culture as follows:

“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone … views the trade-off between risk and return. The risk culture … determines how individuals and business units take risks.

While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”

What does this all tell us? That you can implement all the policies, standards, processes, and organization you want. But if the culture of the organization is not one that respects the value of understanding risk and using that information to drive quality decisions, if executives ignore the risks they are taking (perhaps for personal reward), if decision-makers (including the board) choose not to hear the voice of the risk manager, then risk management will fail.

One aspect that my friend Richard Anderson shared with me is the notion of “risk clockspeed”, which is the subject of research by Keith Smith. The notion is that sometimes the time between identifying a potential adverse event and when it might occur is very short. In fact, the time available for reacting is so short that following a process for assessing and evaluating the risk is not feasible. Therefore, managers will decide how to respond in a very reactive mode, based on their inclination towards accepting or avoiding risk. Their personal risk culture will dictate their actions – which may result in a risk response that is not consistent with the organization’s risk culture or the approved risk appetite. You can see more on this topic here.

I favor the ISO 31000:2009 risk management standard. But I don’t believe the global standard addresses the topic of risk culture satisfactorily. The standard certainly talks about understanding the internal context for risk management (which includes the risk culture), but does not provide guidance on how to assess whether the culture is defective – and what to do if it is lacking.

The December 2010 issue of Risk Management Professional (www.rmprofessional.com) included an article on “Developing a risk culture”. The editor has graciously sent me a PDF version of the article (downloadable in two parts: page 1 and page 2). The author, Alex Hindson, chairman of the Institute of Risk Management, discusses a diagnostic tool for risk culture. You can also see a presentation on the topic by Alex here.

Bloomberg Businessweek had a useful article in May 2009. Written for directors, it includes not only a description of risk culture but a number of questions that can help understand and assess the risk culture.

I am interested in hearing how people assess the risk culture within their organization, how that affects the design and operation of risk management, and how you go about improving the culture.

Other materials:

PwC: The risk culture survey

KPMG – What is your company’s risk culture?

  1. Keith Ouellette
    April 25, 2011 at 9:57 AM

    As always, Norman, timing is everything. I appreciate your insights into the effectiveness of risk management and the need for “tone at the top” to improve the risk culture of an organization.

  2. April 25, 2011 at 1:58 PM

    I really like what Professor Mervyn King (King Reports, South Africa) has to say on this – “it’s not just the tone at the top that counts, it’s the tune in the middle you also need to get right.”

    As they say in our company directors courses in Australia, “culture trumps process every time”.

  3. Deb
    April 25, 2011 at 9:47 PM

    Or, as someone else said, ‘culture eats process for lunch’. Agree with Todd. While a lot of attention is paid to tone at the top, tune in the middle hardly gets the right amount of focus. In many situations, it’s actually the middle management which acts as a barrier to transmission of the tone at the top to execution levels.

  4. Alpaslan Menevse
    April 26, 2011 at 5:13 AM

    Organizational threats:
    * Extreme risk aversion
    * Pass the buck
    * No news is good news
    * Knee-jerk reaction
    * My mind is made up
    * Make it so
    * And, I think the worst of all, the “shoot the messenger” symptom.

    As these behavioral threats exist in an organization (they usually do), the KRIs possibly are:
    * Increase in # of late reports and products
    * Increase in integrity loss in reports
    * Increase in incomplete projects or frequency of re-planning
    * Increase in meetings with no results or no consensus
    * Increase in validity checks for data
    * Data dictionary not up to date
    * Insufficient data architecture

    If these are the concerns of an IA, then it is very possible that the “culture” is not at the acceptable maturity level. More info in COBIT maturity models.

  5. April 27, 2011 at 7:39 AM

    A company isn’t ethical on paper – it takes actions. Effective leadership certainly sets the tone for the culture of an organization. As soon as employees see that management can get away with things they can’t, they won’t take management seriously because they don’t “walk the walk”. Risks should drive training programs and corporate culture so that employees are trained to make better decisions and do the right thing when faced with tough decisions. An important consideration that must be made is the different risks people face based on their role in the organization. The risks I face are much different than others in our organization and the training I receive reflects that. Another important point is that risks change. Programs and culture need to be evaluated over time to reflect new risks and how to handle them. Monitoring and evaluation should be done on an ongoing basis.

    It’s important that the culture reaches all levels of the organization, as many have mentioned above.

    July 25, 2011 at 8:39 AM

    Check out the document forwarded to you by Domenic Antonucci (section 8 on culture and embedding). I think that he captures the essence of what needs to be done. Of course, if management does not let you do these things, then it will be time to jump ship.

