Risk culture has been described as ‘the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes’.
Done well, risk culture is seen as the ‘glue’ that binds all elements of risk taking together (policies, practices, systems, people) because it reflects the shared values, goals, practices and reinforcement mechanisms that embed risk management into an organisation’s day-to-day decision making processes.
A deficient risk culture is often characterised by performance complacency or the normalisation of unwelcome behaviour and incidents. To make things worse, a poor risk culture can persist for some time without detection, or immediate damage.
Today, risk culture is on the radar of many global regulators including the Australian Prudential Regulation Authority (APRA) who have released an information paper/guideline for the financial services sector.
A good and effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner.
Our Risk Culture Diagnostic and Assessment helps to answer the following questions:
Risk culture remains a developing area. Research carried out by IRM (Institute of Risk Management) indicates that little consensus has emerged amongst the risk profession on the best way to analyse risk culture. Nevertheless, Boards and regulators expect organisations to undertake periodic risk culture assessments, analyse their results, monitor and report progress made.
Risk Culture Assessment Roadmap © InConsult
We work with each client to determine their desired or target risk culture state. We look at several elements:
We then utilise a range of data collection methods to obtain Board, management and employee perspectives and attitudes – this includes surveys, focus groups and interviews.
Once data is collected, we perform analysis of the data and compare the results to the desired risk culture.
We look deeply into the results to identify trends and outliers.
We corroborate information against other surrogate data measures available e.g. incidents, issues to paint a clear picture.
Then, we assess the impact of results on the organisations future strategy and past performance.
Finally, we identify the changes required to change culture by identifying ‘cultural inhibitors’ and the desired behaviours and attitudes.
Culture change does not lead with words — it leads with action.
Our Risk Culture Assessment is likely to present further challenges to our clients and place more demands on Senior Management and employees.
InConsult is well positioned to help clients reset or refine risk culture targets and metrics and support them in the implementation of many of the changes required.
Organisations are dynamic and so are their cultures. Risk culture will require ongoing monitoring and continuous refinement and improvement.
The third edition of the Australian Standard AS 8001:2021 – Fraud & Corruption Control was released in June 2021. This better practice Standard is arguably the