What gets measured gets managed, and that certainly holds true for risk culture. But how do you measure it? The very notion of organisational culture can seem difficult to describe, let alone quantify or manage.
As a result, many companies have so far focused on risk management and control systems as drivers of risk culture. But experience shows that control systems can be well established but do little to address underlying culture. Culture runs deep, and is concerned with leadership tone from the top and employee beliefs, risk attitudes and behaviours. They, in turn, are influenced by company programmes such as performance management and pay and incentives, as well as more individual factors such as manager relationships.
A structured response
Most major companies and many smaller ones collect reams of data, which can be insightful in the area of culture but do little with it in this respect. A more structured approach offers a great deal more insight.
Organisation-wide employee survey data can offer invaluable data on the employee perspective. Risk culture surveys are well established and proven to uncover issues that management are frequently unaware of in relation to – for example – how leadership messages are understood and received, the impact of incentives, monetary and otherwise, and the degree to which risk control parameters are understood and adhered to.
Individual assessments offer in-depth behavioural evaluations of leaders, senior management or other key, risk-taking populations. Based on extensive research, the motivations, talents and capabilities of key employees can be assessed to provide a holistic picture of workplace behavioural tendencies.
Using data to build a comprehensive picture of a risk culture
Insight into employee views and individual/group-level propensity for risk taking can guide actions taken to manage and mitigate risk and highlight the relationship between individual operating styles and the broader risk culture and work environment.
Combining this data with other information commonly held by companies on performance management, pay and bonus outcomes, broader employee engagement and manager span of control, for example, greatly improves its descriptive power. And by running correlations with incident reporting or insurance claims data, a truly comprehensive picture can be built of the factors driving behaviours which lead to specific risk outcomes.
Regulatory pressure and board responsibility
In order to meet FRC requirements set out in the U.K. Corporate Governance Code, directors are being challenged by a number of complex questions:
- What is risk culture and how can it be assessed and evidenced?
- What does ‘good’ risk culture look like?
- How do you influence risk culture and what are the most effective mechanisms?
- How do you obtain assurance of success?
- What are the different roles of non-executive directors and operational management?
The code requires boards to be responsible for establishing their company’s culture, values and ethics. It also states that boards should set the right tone from the top to help prevent misconduct and unethical practices. The embedding of appropriate reward systems throughout the organisation is also emphasised as integral to an effective risk culture.
Establishing a common language for risk culture
We have found that introducing a risk culture measurement process makes the topic more accessible and tangible to internal and external stakeholders. It provides a common language and set of constructs that managers can use to discuss the topic in a constructive way, and helps both investors and regulators understand the value – and risks — of an existing risk culture.
Measuring risk culture gives leaders, managers and employees the insights they need to begin managing that culture effectively and identifying changes to governance, control, communication and supporting HR programmes that will improve culture and reduce risk.
Up next – What does a good risk culture look like where we’ll look at a series of statements that will help you understand whether you have the right risk culture to help you achieve business objectives.
For more information on risk culture, please contact your local Willis Towers Watson office of visit www.willistowerswatson.com.