Risk Culture – This is the first in a series of blogs on risk culture. We start the fundamentals and a definition. Subsequent posts will delve into how to measure, analyse, and manage an effective risk culture, how to understand what ‘good’ looks like and how to influence your risk culture to support business objectives.
What is risk culture and why is it important?
Organizations have made significant progress in developing rules, frameworks, processes and standards for managing risks. However, rules can be misunderstood and misapplied, inadvertently or deliberately. The ‘missing link’ in understanding how to balance risk and reward decision making successfully is an organisation’s risk culture.
Risk culture – you have one, but is it effective?
But what is risk culture? According to the Institute of Risk Management, it is the sum of the organisation’s “shared values, beliefs, knowledge, attitudes and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation”.
Every organisation has a risk culture. The question is whether that culture is effectively supporting or undermining long-term success.
Deficiencies in leadership, competence, communications and culture have been blamed for many of the worst industrial accidents and environmental disasters. Rogue traders causing millions of pounds of losses for investment banks can also be traced back to flaws in risk behaviour.
Equally, an inappropriate risk culture isn’t always about taking too much risk. Kodak was a trusted leading brand for over a hundred years. But its strategic failure to reinvent itself and exploit digital technology led to bankruptcy. Its culture meant that Kodak avoided risky decisions and instead, developed procedures and policies to maintain the status quo rather than adapting to the changing external environment.
Risk culture: more than just a statement of values
Clearly, the prevailing risk culture within an organisation can make it significantly better or worse at managing risks.
As a result, corporate governance requirements around the world are increasingly demanding that boards of organisations should understand and address their risk cultures. According to the Financial Reporting Council’s (FRC) Corporate Governance Code, each board member must be ‘risk aware’, establishing a company’s culture, values and ethics.
The board has a responsibility to set, communicate and enforce a risk culture that consistently influences and directs the strategy and objectives of the business. This starts with the risk behaviours, attitudes and culture of the board itself and translates into concrete actions down through the organisation.
Importantly, the management of risk culture offers more than just a way of avoiding the downside. More and more firms are forming the view that a strong risk culture, which builds consumer trust in firms and markets and inspires employees, is in the economic interests of firms and their shareholders.
All organisations need to take risks to achieve their objectives. However, establishing a consistent and enterprise-wide risk management framework, supported by a strong risk culture, aids business resilience, and minimises risks and potential losses. It also helps an organisation identify and take advantage of the right opportunities, and ultimately gain competitive advantage.
Next: Managing and improving an organisation’s risk culture. We’ll look at the role of leaders and the tools to gather data on risk culture.
For more information on Risk Culture, please contact your local Willis Towers Watson office of visit www.willistowerswatson.com.