The document discusses the importance of risk culture within organizations and the role of boards in ensuring the right culture is established. It provides perspectives from various risk experts on questions boards should ask to assess their company's risk culture, such as asking about customer feedback, the effectiveness of whistleblowing systems, reporting of near misses, and the tone set by the board. Establishing a strong risk culture requires transparency, trust, and a focus on continuous learning from mistakes or close calls.

1. Everyone within an organisation needs to take responsibility for risk.
Dawn Murden examines what questions boards should be asking
in order to ensure they are creating the right culture
Understanding
Risk Culture

2. Attitude is everything when it comes
to managing risk effectively.
“If a company doesn’t have a positive
culture you can have as many rules as
you like, but in that moment of truth
when people are under pressure, they
will tend to do the wrong things,” says
John Shelley, Chief Risk Officer at RBS
Asia Pacific.
Creating the right mindset in a global
business is a difficult undertaking.
The emissions testing scandal in the
automotive industry and the discovery
of slave labour in the supply chain of
food companies reinforce why serious
attention has to be paid to risk.
Rules and regulations, combined with
integrity around remuneration and
bonuses, will provide a framework
for making good decisions, but senior
executive and non-executive directors
need to understand that governance
won’t be enough.
Lucy Dimes, Non-executive Director
at European textile service business
Berendsen and former COO of Equiniti
says that risk must be the responsibility
of everyone in the organisation but
the board needs to test that “there
is a strategy and direction in place,
monitoring and reporting against
key measures and indicators, and a
culture of awareness and ownership”.
There must be an operational framework
that is consistent with the organisation’s
values, according to Charlie Wagstaff,
Managing Director at Criticaleye.
“This needs to be wide-ranging and
sensitive to all situations encountered,”
he says.
“Transparency and openness are also key,
so that any outcome is readily apparent.
There should be no opportunity to hide
or conceal anything.”
Rafael Gomes, Senior Manager for Finance
& Risk Services at Accenture, comments:
“The data and insight to empower people
to make better decisions comes from
many different parts of the organisation.
“To effectively measure and manage
culture, the risk function must
increasingly work with the front office,
marketing, HR and stakeholders to
identify critical touch-points where
data is available.”
Criticaleye looks at the questions
boards should ask in order to assess
their company’s risk culture:
What do customers think
about our company?
Customers can give you an entirely
different perspective from those
within the business.
Jim Meredith, Chairman at hazardous
waste management company Augean,
says they can “tell you whether
management… understand and deal
with them appropriately”.
Realistically, not all non-executives will
have the time to interact with customers,
so Jim promotes the idea of having a
“mini customer conference” during
which NEDs and others can hear
their candid feedback.
Do we have a whistleblowing
system? Is it effective?
Employees must be able to raise
concerns without fear of losing their
job or damaging their career.
Andrew Heath, interim CEO and NED
at Imagination Technologies Group
and former CEO of Alent, comments:
“We look[ed] at the whistleblower
statistics at every board meeting at
Alent. I report[ed] on it because the
only way you can get the right culture
is by people telling you the truth,
otherwise you live in a bit of a bubble.”
It’s a case of the board asking
simple, direct questions. “Is there
a whistleblowing line?” asks Lucy.
“Is it anonymous? Does it allow
employees to flag concerns and risks
against a clearly communicated set
of values and tolerances? Is speaking
up valued or discouraged?”
Andrew agrees: “You’ve got to have
various channels, such as employee
helplines and whistleblower facilities
whereby people can independently
flag things without going through the
chain of command.
“People have a duty to flag concerns,
especially when it comes to reputational >
People have
a duty to
flag concerns,
especially
when it comes
to reputational
risks
Understanding Risk Culture 2www.criticaleye.com

3. ©Criticaleye2016
risks such as things to do with ethics,
bribery, corruption and bullying.”
Where have we had
near misses?
Consider those close shaves and what
they say about your organisation.
John from RBS comments: “We
have a system of notifying senior
management about things that nearly
went wrong. Think about the airlines
reporting near misses and then put that
into the context of your company…
Getting information about them is
more valuable than going on a witch
hunt to see who almost messed up.
“We want to know if our process, or
something we did or didn’t do, almost
resulted in an error. When these things
happen we need them to be reported
so we can learn from them.”
For David Gooding, Group IT Director at
waste management company Biffa, health
and safety is critical. “The waste industry,
after agriculture, is the most dangerous
industry to work in. So, this has been a
primary focus for us,” he explains.
This kind of reporting has been an
important part of Biffa’s process for
a while but is something they have
recently pushed further. “In the last
four years we’ve had a double digit
decrease in our incident frequency –
we’ve done that by really pushing the
reporting of potential hazards and
near misses,” he adds.
What tone does the board set?
Respect for risk management has to
start in the boardroom.
Andrew Allner, Chairman at the
Go-Ahead Group, says: “That is where
the tone and culture are set. If the board
takes risk seriously then the organisation
will naturally follow that lead.”
Samantha Barber, Non-executive
Director at Spanish utility company
Iberdrola, agrees: “A strong risk culture
also requires trust, transparency and
challenge within the boardroom between
executive and non-executive directors.
“Effectively managing risk is far more
about culture and leadership, than it
is about filling in a matrix.”
According to Deepika Bal, Managing
Director and Head of Risk Architecture
for Asia Pacific at Citibank: “The
foundational elements of a strong
risk culture include, among others, a
common purpose and mission, clear
goal-setting, fair and transparent
rewards mechanisms, ethics policies
and whistleblower protection.
“Most importantly, there has to be a
culture of learning and self-improvement.
Most large companies do have many of
these elements in place. However,
boards should focus on the efficacy of
these measures in embedding a strong
risk culture. Beyond these policies and
controls, boards are in a unique position
to set the tone at the top.” 
Andrew Allner
Chairman
Go-Ahead Group
Rafael Gomes
Senior Manager
Finance & Risk Services
Accenture
Featuring Commentary From:
Contact the contributors through:
www.criticaleye.com
Deepika Bal
Managing Director &
Head of Risk Architecture
Asia Pacific, Citibank
David Gooding
Group IT Director
Biffa
Lucy Dimes
NED
Berendsen
Jim Meredith
Chairman
Augean
John Shelley
Chief Risk Officer
RBS Asia Pacific
Charlie Wagstaff
Managing Director
Criticaleye
Samantha Barber
NED
Iberdrola
Andrew Heath
Interim CEO & NED
Imagination Technologies
Group
We want
to know if our
process, or
something we
did or didn’t do,
almost resulted
in an error.
Share TweetEmail Understanding Risk Culture 3www.criticaleye.com