The document discusses the importance of risk culture within organizations and the role of boards in ensuring the right culture is established. It provides perspectives from various risk experts on questions boards should ask to assess their company's risk culture, such as asking about customer feedback, the effectiveness of whistleblowing systems, reporting of near misses, and the tone set by the board. Establishing a strong risk culture requires transparency, trust, and a focus on continuous learning from mistakes or close calls.
Ensuring the Right Risk Culture Through Board Oversight
Everyone within an organisation needs to take responsibility for risk. Dawn Murden examines what questions boards should be asking in order to ensure they are creating the right culture
Understanding Risk Culture
Attitude is everything when it comes to managing risk effectively.
“If a company doesn’t have a positive culture you can have as many rules as you like, but in that moment of truth when people are under pressure, they will tend to do the wrong things,” says John Shelley, Chief Risk Officer at RBS Asia Pacific.
Creating the right mindset in a global business is a difficult undertaking. The emissions testing scandal in the automotive industry and the discovery of slave labour in the supply chain of food companies reinforce why serious attention has to be paid to risk.
Rules and regulations, combined with integrity around remuneration and bonuses, will provide a framework for making good decisions, but senior executive and non-executive directors need to understand that governance won’t be enough.
Lucy Dimes, Non-executive Director at European textile service business Berendsen and former COO of Equiniti, says that risk must be the responsibility of everyone in the organisation but the board needs to test that “there is a strategy and direction in place, monitoring and reporting against key measures and indicators, and a culture of awareness and ownership”.
There must be an operational framework that is consistent with the organisation’s values, according to Charlie Wagstaff, Managing Director at Criticaleye. “This needs to be wide-ranging and sensitive to all situations encountered,” he says.
“Transparency and openness are also key, so that any outcome is readily apparent. There should be no opportunity to hide or conceal anything.”
Rafael Gomes, Senior Manager for Finance & Risk Services at Accenture, comments: “The data and insight to empower people to make better decisions comes from many different parts of the organisation.
“To effectively measure and manage culture, the risk function must increasingly work with the front office, marketing, HR and stakeholders to identify critical touch-points where data is available.”
Criticaleye looks at the questions boards should ask in order to assess their company’s risk culture:
What do customers think about our company?
Customers can give you an entirely different perspective from those within the business.
Jim Meredith, Chairman at hazardous waste management company Augean, says they can “tell you whether management… understand and deal with them appropriately”.
Realistically, not all non-executives will have the time to interact with customers, so Jim promotes the idea of having a “mini customer conference” during which NEDs and others can hear their candid feedback.
Do we have a whistleblowing system? Is it effective?
Employees must be able to raise concerns without fear of losing their job or damaging their career.
Andrew Heath, interim CEO and NED at Imagination Technologies Group and former CEO of Alent, comments: “We look[ed] at the whistleblower statistics at every board meeting at Alent. I report[ed] on it because the only way you can get the right culture is by people telling you the truth, otherwise you live in a bit of a bubble.”
It’s a case of the board asking simple, direct questions. “Is there a whistleblowing line?” asks Lucy. “Is it anonymous? Does it allow employees to flag concerns and risks against a clearly communicated set of values and tolerances? Is speaking up valued or discouraged?”
Andrew agrees: “You’ve got to have various channels, such as employee helplines and whistleblower facilities whereby people can independently flag things without going through the chain of command.
“People have a duty to flag concerns, especially when it comes to reputational
People have a duty to flag concerns, especially when it comes to reputational risks
Understanding Risk Culture | www.criticaleye.com