Slides from TPP Not for Profit's Autumn 2012 HR Seminar on risk management for charities

1. Risk Culture – Under the microscope
Name: Ann McFadyen,
Head Of Events and Training
The Institute of Risk Management
Date: 16th October 2012

2. An era of change and challenges
• 1989 - ‘World Wide Web’ (www) is created and the Berlin Wall falls
• 1995 – Collapse of Barings Bank
• 2000 – Millennium bug
• 2001 – World Trade Centre attacks and the collapse of Enron
• 2004 – Indian Ocean tsunami
• 2005 – Hurricane Katrina
• 2008 – Global financial crisis
• 2010 – Volcanic ash
• 2011 – Middle East and North Africa - social and political change
• 2012 – Collapse of the Euro ????

3. What is Risk ?
•
The effect of uncertainty on objectives – positive or negative

4. What isn’t Risk Management ?
•
Governance, risk and compliance
• (nor is it Audit, Project Management, Health and Safety, Insurance, Disaster Recovery
planning)
• It’s both tangible – systems, processes, tools, registers
• And intangible - culture

5. Risk Culture thought leadership

6. What do we mean by Risk Culture?
Why is risk culture so important?
How does culture affect risk management?
What does a good risk culture look like?
What can the board do about risk culture?
How can you change a culture?

7. What do we mean by risk culture?

8. The culture of a group
• Arises from its repeated behaviours
• Behaviours are shaped by attitudes
• Both behaviour and culture are in turn influenced by the culture

9. So by risk culture we mean
• The values, beliefs, knowledge and understanding about risk shared by a
group of people with a common purpose, in particular the employees of an
organisation or of teams or groups within an organisation

10. Different types of organisation will have different
cultures
And there can also be different cultures in
different parts of the same organisation

11. IRM Risk Culture Framework
IRM’s risk culture framework
looks at component parts
making up an organisation’s
risk culture

12. Personal predisposition to risk
The Risk Compass

13. Personal ethics
Moral DNA
Profiling
…only 55% of all respondents could say definitively that they would not engage
in insider trading if they could make $10m with no risk of getting arrested.”
Labaton Sucharow survey 2012

14. Organisational Culture
Goffee & Jones
Double S Model –
diagnosing
organisational
culture

15. Why is risk culture so important?

16. More regulations, codes and standards than ever
before…..

17. ….but these are not sufficient in themselves for
the successful management of risk….

19. …..the missing factor is how people behave in
relation to risk, at all levels of the organisation –
the risk culture

20. How does culture affect risk management?

21. …..we surveyed IRM members to establish
which organisational culture types would best
support successful implementation of risk
management
…..organisations required both strong Solidarity
and Sociability for achieving good quality risk
management results

22. …..our survey established that the right kind of
risk culture can actively help with risk
management and that the wrong type of culture,
far from being neutral, actually makes it more
difficult to manage risk

23. …..going back to our model of organisational
culture, we refined it further to focus on types of
risk culture

24. …..so how can we build solidarity and sociability
in respect of risk management?

25. …..we identified eight aspects of risk culture of
an organisation that could usefully be addressed

26. What does a good risk culture look like?

27. 10 Indicators of a successful risk culture
• Distinct and consistent tone from the top
• Commitment to ethical principles
• Common acceptance of the importance of continuous management of risk
• Transparent and timely risk information flowing up and down
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn
• No process or activity too large or too complex or too obscure
• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours
challenged and sanctioned
• Risk management skills and knowledge valued, encouraged and developed,
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is
consistently and rigorously challenged
• Alignment with employee engagement and people strategy

28. What can the board do about risk culture?

29. Sample from ’10 questions for the Board’
• Are we providing consistent, coherent, sustained and visible leadership in terms of how we
expect our people to behave and respond when dealing with risk?
• How do we establish sufficiently clear accountabilities for those managing risks and hold
them to their accountabilities?
• Can people talk openly without fear of consequences or being ignored?
• How do we acknowledge and live our stated corporate values when addressing and
resolving risk dilemmas?
• How do the organisation’s structure, processes and reward systems support or detract from
the development of our desired risk culture?
• Do we have sufficient organisational humility to look at ourselves from the perspective of
stakeholders and not just assume we’re getting it right?
• How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values?
• How do we support learning and development associated with raising awareness and
competence in managing risk at all levels?
• What training have we as a board had in risk?

30. How can you change a culture?

31. ….. the IRM Risk Culture Aspects Model shows
the key areas for consideration to change culture

32. …..there are no quick fixes for changing culture
and no ‘recipe book’ solution

33. …..Culture change is likely to be a programme in
its own right

34. The Institute of Risk Management (IRM)
IRM is the world’s leading enterprise-wide risk education institute.

35. About 5000 members worldwide

36. Email: ann.mcfadyen@theirm.org
Tel: +44(0)20 7709 9808
Fax: +44(0)20 7709 0716
Institute of Risk Management
6 Lloyd’s Avenue
London
EC3N 3AX
United Kingdom
www.theirm.org