1. Risk Culture – Under the microscope
Name: Ann McFadyen,
Head Of Events and Training
The Institute of Risk Management
Date: 16th October 2012
2. An era of change and challenges
• 1989 – ‘World Wide Web’ (www) is created and the Berlin Wall falls
• 1995 – Collapse of Barings Bank
• 2000 – Millennium bug
• 2001 – World Trade Centre attacks and the collapse of Enron
• 2004 – Indian Ocean tsunami
• 2005 – Hurricane Katrina
• 2008 – Global financial crisis
• 2010 – Volcanic ash
• 2011 – Middle East and North Africa - social and political change
• 2012 – Collapse of the Euro ????
3. What is Risk?
• The effect of uncertainty on objectives – positive or negative
4. What isn’t Risk Management?
• Governance, risk and compliance
• (nor is it Audit, Project Management, Health and Safety, Insurance, Disaster Recovery planning)
• It’s both tangible – systems, processes, tools, registers
• And intangible - culture
6. What do we mean by Risk Culture?
Why is risk culture so important?
How does culture affect risk management?
What does a good risk culture look like?
What can the board do about risk culture?
How can you change a culture?
8. The culture of a group
• Arises from its repeated behaviours
• Behaviours are shaped by attitudes
• Both behaviour and attitudes are in turn influenced by the culture
9. So by risk culture we mean
• The values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation
10. Different types of organisation will have different cultures
And there can also be different cultures in different parts of the same organisation
11. IRM Risk Culture Framework
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture
13. Personal ethics
Moral DNA
Profiling
“…only 55% of all respondents could say definitively that they would not engage in insider trading if they could make $10m with no risk of getting arrested.”
Labaton Sucharow survey 2012
21. …we surveyed IRM members to establish which organisational culture types would best support successful implementation of risk management
…organisations required both strong Solidarity and Sociability for achieving good quality risk management results
22. …our survey established that the right kind of risk culture can actively help with risk management and that the wrong type of culture, far from being neutral, actually makes it more difficult to manage risk
23. …going back to our model of organisational culture, we refined it further to focus on types of risk culture
24. …so how can we build solidarity and sociability in respect of risk management?
25. …we identified eight aspects of risk culture of an organisation that could usefully be addressed
27. 10 Indicators of a successful risk culture
• Distinct and consistent tone from the top
• Commitment to ethical principles
• Common acceptance of the importance of continuous management of risk
• Transparent and timely risk information flowing up and down
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn
• No process or activity too large or too complex or too obscure
• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned
• Risk management skills and knowledge valued, encouraged and developed
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged
• Alignment with employee engagement and people strategy
29. Sample from ‘10 questions for the Board’
• Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect our people to behave and respond when dealing with risk?
• How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
• Can people talk openly without fear of consequences or being ignored?
• How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas?
• How do the organisation’s structure, processes and reward systems support or detract from the development of our desired risk culture?
• Do we have sufficient organisational humility to look at ourselves from the perspective of stakeholders and not just assume we’re getting it right?
• How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values?
• How do we support learning and development associated with raising awareness and competence in managing risk at all levels?
• What training have we as a board had in risk?