Assessing risk culture for better organisational outcomes

Risk culture is the very foundation that guides the behaviours of any organisation. It creates the benchmark for what is acceptable and what is unacceptable. It can be seen as part of an organisation’s DNA.


Unfortunately, we do not need to look far for examples of poor risk culture – from high-profile fraudulent conduct to sexual harassment scandals – organisations face the consequences of poor risk culture every day. These consequences extend beyond a tarnished reputation and can have a significant impact on an organisation’s bottom line, through legal costs, loss of market share to competitors and loss of productivity from high staff turnover.


No organisation wants to be known for its poor risk culture. This is where assessing your risk culture is essential. In this blog, we cover the importance of risk culture assessments, Hall Advisory’s assessment model and common areas for improvement, and discuss bullying and harassment as outcomes of poor risk culture.




Risk culture assessment


Risk culture assessments enable the organisation to get new perspectives on how effectively risk and compliance matters are dealt with across the business, the behaviours that are accepted and what obstacles stand in the way of improving culture and minimising unexpected outcomes.


Assessing risk culture is more than just a regulatory exercise. Assessing risk culture allows you to gain greater confidence that your staff will make the right decisions in all situations and that a strong ethical framework supports your organisation. Staff will feel confident and comfortable to speak up and challenge the attitudes and actions that they see.


A direct result of assessing risk culture is stronger risk culture. Strong risk culture promotes sound risk taking. Promoting risk management throughout an organisation that is supported by a strong risk culture will also help to ensure staff are thinking ahead to emerging risks or identifying and challenging risk-taking activities they think are outside the organisation’s risk appetite.


The challenge is using an appropriate model to assess risk culture.


For risk culture, or organisational culture more broadly, the longevity of any sophisticated assessment model is uncertain. People, organisations, and the industry at large are constantly changing and evolving. How individuals within organisations interact internally and externally changes over time due to many factors, including company-specific drivers, demographic changes in leadership and staff, and societal changes. Such factors also drive behaviour and culture norms, which need to be accounted for in any assessment model and monitored for consequential shifts in risk culture.


At Hall Advisory, we seek to recognise these variables through our risk culture assessment model.


Hall Advisory’s assessment model

Risk culture is a key element of an organisation’s overall governance and culture. Hall Advisory assesses risk culture using our five-pillar model to guide the assessments, which are tailored to individual organisational needs and circumstances.




Our risk culture survey questions for directors, executives, and staff at all levels are based on these five pillars and tailored to suit the specific requirements and dynamics of individual organisations.


The survey is followed by interviews with key decision makers and staff at various levels within the organisation and scenario-based workshops incorporating a risk culture diagnostic methodology. These additional steps assist with understanding the true meaning of the indicative survey results.


We believe that a combination of approaches is often superior to one type of assessment technique, given the sensitivities involved in discussing workplace dynamics and the varying degrees of individual comfort and/or willingness to engage with survey processes. Conducting an assessment by gathering data from several information sources helps to piece together a more accurate and complete picture of an organisation’s risk culture and sub-cultures.


Using the survey results and interview and workshop findings, we conduct trend analysis and a comparison of aggregated scores by pillar. This helps us identify the areas in which the organisation demonstrates the strongest risk culture and the areas for improvement.

Common areas for improvement


From our experience in conducting risk culture assessments, we see many of the same common areas for improvement. These include:

  • Transparency of information flows regarding risk issues and incidents.

  • Adequacy of resources to manage risk effectively.

  • Appropriateness of articulation and adequacy of communication of risk appetite.

  • Sufficiency and effectiveness of risk training programs at director, executive, and employee levels.

  • Adequacy of challenge in decision-making processes, and the extent of communication for the basis of key decisions to relevant levels within the organisation.

  • Clarity of roles and responsibilities relating to risk, including delineation between the three lines of defence.

  • Need for greater engagement of the business or line 1 with their risk management obligations, and the potential for implementation of risk champions within the business.

  • Consistency in application of the risk framework.

  • Adequacy of delegation frameworks, including the extent of empowerment across relevant roles and decision-making bottlenecks.

  • Adequacy of risk reporting to the executive team, board committees and board, and lack of holistic reporting and discussion of risks at different levels.

  • Lack of risk workshops and risk identification/assessment across the business to carefully consider operational and other risks by business unit or key processes.

  • Adequacy of executive level communications/actions to reinforce organisational values and the importance of risk culture, and to demonstrate the extent to which appropriate behaviours and risk-based calls are valued by the organisation.

To address these issues and encourage continuous improvement, Hall Advisory recommends the following approach for periodic assessment of organisational risk culture:

Bullying and harassment: a reflection of poor risk culture


A key matter that can be overlooked in risk culture assessments and reviews is bullying and harassment and the board’s role in preventing it in the workplace. Bullying and harassment, including sexual harassment, are increasingly recognised as important governance issues. As several cases continue to be uncovered, organisations should consider the steps taken to manage this risk not only in terms of response but more so prevention.


This applies across all industries, both public and private. In recent cases of sexual harassment at Parliament House in Canberra, multiple women have reported sexual assaults and others have spoken up about harassment experiences in political circles. Reports have revealed mishandling of complaints of misconduct, prompting reviews of workplace culture and complaint processes at Parliament House.


These cases reflect the poor governance and risk culture that exists in these institutions, with a lack of control around acceptable workplace behaviour. Further, these recent cases reveal staff do not feel confident or comfortable enough to speak up, challenge or report such behaviours, due to fear of the repercussions.


Beyond the management of existing cases, an overhaul of risk culture is required to discourage and appropriately manage poor behaviour by revisiting codes of conduct, providing staff training and education, reviewing systems for safe reporting and empowering disclosure of inappropriate behaviours.


However, before such improvements can be made to strengthen risk culture, an assessment of risk culture is needed.


Need help with your risk culture assessment?


Hall Advisory’s core services include organisation-wide independent assessments of governance, accountability, and culture standards and development and implementation of effective governance and culture frameworks. Our risk culture assessments cover:

  • A review of existing risk culture frameworks.

  • Issuing a risk culture survey across all levels of the organisation.

  • Interviews and workshops with selected directors, executives, and staff.

  • Assessment of collated results to identify strengths and weaknesses of the organisation’s risk culture.

  • Recommendations to improve risk culture, focusing on areas for improvement.

In addition to the above, Hall Advisory has experience in reviewing bullying and harassment cases to identify systemic issues, learning and improvement opportunities, providing a more holistic approach to assessments.

For an independent assessment of your organisation’s risk culture and framework, contact us today and let’s start with a confidential, no-obligation conversation about how we can help you.

