
Risk Culture: Reflections of Risk Managers
March 2013
Sally Bennett, Managing Director, Enhance Solutions

The Think Tank

As Risk Managers we are tasked with the objective to embed a risk management culture into an organisation, or words to that effect. This objective currently seems to be posing more questions than answers. To assist both ourselves and risk managers in general, we facilitated a think tank involving a cross section of experienced risk managers across several different sectors, from health to project risk.

The group grappled with a few key questions:
- What does a risk culture really look like?
- What are the things that influence the risk culture?

Two further questions emerged from this:
- What should risk champions be?
- What do we do if we don't have senior management buy-in?

We would like to thank those involved in the Think Tank. This paper aims to summarise the thoughts and inputs from the group and provide some guidance for risk managers in general.

What does a risk culture really look like?

For an organisation to strive towards a risk culture, it needs to have a Vision of the Future to strive towards. So do we really know what it is we are aiming to embed in organisations? What does it look like or feel like when there is a Risk Culture? What do we see?

Interestingly enough, the first question triggered a completely separate question: "what is culture?" For the sake of completeness, the following definition or description of Culture is provided.

Culture

Culture is a difficult concept to define. We all intuitively know what we mean; however, it is a very complex concept. Some definitions include:

- "A pattern of shared basic assumptions invented, discovered, or developed by a given group as it learns to cope with its problems of external adaptation and internal integration that have worked well enough to be considered valid and therefore, to be taught to new members as the correct way to perceive, think and feel in relation to those problems" (Schein, 1992).
- "the specific collection of values and norms that are shared by people and groups in an organization and that control the way they interact with each other and with stakeholders outside the organization." (Hill and Jones, 2001)

The Think Tank group defined Culture as the acted out values and behaviours and personality of an organisation, or the way an organisation looks and feels internally for employees and externally for clients and stakeholders. The challenge is how to describe the current culture of an organisation.

The Roshan Institute suggests that Culture refers to the following Ways of Life, including but not limited to:

- Language: the oldest human institution and the most sophisticated medium of expression.
- Thought: the ways in which people perceive, interpret, and understand the world around them.
- Arts & Sciences: Most advanced expression
- Spirituality: the value system expressed through language and actions.
- Social activity: the shared pursuits within a cultural community.
- Interaction: the social aspects of human contact, including the give-and-take of socialization, negotiation, protocol, and conventions.

This definition tends to provide a more tangible set of lenses to look at a culture.

Risk Culture

Risk culture is the collection of beliefs, values and behaviours of the people within the organisation that shape risk decisions. In order for a risk culture to exist, risk management must be embedded into the organisation's culture. It should be included in the organisation's policies, procedures, and practices, not a separate business activity. When achieved, the entire organisation has become involved in the managing of risk, with risk management automatically being factored into decision making at all levels of the organisation.

Look and Feel

As risk managers, for us to achieve this we need to have a good understanding of what this looks like and feels like: what we are hearing people say and what we are seeing people do. We asked the Think Tank members to discuss this.

The key characteristics of a risk culture identified by the Think Tank group are outlined below.

Vision & Value

- People in the organisation see the value of risk management, namely how it can benefit their work as well as produce optimum outcomes for the organisation.
- People are engaged in risk management and are applying it consistently because they see the value behind managing risk.
- There is a consistent view of risk and opportunity across the organisation.
- People recognise that risk management is not only used for preventing or minimising adverse outcomes but that it is used for realising gains and can help the organisation to grow.
- The organisation welcomes external audits and recommendations for continuous improvement.

Strategy & Appetite

- In a risk culture, risk management is incorporated into the organisation's strategy. It is a part of the vision, mission and values of an organisation.
- Risk management is incorporated into the business planning cycle, starting with the strategic plan and then cascading through to operational and team plans.
- The risk appetite is clearly defined and expressed in the organisation and is aligned with the organisation's strategy.

Organisational Structure

- The organisational structure is set up to enable escalation of risks to the right level.
- Risk management roles and responsibilities for each level of the organisation are clearly defined and acted out.
- Each level of the organisation is well integrated with the next level above or below; for example, there is a harmonious connection between the board, executive and operations.
- Key performance indicators include risk management for each level of the organisation.

Information Systems & Training

- Processes would be used that enable people to make and act on decisions quickly and efficiently with positive flow-on effects. As more people in the organisation begin to see the benefit of using the processes, adoption of such processes is likely to become more widespread.
- The system is set up to allow managers and staff to report and document risk, and to treat risks.
- There is a strong and active risk framework, including risk management policies and procedures together with an active and transparent risk register.
- All managers receive training about the risk management framework, and their role in leading it, from risk and governance training for Boards, to Risk Leadership training for managers.
- Induction training exists to support the risk framework and language.

Leadership & Communication

- The tone at the top is strong and positive, and management lead by example, with Executives actively engaged in the risk management process and applying it to their work.
- There is ownership of risk throughout the organisation, including at Board, Executive, Management and staff level.
- Risk leadership is evident at each level of the organisation and people are self-driven and willing to take ownership of risks. This leads to better decision making at all levels.
- Risk management language is used consistently throughout the organisation and is understood. This includes a harmonious connection between all levels, and between operational, project and strategic levels.

Dealing with Bad News

- There is a culture in which it is both safe and encouraged to report bad news and events, and to respond proactively to them.
- The organisation actively learns from mistakes and errors, and responds swiftly to continuously improve and recover from bad events.

Risk Analysis and Controls

In a mature risk culture, organisations recognise the value of data and analysis for informed decision making. There is also a strong focus on control effectiveness. For a strong risk culture to be in place BOTH are critical. Informed risk decisions need to be made using the right data and risk assessment techniques, AND usable, accessible and appropriate controls need to be in place and used consistently, that is, embedded in the practices of the organisation. A drive for continuous improvement is consistent in all models.

The Architecture

In a risk culture there will be artefacts such as documents, reports, procedures and tools that define how the organisation should work, and then there will be less visible and tangible things happening which are indications of how the organisation really works. In a strong risk culture these will work well together and complement each other. There are various elements that make up a risk culture. The degree to which the culture thrives depends heavily on how well these elements work together.

What can influence a risk culture?

The group provided insights into both things that could positively influence and drive a risk culture and barriers or negative influences.

Positive Influences

Categories shown in the diagram: External Climate Drivers; Having a plan; Leadership behaviours; Perceived value; Governance Framework & Tools; Risk Managers; Risk Champions.

Items shown:
- Industry direction
- Legislation
- Competitors
- Government funding
- Annually reviewing the Risk maturity of the organisation, and having a planned approach to implement and embed the culture
- Role modelling
- Providing training at all levels
- Ongoing monitoring ("what interests my boss fascinates me")
- Mandate / clear expectations
- Have clear leadership roles at all levels, tone set at top, culture is embedded day-to-day through frontline leaders
- Clear picture of "what's in it for me" described
- Success stories
- States expectations and appetite
- Easy to use
- Provide language and tools
- Shows linkages and integration
- Links to KPIs
- Accessible
- Reports linked to decision making and action
- Use of websites, newsletters
- Fit for purpose
- The governance process must flow well and be responsive
- Have mandate and authority
- Tenacity
- Positive change leaders
- Risk Champions scattered through business

Negative Influences

Categories shown in the diagram: Leadership behaviours; Risk Managers; History; Governance Framework & Tools.

Items shown:
- Not influencers
- Not positioned at right level of the organisation
- Seen to own risk management rather than as a change driver
- On their own
- No follow up
- Blame culture
- Not enough resources applied, no priority given
- "This is the way we've always done it"
- Fall in love with shadows, backwards looking mentality allowed
- Too complex
- Full of jargon
- Reporting processes drive poor behaviours, e.g. lack of reporting
- Take too much time, too much paperwork
- Not practical to apply
- Sets up silos, or doesn't recognise natural organisational structure
- Limits sharing

Risk Champions

The term "Risk Champion" is becoming commonplace; however, it seems that different organisations interpret this role differently. So what are the pros and cons of risk champions?

When implementing a risk language and culture through an organisation there are often more questions than answers. As an organisation's leaders and employees start to try new practices, someone needs to be there to coach them, answer their questions and guide them through the confusion. In most organisations there are not enough Risk Managers available to do this, so having Risk Champions scattered through the organisation, with more in-depth knowledge initially, can really help to get and maintain momentum.

On the downside, some organisations focus their training on Risk Champions alone, sending a clear message to the organisation that risk is the role of the Risk Champions. This approach can have the effect of letting the management team off the hook. Risk Champions need to be set up as a resource and a coach to support the role of the leadership within the organisation.

Senior management buy-in

It almost goes without saying that the biggest hurdle or barrier to success is getting Senior Leadership support and buy-in. So one of the key questions asked was what hints or tricks help to get senior buy-in if you don't already have it. The overwhelming hint was that senior leaders needed to see value. As a Risk Manager, you need to paint an overwhelming need for change, and create a sense of urgency. The tactics for doing this were varied; however, part of it tended to be dependent on the decision making style of the senior leaders.

The hints and tips were:
- Benchmark
- Conduct a hard document review
- Use specific risks
- Do it with people & use a tool to engage
- Think BIG but start small: work with a few key operations people
- Get quick wins: celebrate & communicate
- Honesty and integrity
- Flexible approach
- Build relationships
- Stealth

And the final hint or tip that was provided was "Just keep going...!!!"

The three biggest characteristics required of a Risk Manager are the 3 Ps:
- PATIENCE
- PERSEVERANCE
- PASSION

Good luck to you all on the journey!

Enhancing Lives and Livelihoods

Enhance Solutions is an innovative consultancy firm specialising in Business Risk and OHS solutions. Our services are based on a specialised platform that focuses on:
- Culture Development
- Strategy
- Systems & Framework, and
- Learning & Development

Contact Enhance Solutions today for all of your risk solutions.

Unit 5, 27-33 Raglan Street, South Melbourne, VIC 3205
PH: 1300 887 746
Fax: +61 3 9686 7874
www.enhancesolutions.com.au