There is a need for organisations to develop a better understanding and a common language for risk culture. In this article I wish to demonstrate how this is possible and what tools are available to guide this process.
Risk culture is not something static. It is an evolving process that can be influenced and where changes can be managed. Organisations have therefore the ability to develop the risk culture that they wish for. To manage this, we need to look at risk culture through cultural lenses. Culture has many dimensions and we need to decide which of them are the most important to focus on. Assessing and managing risk culture should definitely not be a box ticking exercise.
The corporate culture is the most powerful control in any organization.
The box ticking syndrome
In the corporate governance field, the box ticking syndrome defines a formal approach to the implementation of corporate governance principles – doing something just because there is a rule that says that you must do it. Over the last few years, financial regulators (mainly in the banking and insurance sectors) are requiring companies to implement processes for the development and management of risk culture as part of the corporate governance framework.
Can risk culture fall into the box ticking trap?
According to the European Banking Authority (EBA) «Institutions should develop an integrated and institution-wide risk culture» (3) as a tool for effective risk management and to enable good decision making. The minimum elements of strong risk culture according to EBA are:
- Tone from the top – the management body should be responsible for setting and communicating the institution’s core values;
- Accountability – employees should know and understand the core values of the institution and must be held accoun- table for their actions;
- Effective communication and challenge – a sound risk culture promotes open communication, and
- Incentives – incentives should pay a key role in aligning risk taking with the institution’s risk profile and long-term interest.
This framework was first presented in the Financial Stability Board’s (FSB) Guidance on supervisory interaction with financial institutions on risk culture. It draws on the experience and efforts of supervisory and regulatory authorities across the FSB membership and insights garnered from the market participants through roundtables and bilateral discussions. The Guidance proposes a wide range of indicators of sound risk culture in accordance with the defined framework. The clear framework and the large set of indicators may lead to the temptation to develop a list to «diagnose» or «check» the level of risk culture in the organization and to prescribe actions to improve risk culture. Will it work?
The use of the term «indicators» to refer to elements of risk culture could be misleading as it implies a linear relationship where the performance of each element can be manipulated individually. This is not the case as it is the totality and interaction of all the elements which makes the culture, and for this reason the checklist approach to measuring culture is wholly inappropriate.
If the supervisors and management of financial institutions want to assess culture and its influence on risk management, they need to consider the organisation’s training and building of cultural experiences with a focus on behavioural analytics techniques. Culture is a complex issue and the temptation for boards and executives is to want to manage it in the same way as other business areas must be resisted.
Risk professionals (risk managers and internal auditors) need to dig below the surface and gain a deeper understanding of the true nature of the organizational and risk culture as the basis for understanding how culture can be both managed and changed.
The Competing Values Framework
• Internal focus and integration or External focus and differentiation
• Stability and control or Flexibility and discretion
You can not have both polarities at one hundred percent at the same time. Hence, they are competing values. By plotting those two dimensions in a matrix, the Competing Values Framework emerged. Its four quadrants correspond with four Organizational Culture Types that differ strongly on these two dimensions or four values: Clan Culture; Adhocracy Culture; Market Culture and Hierarchy Culture.
Read the full article first printet in SIRK 1/19 Risk culture beyond ticking boxes.