Risk, culture and the role of risk professionals

There has been a huge uplift in the link between risk and culture. This interest is from regulators, Boards and senior executives. The term risk culture is often used to describe how the culture of the organisation shapes the way it considers, manages and exploits risk.

Risk professionals, in particular, the Chief Risk Officer (‘CRO’), have a critical role in enabling effective risk culture. From their direct influence on their executive colleagues and Board members, through to the establishment of an effective risk function, through to partnering with multiple business functions to enable an effective risk culture.

The following are the crucial roles the CRO and the risk function play in enabling an effective risk culture:

1. Influence with gravitas and action

Above and beyond their functional and statutory responsibilities, risk professional influence culture through:

• Educating the organisation on ways of thinking about risk culture
• Helping the organisation to understand the factors affecting risk
• Actively and consistently promote living the risk culture (including value creation)
• Acting as an independent voice AND aligned to desired organisational outcomes
• Encouraging and enabling a responsive, pro-active risk culture
• Partnering with Board and senior executive to holding the most senior people accountable for role modelling
• Enabling the Board and senior executive to connect risk and strategy

2. Building ‘first line’ organisational capacity

The CRO and risk function have a pivotal role to partner with the organisational learning and development functions in developing initiatives to shape culture. These include:

• Create risk culture education and awareness
• Learning initiatives that enable mindsets of shared responsibility and build adaptive capacity including a culture of learning
• Establishing and cultivating networks of risk advocates 

3. Building the capacity and mindsets of the ‘second line’ risk function (individual capacity)

The risk function needs to be a role model, expert and partner in establishing effective risk cultures. In addition to the capacities required of the ’first line’, the risk function must also develop the following capacities:

• Trusted business partner – advise and mentor as well as provide constructive challenge and effective Influence
• Systems thinking – establishing risk practices aligned to organisational context and strategy
• Enabling an effective risk culture – empowering and supporting the ‘first line’ without removing responsibility. This demands a combination of compassion AND accountability

4. Influencing and enforcing structural mechanisms that enable an effective risk culture

In partnership with organisational leaders and learning and development specialists, the risk function can influence the organisation’s risk culture and ensure an effective risk culture is encouraged through:

• Recruitment and selection practices
• Induction activities
• Accountability and responsibility principles
• Procurement and stakeholder selection practices
• Communications processes
• Performance management and development planning frameworks
• Retrospectives – identifying successes and learning
• Reward and recognition processes
• Establishing links between risk and change management
• Establishing links between ‘risk health’ and performance assessment

5. Measuring and assessing risk culture

In measuring and assessing risk culture, it is essential to consider the current market and organisational context. This includes the organisation’s strategy and business plans, as well as the external environment, such as regulatory, market or competitor developments.

The risk function has a role to play in selecting measures of risk culture that:

• Consider the critical facets of risk culture (including mindsets and beliefs)
• Are fit for the organisation’s context
• Align to other culture measures that the organisation uses
• Consider stages of risk maturity

6. Partnering with ‘the third line’ internal audit

The internal audit function plays a crucial role in assessing and providing assurance as to how well the organisation is embedding an effective risk culture. In that context, the internal audit function is a critical partner on many of the above initiatives

Enabling a mature risk culture goes beyond assessing effective risk processes and behaviours. It requires building the collective ownership for risk by the whole organisation and deepening the understanding of the ripple effects of our actions on our stakeholders and our broader organisational system. It requires mindsets and attitudes that consider the potential risks and opportunities in each decision. The role of the CRO is crucial in building effective risk cultures.

Adaptive Cultures has successfully partnered with CROs in enabling more effective risk cultures. This has been through exploratory Board risk culture workshops, measuring stage of cultural evolution through the groundbreaking Cultural Insights Diagnostic and developing the capabilities of the CRO and the risk function. We are launching the CRO and Risk Leaders program in early 2019. If you would like to find out more click here.