
The list of key risks that should be keeping us awake at night seems to be forever changing. Whatever your list, Culture and Conduct Risk should be a permanent fixture in your "Top 10". Firstly, the risk is enduring: as long as we have people, we have the risk. Secondly, it is a major driver of many other risks and of overall performance. I would go as far as to say it is the foundation on which everything else is built, and many years ago I was spiritually advised to build on rock, not on sand!

Are you adequately measuring, monitoring, managing, and controlling your culture and conduct foundation?

Risk Management is forever evolving. It has come a long way in the past 20 years but has a long way to go. This is particularly true for some of the more difficult to manage risks including Culture Risk and Conduct Risk. This article is aimed at helping that ongoing development.

This article focuses on:

  1. What is Culture and Conduct Risk?
  2. Why is Culture and Conduct Risk tricky to manage?
  3. What needs to be done?

1. What is Culture and Conduct Risk?

Using the ISO 31000:2018 definition that Risk is “the effect of uncertainty on objectives”, it follows that Culture and Conduct Risk is “the effect of uncertainty, created by culture and conduct, on objectives”.

In describing the difference between Culture and Conduct, we typically consider Culture to be “What goes on around here when no one is looking” and conduct to be “What goes on around here, which affects our customers, when no one is looking!”. Culture is internally focused and Conduct, externally focused. The two are obviously connected. Poor culture usually drives poor conduct.

Using my family as an analogy, "Culture" is how my children behave at home and "Conduct" is how they behave at their grandparents'!

Fig 1. Culture and Conduct

2. Why is Culture and Conduct Risk tricky to manage?

We all accept that Conduct and Culture Risk is very real. History is scattered with the damage! Its management is therefore critical yet difficult. Why?

  1. The risk is human-based and human-driven. It is therefore unpredictable, often invisible until it's too late, and difficult to control given free will.
  2. Society, regulators, customers, and stakeholders generally are becoming much more aware and conscious of behaviour. A social licence to operate is becoming increasingly critical to earn and maintain.
  3. Culture and Conduct is difficult to measure and “you can’t manage what you can’t measure” (Peter Drucker). The historical lack of data has traditionally led to the monitoring and measurement of culture and conduct and their related risks being subjective and open to opinion.
  4. Risk itself is the effect of uncertainty, arising from Culture and Conduct, on objectives. Uncertainty on something that itself is difficult to manage exacerbates the problem.
  5. The levers to manage and influence Culture and Conduct are not always obvious and the connection between the levers and the risk is often unpredictable and dependent on the individual.

3. What needs to be done?

We need to rise to the occasion and develop the capability to manage Culture and Conduct risk. At the Protecht Group, this is how we approach the challenge:

  1. Education
  2. Analyse and understand your Culture and Conduct Risk
  3. Setting the desired Culture and Conduct
  4. Measure and Monitor Culture and Conduct Risk
  5. Report on your Culture and Conduct Risk
  6. Determine and apply Risk Appetite for Culture and Conduct Risk
  7. Control, manage and influence Culture and Conduct
  8. Integrate your Culture and Conduct Risk Management into your overall ERM framework

1. Education

Achieve clarity and consistency across your organisation as to what Culture and Conduct Risk is. This needs to address clarity over the meaning and scope of:

  1. Conduct
  2. Risk Culture
  3. Culture Risk
  4. Conduct Risk
  5. Risk Culture Risk

Confused? That’s why education is important.

Protecht delivers a 6-hour course on “Measuring and Managing Culture and Conduct Risk”, available virtually either live or recorded on-demand.

Training: https://www.protechtgroup.com/en-au/risk-management-training

2. Analyse and understand your Culture and Conduct Risk

Analyse, understand and document your Culture and Conduct (Misconduct) Risks. At the Protecht Group, we use the Risk Bow Tie method to analyse and communicate risk.

Fig 2. Misconduct Risk Bow Tie Analysis - Inherent Risk (Source: Protecht.ERM system)

3. Setting the desired Culture and Conduct

Determine, articulate and communicate your desired Culture and Conduct. This should align with your strategy and objectives and be articulated across your values and commitments, code of conduct, policies, incentive schemes etc.

4. Measure and Monitor Culture and Conduct Risk

Be able to measure your actual culture and conduct on an ongoing and consistent basis. This is where a strong suite of metrics and a good risk system are critical. 

5. Report on your Culture and Conduct Risk

This is where the metrics must be turned into meaningful intelligence that is reported as part of your risk reporting using Culture and Conduct Risk Dashboards.

Fig 4. Example of a Risk Culture dashboard (Source: Protecht.ERM system)

6. Control, manage and influence Culture and Conduct

Understand how culture and conduct can be controlled, managed, and influenced. This requires a strong understanding of the drivers of culture and conduct risk. The Risk Bow Tie Analysis (refer Fig 1.) is critical for this understanding.

7. Understand how culture and conduct can be controlled, managed, and influenced.

This requires a strong understanding of the drivers of culture and conduct risk. Again, the Risk Bow Tie helps this understanding.

8. Integrate your Culture and Conduct Risk Management into your overall ERM framework

Build your Culture and Conduct Risk Management as an integral part of your Enterprise Risk Management Process rather than as a standalone, siloed capability.

To continue the conversation around this important topic, we have recorded a live webinar: Best Practices to Measure and Manage Risk Culture. You can access the video and transcription below.
