
Webinar Q&A: Best practices to measure and manage Risk Culture

Here you can find the questions and answers on the topics that were raised during the live session of the webinar: Best Practices to measure and manage Risk Culture.

Thank you to all participants for raising the questions below. We would also like to thank David Tattam, Nick Broome, Peter Walker and Gary Lynam for taking the time to answer the following questions. To watch the webinar recording, in case you haven't done so already, visit this page.

1. Kindly clarify what you meant by consequence management options for staff under managing risk culture?

Consequence management options for staff cover a range of consequence types, including both positive consequences for good risk management behaviour and negative consequences for poor risk management behaviour. These consequences may cover anything from impacts on incentive schemes (particularly remuneration) and impacts on promotions to more immediate day-to-day consequences such as positive recognition and negative reprimand. So these consequences may affect bonuses, affect pay rises, affect promotions and, very importantly, affect the KPIs of the person's performance. They also affect whether they are recognised as a leader and whether they are going to be recognised for some kind of award. The idea here is that we should have a range of options to motivate staff, both positively and negatively. The negative is a problem in HR, but fundamentally we have to have a range that gives both positive and negative reinforcement to drive culture.

2. Can the dashboard collate data from different size/sector/content business units?

Yes, the dashboard collates data from different (sized) business units and presents the group/enterprise-wide view. The baseline dashboard has been designed to be able to operate across differing sizes and industries. On a related topic, the baseline dashboard will be cascaded down to produce a risk culture score at a BU level; this is an enhancement we are currently working on.

3. How do you secure data when hosting on Amazon Cloud?

Securing data in the cloud is not a simple task; it is also something that is constantly evolving. We attack the cloud security problem from multiple angles. Our information security is accredited to ISO 27001:2013, which means we have implemented all controls required by the standard and are regularly audited against the standard. The next step is secure design, security testing and following best practice rules such as the AWS Well-Architected review. We work with our security partner to ensure we have covered all bases. In addition to this, Protecht implements technical controls such as firewalls, anti-malware, intrusion detection, intrusion prevention, DDoS protection, vulnerability scanning and logical separation, all designed to keep the bad guys out.

4. Our data resides in a range of organisational systems which don't all play nicely together. How is disparate data automatically populated / updated into the ERMS?

The modern approach to this problem is to use REST APIs. REST APIs provide data interchange for cloud applications (and non-cloud applications too). Protecht.ERM both provides and supports REST APIs for this purpose. Where there are legacy applications, the integration can be more difficult. Protecht offers a number of solutions such as Protecht.ETL (Extract, Transform, Load); for further details please contact the service desk.

5. How easy is it to export the Dashboard information into a report?

It's very easy, as all dashboards (and reports) in ERM are designed to be exported into various formats, including PDF and PowerPoint. In a lot of cases people export a dashboard into a PowerPoint, and each of the graphs can then be cut and pasted from the PowerPoint into a Word document, e.g. for a Board report.

6. Can you drill into the data in Excel?

The best way to export the data into Excel is by going to the underlying register that contains the dashboard data and downloading from there. You can then do the usual Excel things to the data.

7. How do we differentiate risk culture and risk maturity level? Is risk maturity level used to measure risk culture?

Risk culture is often used as a dimension in risk maturity assessments. There's so much work done on risk maturity, and culture is but one of the elements we look at in risk maturity. We've also got to think about systems, processes, reporting, coverage and so on. So our view is that they are connected, in the sense that risk culture should be part of any risk maturity assessment that you do. And it almost goes without saying that there is a very strong correlation between risk culture and risk maturity. We believe they are strongly correlated, but they're not exactly the same, and you should certainly have risk culture as part of your risk maturity assessment. Read the eBook A Practical Guide to Risk Maturity.


8. Are users able to set the weightings of the different components on the dashboard? Also, are they able to modify the algorithm, or is that fixed?

The algorithms, including the weightings between components, are fixed in the baseline dashboard so that we maintain consistency to allow future benchmarking. For those clients that go down the path of a custom-built dashboard, the weightings can be adjusted.

9. Is there a way to link the dashboard components/culture indicators to specific target culture values?

Yes, individual metrics and/or sections can be linked to target culture values. In developing the dashboard, the metrics were chosen for the behaviours they reflected. If you want to demonstrate this linkage and report progress against culture targets, this would require a custom version of the dashboard or alternatively exporting it into PowerPoint and reporting from there.

10. What drives the BI tool in the system? Is it an off-the-shelf vendor BI engine or a proprietary one developed for your system?

Protecht.ERM uses a third-party BI system, Inetsoft. It is fully integrated in ERM, so you do not need to buy it separately.

11. There's a huge focus on 'operational resilience' now from regulators. What is a 'resilient culture', and how can your dashboard help demonstrate this?

Thank you for a great question, and you are very right: it is an area of huge focus at present around the world. An organisation with a resilient culture is likely to take a proactive approach to the management of threats and risks and to maintaining the integrity of critical business services. Similar to risk culture, the tone from the top of the organisation will be very important to ensuring this culture is embedded within the organisation.

The Protecht Risk Culture Dashboard supports active oversight of resilience by providing management with a clear view of which business units are performing and engaging in risk-related activities in a timely and efficient manner. For example, open management actions which continue to extend beyond initial timelines, or key metrics linked to resilience processes which operate outside of appetite for consecutive months, are likely to be a leading indicator of a reactive resilience culture and are therefore worthy of management attention and challenge.

12. How do you address concerns over privacy and data protection in using camera, social media and email feeds?

There are obviously data privacy issues, both from a regulatory compliance perspective and from an ethical perspective. Above all else, whatever information we use for measuring and monitoring culture, we have to comply with that jurisdiction's data protection laws. In addition, we may consider ethical compliance, where we set our own internal "rules" about the use of data. We need the lawyers to be comfortable as we move to the more contentious data types and sources. It's interesting to note that one of the elements of conduct risk is inappropriate use of data, and that's not just legally but ethically. So I think that should override anything that we do.

13. Is there a 'risk' culture distinguishable and separate from organisational culture?

This is discussed in the webinar. We believe that risk culture is not separate from organisational culture. It is how organisational culture affects the risk management practice of the organisation.

14. Risk culture is strongly related to the behaviours of the people involved. How do you assess the alignment of behaviours which are the core of culture with the risk culture?

People's behaviours are the core of culture. Culture is what people do when no one is looking, i.e. their behaviours behind closed doors. Measuring culture is measuring behaviours. For the risk culture dashboard we are monitoring and reporting evidence of staff behaviours with respect to their interaction with and use of the risk system.

15. What is the minimum data period required for a meaningful risk dashboard?

We recommend having 12 months of data. At that point, you can get a picture of your risk culture and the opportunities for improvement. The comparatives will become more meaningful over the following 12 months, allowing you to start to identify trends and track progress.

What's Next?

Want to know how to improve risk culture using the Risk Culture Dashboard in Protecht.ERM?

Watch the full webinar recording on demand and see how the new Risk Culture dashboard offers a new perspective of your risk culture, tracks changes over time and visualises key areas you need to target:

Browse our latest webinars to learn more about other risk management best practices you can adopt and apply to your framework.

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.