
In my earlier blog “What we can all learn from the APRA prudential inquiry report into the CBA” I noted that one of the strong themes of the report was the importance of “Challenge”. In fact, it is mentioned approximately 75 times including in the following recommendations:

  • Recommendation 7. The CEO ensure that the Executive Committee…. engages in constructive challenge and debate.

  • Recommendation 10. CBA ensure that business unit Chief Risk Officers have the necessary independence to provide effective challenge to the business. 

  • Recommendation 27. Senior leaders reinforce key behaviours of increasing self-reflection, giving and receiving constructive challenge and dealing with conflict effectively.

For those familiar with the three lines of defence model, the second line of defence, "Risk Management", has “Review and Challenge” as its key role. Read the article: Risk Governance and the Three Lines of Defence.

This blog takes a look at:

  • The meaning of challenge.
  • The importance of challenge in supporting strong risk management.
  • The reasons why challenge is so difficult in practice.
  • What a good challenge culture looks like and how it can be practically embedded within an organisation’s culture.

So – what does “challenge” mean? 

There are many definitions of “challenge” including: 

  1. A call to prove or justify something.
  2. A calling into question; a demanding of proof, explanation, etc.
  3. A questioning of a statement or fact; a demand for justification or explanation.
  4. A call to someone to participate in a competitive situation or fight to decide who is superior in terms of ability or strength.
  5. Make a rival claim to, or threaten, someone's hold on (a position).
  6. A call to engage in a fight, argument, or contest.

The common theme in definitions 1, 2 and 3 is to “test” a decision or position by asking for justification, explanation and proof. By contrast, the common theme in definitions 4, 5 and 6 is to contest, fight and compete. In terms of risk management, we are looking for the former, ideally without the latter.

Why is “challenge” important in supporting strong risk management?

The importance of a strong challenge culture based on the “testing” principle includes:

  • Ensures the robustness of process and thought and identifies any weaknesses/risks in the process or thought.
  • Identifies errors in process or thought.
  • Identifies deliberate bias, especially in decision making. This bias may, among other things, come from conflicts of interest. Bias and conflicts of interest will usually only be uncovered when the decision is tested (challenged).
  • Allows further questioning and thought to uncover additional information that might be useful for making better decisions.
  • Addresses unmanaged emotions. Humans are emotional beings. Many human-based decisions are influenced by emotions. We cannot eliminate them but they need to be appropriately managed. Challenge often highlights where they are not being appropriately managed.
  • Often opens more opportunities and a wider sphere of thinking, and builds a shared vision between those involved.
  • Best of all – challenge helps us learn and develop. A person who is closed to being challenged is losing a valuable learning experience.

Why is challenge so difficult in practice?

So, if a challenge culture is so effective, why do so few organisations have one? It is because we are human! Definitions 4, 5 and 6 above are aggressive, threatening and argumentative. This is unfortunately how many people deliver and receive challenge.

An act of being challenged is often met with the view that:

  • You don’t trust me?
  • I thought you were my friend.
  • You will ruin our relationship.
  • You are creating unnecessary conflict.
  • You are challenging my power and hierarchy – how dare you!
  • As you are attacking, I will be defensive.
  • Don’t challenge me, I already know it all. Anchored thinking is closing us to being challenged.

Some of the above reactions might be valid. It depends on how the challenger challenges. Some challengers:

  • Challenge aggressively.
  • Are adversarial.
  • Abuse challenge by using it for hidden agendas, power plays and personal reasons.
  • Make the challenge personal.

And finally, the culture of the organisation may make challenge more difficult, including:



  • The working protocols require too much bureaucracy and collaboration and so it is difficult to know who to challenge.
  • The local culture. There are many cultures where challenge is not seen as acceptable.
  • Often the risk function (the key challengers) has a weaker voice than the business, is less respected and has less stature. This makes effective challenge very difficult.
  • Challengers may be portrayed as troublemakers and be seen to progress less well in the organisation. Hardly a motivation to be a challenger!



The APRA prudential inquiry report into the CBA provides the following observation:

“There was not sufficient challenge from the Board to Group Executives. The feedback cited a somewhat ‘intimidating’ environment with a highly intelligent Executive team and a propensity for positive and assuring messaging from optimistic senior leadership that made constructive challenge more difficult.”

Because of the above reasons, a strong challenge culture is hard to find.  

What does good challenge look like and how can it be practically embedded within an organisation’s culture? 

The keys to a great challenge culture are:


01 Ensure that the correct meaning of challenge is promoted. This is one that “tests” the decision or position but does so without aggression, threat, fight or one-upmanship and without making the challenge personal. At Protecht, we often use the term “Hug and Challenge” (an emotional hug of course!). This ensures both the challenger and the person being challenged are on the same level and that the challenge is seen as non-threatening and for the good of everyone.

In the APRA report on the CBA, the key message is “I trust you (hug), but I’ll challenge you (challenge)” and “Show me, don’t tell me”.

02 The challenge culture must be promoted and practised from the top down. The tone from the top is critical. It is much easier for people to do what you do, not what you say. Challenge should become part of the organisation’s DNA.
03 Challenge should be actively encouraged and appropriately rewarded.
04 The value that challenge adds should be promoted. For all parties involved, this includes learning, protection, better decision making, better outcomes etc. Read the article: How to promote Risk Culture in your team.
05 The challenge culture should be explicitly written into values, policies and other corporate artefacts. 
06 Curiosity and inquisitiveness should be encouraged. Challenging the status quo and "rocking the boat" should be welcomed.

07 Provide practical guidance on how to challenge and how to be challenged. This might include such things as:

  1. Speak with candour
  2. Ask why? why? why? why? why?
  3. Show respect to others
  4. Don’t make things personal
  5. Keep on point

08 Practically implement tools and measures to support the challenge culture.




In the APRA report on the CBA, APRA commented:

“Trust was not validated through strong metrics, healthy challenge and oversight... the degree of trust needs to be continually tested and validated through appropriate metrics and constructive challenge.”

To support the above, there should be a formal process to evidence material instances of challenge or assurance conducted by Line 2. Below, as an example, is a “Material Challenges” register which documents the material challenges made by Line 2 to Line 1.


[Image: Protecht.ERM Risk Management, Challenge Register]

Source: Protecht.ERM - Challenge Register 

Next Steps

If you would like to know more about how Protecht can help you build a better 'challenge culture' and better risk management practices within your business through its training, consulting and software solutions, contact us today:

  1. Book a demonstration of the Protecht.ERM system.

  2. Call us for a chat on how we can help you. Phone:  +61 (0) 2 9098 5012. 
