In my earlier blog “What we can all learn from the APRA prudential inquiry report into the CBA” I noted that one of the strong themes of the report was the importance of “Challenge”. In fact, it is mentioned approximately 75 times including in the following recommendations:
For those familiar with the three lines of defence model, the second line of defence "Risk Management" has as its key role, “Review and Challenge”. Read the article: Risk Governance and the Three Lines of Defence.
This blog takes a look at:
There are many definitions of “challenge” including:
The common theme in definitions 1, 2 and 3 are to “test” a decision or position by asking for justification, explanation and proof. On the contrary, the common theme to definitions 4, 5 and 6 is to contest, fight and compete. In terms of risk management, we are looking for the former, ideally without the latter.
The importance of a strong challenge culture based on the “testing” principle includes:
So, if a challenge culture is so effective, why do so few organisations have one? It is because we are human! Definitions 4, 5 and 6 above are aggressive, threatening and argumentative. This is unfortunately how many people deliver and receive challenge.
An act of being challenged is often met with the view that:
Some of the above reactions might be valid. It depends on how the challenger, challenges. Some challengers:
And finally, the culture of the organisation may make challenge more difficult, including:
"There was not sufficient challenge from the Board to Group Executives. The feedback cited a somewhat ‘intimidating’ environment with a highly intelligent Executive team and a propensity for positive and assuring messaging from optimistic senior leadership that made constructive challenge more difficult.”
Because of the above reasons, a strong challenge culture is hard to find.
What does good challenge look like and how can it be practically embedded within an organisation’s culture?
Ensure that the correct meaning of challenge is promoted. This is one that “tests” the decision or position but does so without aggression, threat, fight or one-upmanship and without making the challenge personal. At Protecht, we often use the term “Hug and Challenge”, (an emotional hug of course!). This ensures both the challenger and the person being challenged are on the same level and that the challenge is seen as non-threatening and for the good of everyone.
In the APRA report on the CBA, the key message is “I trust you (hug), but I’ll challenge you (challenge) and “Show me, don’t tell me”.
|02||The challenge culture must be promoted and practiced from the top down. The tone from the top is critical. It is much easier to do what you do, not what you say. Challenge should become part of the organisation’s DNA.|
|03||Challenge should be actively encouraged and appropriately rewarded.|
|04||The value adds of challenge should be promoted. This includes for all parties involved: learning, protection, better decision making, better outcomes etc. Read the article: How to promote Risk Culture in your team.|
|05||The challenge culture should be explicitly written into values, policies and other corporate artefacts.|
|06||Curiosity and inquisitiveness should be encouraged. Challenging the status quo and "rocking the boat" should be welcomed.|
Provide practical guidance in how to challenge and how to be challenged. This might include such things as:
|08||Practically implement tools and measures to support the challenge culture.|
In the APRA report on the CBA, APRA commented:
“Trust was not validated through strong metrics, healthy challenge and oversight... the degree of trust needs to be continually tested and validated through appropriate metrics and constructive challenge."
In order to support the above, there should be a formal process to evidence material instances of challenge or assurance conducted by Line 2. Below, as an example, is a “Material Challenges” register which documents the materials challenges made by line 2 onto line 1.
Source: Protecht.ERM - Challenge Register
If you would like to know more as to how Protecht can help you build a better 'challenge culture' and help build better risk management practices within your business through its training, consulting and software solutions, contact us today:
'Subscribe now to the Risk Management Insights Blog and receive articles like this in your Inbox once a month.'
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).