I have hope. Hope that my children (14 and 12) and their fellow Gen Zs and Gen Alphas will fix us. We are well on the way – the #MeToo movement and the exposing of horrendous conduct and a broken culture, both at an individual level yet often clearly supported at the corporate level, demonstrate changing expectations. Regulatory and social focus on misconduct in the financial services sector is a global movement.

From the FCA in the UK to the FED in the US and most other local regulators in between, culture and conduct are a top priority. The behaviours exposed by the Australian Financial Royal Commissions and the financial services regulator, APRA, have been used extensively globally, reflecting the fact that their findings were just as relevant to the global market as they were to Australia. This global regulatory focus has added much needed weight to this “movement”.

It is clear that parts of society, and much of business, have not been doing the right thing. Our conduct in many areas has been less than perfect. We need to improve and I believe society has the will to do that. My 12-year-old daughter is way more socially conscious than I ever was. She talks of becoming a Human Rights Lawyer, unlike me at the same age, when I wanted to be an Air Force fighter pilot!

Risk Management has an enormous role to play in fixing broken culture and conduct. Risk management has recognised this risk under the two Cs of Culture and Conduct.

To take two regulatory examples, the UK Corporate Governance Code requires a Board to "assess and monitor culture". In Australia, the Australian Prudential Regulation Authority (APRA) requires the Board of Directors to:

  • Ensure that they form a view of the risk culture in the institution

  • Understand the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite

  • Identify any desirable changes to the risk culture

  • Ensure the institution takes steps to address those changes

This article focuses on:

  1. What is Risk Culture, Organisational Culture and Conduct?
  2. What is Culture Risk and Conduct Risk?
  3. How can Culture and Conduct Risk be measured?
  4. How can the measurement of Culture and Conduct risk be used?
  5. How can Culture and Conduct Risk be managed?

1. What is Risk Culture, Organisational Culture and Conduct?

1.1 Risk Culture and Organisational Culture

Risk Culture is defined in many ways. To cite two examples:

Risk culture is the system of values and behaviors present in an organisation that shapes risk decisions of management and employees[1]

Risk culture can be thought of as the impact of organisational culture on risk management. A definition of organisational culture that is often cited is: ‘…a system of shared values (that define what is important) and norms that define appropriate attitudes and behaviours for organisational members (how to feel and behave)’. Risk culture is the application of this concept to the way an organisation takes and manages risk. Risk culture is therefore not separate to organisational culture.[2]

The first observation is that “risk culture” as a standalone concept does not exist. It is not separate from organisational culture. In simple language, culture is “What people really do around here” or “What people do when no one is looking”.

Organisational Culture is therefore the complete set of values, beliefs, practices and behaviours across all employees, from Board to the coal face.

Risk Culture is a subset. It is the aspects of organisational culture that impact the way risk management is practised and, as a result, how well the objectives of risk management are achieved.

1.2 Conduct

Conduct, on the other hand, relates to how we behave in relation to stakeholder outcomes, specifically customers but more widely, the range of external stakeholders.

Culture and Conduct are connected. Culture is the all-encompassing way our employees behave. Conduct is how that behaviour impacts our external stakeholders, specifically our customers. I have two teenage children. They have a certain culture around the house and with us, the parents (which I am sometimes struggling to understand!). This is the same as organisational culture. When we go out to a restaurant or visit friends, our focus is on their conduct and how external parties are affected by their behaviours. This is conduct.

Fig 1. Culture and Conduct

2. What is Culture Risk and Conduct Risk?

Once we understand Culture and Conduct, we can consider Culture Risk and Conduct Risk.

Culture Risk is the risk that our organisational culture will adversely affect the achievement of our objectives.

Conduct Risk is the risk that our conduct (the way we behave), either intentionally or unintentionally, negatively impacts customer (stakeholder) outcomes. A common definition is:

“the risk that firm behaviour will result in poor outcomes for customers”.[3]

If we focus on Risk Culture, we can then have “Risk Culture Risk” (now this is getting confusing!). This is the risk that our organisational culture will adversely affect the achievement of our risk management objectives.

3. How can Culture and Conduct Risk be measured?

In APRA’s requirements, “forming a view of the risk culture” requires some form of “measurement” of risk culture. At a practical management level, it is also easier to manage something if you can measure it.

Measuring culture involves measuring what people really do around here. People leave “footprints” which can be used to understand what they really do. These footprints might be in several forms including:

  1. Visual observation (e.g. noticed by others)
  2. Physical (e.g. damage to assets, theft of assets etc.)
  3. Images (the dreaded security camera!)
  4. Digital information

This gives rise to a range of possible ways to measure and track culture.

Fig 2. Range of culture measures

3.1 Gut feel

I used to be an auditor. I spent many hours in the auditee’s windowless basement with audit working papers and a green ticking pen. Then I realised that “audit” comes from the Latin word “audire”, which means to hear, and decided that I needed to listen and observe more. I then requested to sit with client staff as they worked. I spent some time going up and down in the elevators and loitering by the coffee machine. I learnt more in these times than from all the ticking put together. I was getting that gut feel for what was really going on at a client. The issue was the audit trail, so the gut feel then had to be investigated and backed up by evidence. Listening, observing and obtaining a gut feel is important, but we must support that feeling with more objective evidence.

3.2 Staff & Culture Surveys

Many organisations have resorted to the survey approach to measure and understand culture. We too include staff survey and culture survey capabilities within our Protecht.ERM risk system.

Fig 3. Examples of survey. (Source: Protecht.ERM System)

The issue with staff surveys is the level of objectivity in the response. Staff will often answer how they believe the boss wants them to answer. In addition, humans suffer all sorts of biases, anchored thinking, heuristics and the like. We are not exactly a reliable source of information.

On their own, surveys are not robust, but they can form a source of information that can then be triangulated with other information to form a much more comprehensive and robust measure of culture.

3.3 Risk-specific behaviours

This is based on risk management digital data / metrics. This is obtained from the organisation’s risk system(s). It is focused on gathering evidence of how employees are behaving with respect to their risk management responsibilities and accountabilities.

Some examples of useful metrics may include:

  • Number of attestations not entered
  • Number of actions overdue
  • Number of times actions have had due by date changes
  • Number of actions reopened once closed
  • Time taken to report an incident
  • Number of incidents not self-reported
  • Number of risks outside of appetite for an extended period
  • Number of risks outside of appetite without an agreed action

Fig 4. Example of a Risk Culture dashboard (Source: Protecht.ERM system)

3.4 Non-risk-specific behaviours

This is an extension of section 3.3 (Risk-specific behaviours) above, but now extended to cover non-risk digital data. This is information from other internal systems which provides evidence of staff behaviour. This could include information from such sources as:

  • The HR system
    - Level of sick days
    - Instance of staff bullying
    - Unforced leave
  • The IT system
    - Times logging in and out
    - Websites visited
    - Level of system activity
  • The security system
    - Times entering and exiting the building
  • The customer complaints system
    - Number of culture / conduct related complaints

3.5 External evidence of behaviour

The use of data external to the organisation obviously must consider the privacy laws and ethical issues that arise from this. I will leave that to the lawyers.

The external digital footprint of staff, as we know, is enormous. The use of this data can indicate their culture and behaviour across the full day. Already we accept that recruitment uses social media pages, insurance companies use evidence to deny fraudulent claims and so on.

How can we use this data (legally and ethically of course) to get a better measure of the culture and conduct of our staff?

3.6 Communication tracking

A large area of growth is developing in real-time and comprehensive tracking of organisation communications. This initially would most likely be written, such as email communications, but can also be voice based. The focus is to track sentiment: trends in the words that are used (positive and negative) and the volume of positive and negative communications. Again, we need to consider the legal and ethical position, but communications can provide invaluable insight into culture, including beliefs and values.

3.7 Bio scanning

This appears to be the leading edge so far. The use of bio scanners to detect human behaviours, whether it be excess flicking of eyelids, erratic movements or changed behaviour. This is the expertise of our border forces in identifying potential drug mules and other illegal behaviour.

All of this does sound like big brother but like it or not, we are already there in many other applications. We just need to harness the power and apply it to culture and conduct risk.

At present, we believe general market best practice is around level 3 (risk-specific behaviour) and for some moving to 4 (non-risk-specific behaviour). In more specialist fields and applications, we are seeing some evidence of the other methods and over time, we would expect to see these methods becoming more mainstream.

4. How can the measurement of Culture and Conduct risk be used?

Once culture and conduct can be measured, it needs to be turned into intelligence – the “so what?” question.

In order to do this, the culture and conduct must be bench-marked against the desired culture of the organisation, which in turn may be bench-marked against peer organisations and relevant external standards.

4.1 The desired culture of the organisation

The desired culture and conduct of the organisation need to be clearly identified and articulated. This is often manifested in organisational values and commitments. More specifically, it may be supported by codes of conduct and the like.

For risk culture, it would be the specific desired behaviour of staff in relation to their responsibilities and accountabilities with respect to risk management.

Some examples of such desired risk behaviour may include:

  1. Walking the talk, not just talking the talk
  2. Not trusting without checking
  3. Having strong and open communication, including speaking with candour
  4. Ensuring bad news as well as good news is communicated upwards
  5. Willingness to speak up and “if in doubt, call it out”
  6. Taking responsibility and being accountable
  7. Believing and speaking that risk management is an enabler rather than a hindrance
  8. Willingness to challenge and be challenged
  9. Making and evidencing decisions based on risk and reward
  10. Being curious and inquisitive and willing to challenge the status quo
  11. Following the principles and the spirit rather than just the law, and refraining from “game playing” the system
  12. Having integrity, demonstrating ethics, being honest and being authentic
  13. Motivating people with a carrot, not a stick

This targeted culture and expected behaviours should be clearly articulated and clearly communicated across the organisation.

4.2 Measuring the culture gap

Metrics should be identified for each desired culture characteristic. For each metric, an acceptable and unacceptable range should be identified. This would commonly be based on the Green, Amber, Red reporting used for Key Risk Indicators. This may include bench-marking against peers and market standards, where information is available. For example, for the “speak up” culture we could measure:

  • Average time between an incident occurring and it being reported
  • The number of incidents that were not self-reported

The measurement of our culture is then assessed against these thresholds. This highlights the gap that needs to be addressed and managed.
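As an added example (not the article’s or Protecht’s own code), the following Python takes the two “speak up” measures above together with three of the action-discipline metrics from section 3.3, computes them from constructed incident and action records, rates each against constructed Green/Amber/Red thresholds, and lists the metrics outside the Green range as the culture gap to be managed. The record layout, the threshold values and the function names are all assumptions; a real implementation would read the register from the organisation’s risk system.

```python
"""Culture-gap report from risk-system 'footprints'.

Added example, not Protecht code. All incident/action records and all
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    ref: str
    occurred: datetime
    reported: datetime
    self_reported: bool  # True if the accountable owner raised it themselves


@dataclass
class Action:
    ref: str
    due: datetime
    closed: Optional[datetime]  # None while the action is still open
    due_date_changes: int       # times the due date was pushed out
    reopened: int               # times the action was reopened after closure


@dataclass
class Threshold:
    """Lower is better for every metric here: Amber at or above `amber`, Red at or above `red`."""
    amber: float
    red: float


# Constructed sample data (assumption: an export from an incident/action register)
INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 11), True),    # 2 h
    Incident("INC-2", datetime(2024, 3, 2, 9), datetime(2024, 3, 4, 9), False),    # 48 h
    Incident("INC-3", datetime(2024, 3, 5, 8), datetime(2024, 3, 5, 18), True),    # 10 h
    Incident("INC-4", datetime(2024, 3, 6, 10), datetime(2024, 3, 10, 10), False), # 96 h
]
ACTIONS: List[Action] = [
    Action("ACT-1", datetime(2024, 3, 15), datetime(2024, 3, 14), 0, 0),  # closed on time
    Action("ACT-2", datetime(2024, 3, 10), None, 2, 0),                   # open, overdue
    Action("ACT-3", datetime(2024, 4, 15), None, 1, 0),                   # open, not yet due
    Action("ACT-4", datetime(2024, 3, 20), datetime(2024, 3, 25), 0, 1),  # closed late, reopened once
    Action("ACT-5", datetime(2024, 3, 1), None, 3, 0),                    # open, overdue
]
AS_OF = datetime(2024, 3, 31)  # reporting date for the overdue test


def avg_report_delay_hours(incidents: List[Incident]) -> float:
    """Average time between an incident occurring and it being reported."""
    hours = [(i.reported - i.occurred).total_seconds() / 3600 for i in incidents]
    return sum(hours) / len(hours) if hours else 0.0


def pct_not_self_reported(incidents: List[Incident]) -> float:
    """Share of incidents that were surfaced by someone other than the owner."""
    if not incidents:
        return 0.0
    return 100.0 * sum(not i.self_reported for i in incidents) / len(incidents)


def overdue_actions(actions: List[Action], as_of: datetime) -> int:
    # Only open actions past their due date count; late-but-closed actions do not
    return sum(1 for a in actions if a.closed is None and a.due < as_of)


def actions_with_due_date_changes(actions: List[Action]) -> int:
    return sum(1 for a in actions if a.due_date_changes > 0)


def actions_reopened(actions: List[Action]) -> int:
    return sum(1 for a in actions if a.reopened > 0)


def rate(value: float, th: Threshold) -> str:
    """Green/Amber/Red rating in the style used for Key Risk Indicators."""
    if value >= th.red:
        return "Red"
    if value >= th.amber:
        return "Amber"
    return "Green"


def culture_gap_report(incidents: List[Incident], actions: List[Action],
                       as_of: datetime) -> Dict[str, Tuple[float, str]]:
    """Metric name -> (value, rating). Threshold values are constructed assumptions."""
    metrics = {
        "avg_hours_to_report": (avg_report_delay_hours(incidents), Threshold(24, 72)),
        "pct_not_self_reported": (pct_not_self_reported(incidents), Threshold(20, 40)),
        "actions_overdue": (overdue_actions(actions, as_of), Threshold(1, 3)),
        "actions_due_date_changed": (actions_with_due_date_changes(actions), Threshold(2, 4)),
        "actions_reopened": (actions_reopened(actions), Threshold(2, 3)),
    }
    return {name: (float(v), rate(v, th)) for name, (v, th) in metrics.items()}


def culture_gap(report: Dict[str, Tuple[float, str]]) -> List[str]:
    """The metrics outside the Green range: the gap that must be addressed and managed."""
    return [name for name, (_, rating) in report.items() if rating != "Green"]


if __name__ == "__main__":
    report = culture_gap_report(INCIDENTS, ACTIONS, AS_OF)
    for name, (value, rating) in report.items():
        print(f"{name:28s} {value:8.1f}  {rating}")
    print("Gap:", culture_gap(report))
```

On the constructed data the report delay averages 39 hours (Amber), half the incidents were not self-reported (Red), two actions are overdue and three have had their due dates moved (both Amber), while only one action was reopened (Green), so four of the five metrics land in the gap. Each threshold should be set per metric from the organisation’s risk appetite and, where available, peer benchmarks, rather than taken from this example.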

5. How can Culture and Conduct Risk be managed?

In order to manage culture risk, which is highlighted by the gap between actual culture and desired culture, we need to understand the drivers of culture. What makes people behave in a certain way? Much has been written on this by experts way better than me. For example, some of the key drivers are commonly seen to be:

  1. Incentive schemes, both financial and non-financial
  2. Conflicts of interest
  3. Social norms within the organisation and social norms of employees
  4. External personal pressures
  5. Weak leadership
  6. Weak governance structures and unclear boundaries
  7. Lack of understanding and knowledge

This should be analysed for each organisation to understand the root causes.

Once the drivers of culture are understood, relevant levers should be identified as ways to influence, change and control culture and culture risk.

Typical levers to influence culture and culture risk include:

  1. Deliver a clear and strong mandate from board and senior management for risk management.
  2. Set a strong tone from the top, communicated through actions as well as words.
  3. Set up strong and aligned governance structures, including full alignment of risk management with objectives.
  4. Define well-articulated, easily understood and well-communicated risk appetite and tolerances.
  5. Train staff in the why of risk management and controls rather than “do it because I said so!”
  6. Encourage staff to be risk aware.
  7. Have clearly articulated risk owners, risk roles, risk responsibilities and risk accountabilities.
  8. Ensure an aligned and risk-based incentive scheme that covers a range of metrics and balances Risk with Reward.
  9. Provide and promote a safe and supported space for people to call out issues / concerns.
  10. Promote a universal challenge culture that supports challenge and challenge not being met with defensiveness.
  11. Keep risk management real. Have simple processes, words, methods and reporting.
  12. Demonstrate consistent behaviour and consistent response to risk behaviour across all staff regardless of seniority.
  13. Encourage continuous improvement and challenging the status quo.

It is clear that Culture and Conduct and their related risks are difficult to measure and manage. What is also clear is that Culture and Conduct risks are very real and have an enormous impact on the sustainable success or otherwise of an organisation. They need to be better managed.

There is a long way to go in maturing this area of risk management, but I believe the future is bright. We have the motivation; we have the social and regulatory drivers and, close to our hearts, we have the technology.

Unlike the abominable snowman, although culture and conduct is elusive, we all know it’s real and we are well on the way to capturing it and managing it, so as to maximise the positive impact it can make on our sustainable and rewarding futures.

[1] NC State University ERM Initiative Faculty, “Risk Culture of Companies”, 2009.
[2] APRA, “Risk Culture” Information Paper, October 2016.
[3] UK Financial Conduct Authority (FCA), “Retail Conduct Risk Outlook”, 2011.
