Culture is the foundation on which every organization is built, and risk culture specifically underpins the success of your risk management. Culture also feeds your conduct – the foundation of your customer experience.
In our recent thought leadership webinar, Protecht’s Chief Research & Content Officer David Tattam and VP Risk North America Terry Lee considered the meaning of culture, risk culture and conduct, how they can be measured and managed, and how the building of risk capability is the key to success. This blog discusses the audience polls and the questions asked at the webinar.
If you missed the webinar live, then you can view it on demand here:
Almost two-thirds of those that recognize conduct risk report it or recognize it at board level. While it may differ by region, we expect that with recent focuses on conduct by regulators that this will increasingly be elevated to a concern that boards will want to see monitored and reported.
While some may have multiple measures, the most common is staff surveys. With this being the most popular, it is important to consider the design quality of those surveys. Are they focused on sentiment and what people think you want to hear, or do they focus on behaviors?
Over a quarter aren’t measuring it at all. A lack of measurement isn’t indicative that there is a poor risk culture, but there may not be a consensus of what the risk culture looks like – or perhaps a shared view of what the desirable risk culture is for the organization.
In contrast to the quarter that don’t measure risk culture, almost two-thirds don’t formally report on risk culture. This might be an indicator that some teams are measuring or attempting to address risk culture (perhaps the risk team or people and culture) may have taken on ownership or be driving these initiatives but aren’t reporting outside of their team. If you are in that position, consider how you can incorporate risk culture into broader reporting, whether management reporting, relevant committees, or board reporting. This may need to be supplemented by training and awareness of the importance of risk culture, and how it links to consistent achievement of objectives.
1. Are risk culture and compliance culture really different? Isn't compliance (regulatory or financial crime) another operational risk to be managed?
2. Does measuring the number of incidents discourage staff members from reporting them?
3. How can a strong compliance-driven culture best make the transition to a strong risk culture?
4. How would you rate a culture where staff raise and address incidents but fail to update the system and close them?
5. What type of metrics in risk culture reporting might succeed at flagging risks associated with conflicts of interest?
6. What HR metrics are used to measure culture? How do you measure the capability gap between desired and actual culture?
7. How long until culture creep typically starts?
8. How does risk culture relate to risk appetite?
9. Are there better outcome measures for risk culture than process-focused ones?
10. Do high-profile ethical failures in companies suggest futility in accurately measuring culture risk?
11. How do you start redefining the way staff think about risk?
12. Are there qualitative metrics linked to the quantitative?
13. How much weight is placed on surveys as a measuring tool for risk culture?
14. If conduct is a driver to a risk occurring, how do we add conduct risk and not overlap?
15. With regards to performance management, how do we ensure that our internal controls ensure sound financial management and public confidence?
16. Is live training more effective than digital training for understanding risk outcomes and processes?
17. How effective is exception management in helping to create a good risk culture?
Are risk culture and compliance culture really different? Isn't compliance (regulatory or financial crime) another operational risk to be managed?
At Protecht, we do consider compliance risk to be a sub-set of operational risk. However, we do see a different between compliance management and compliance risk management.
- Compliance Management – Managing compliance obligations.
- Compliance Risk Management – Managing risks that could lead to noncompliance.
Sometimes there can be a compliance culture that follows the rules at all costs – which might not be good risk management.
Does measuring the number of incidents discourage staff members from reporting them?
Great question. It depends on how the numbers are reported and used. If they are used as a ‘health’ metric so senior managers or executives know where to focus, it is achieving its goal. If they are used to blame people and look for scapegoats – and your people know it – then they will be discouraged from reporting them.
For example, I once worked in an organization that had an enterprise-wide feedback system, originally designed to improve the performance of individuals. One manager implemented an ‘individual performance target’ for maximum number of items of feedback in a month. It quickly undermined the effect, with people in the organization not wanting to report colleagues they worked closely with.
I spoke with a customer recently who rolled out training on incident management processes, and celebrated when the number of reported incidents went up. She told executives this is exactly the outcome that was expected and was evidence of improving risk culture.
How can a strong compliance-driven culture best make the transition to a strong risk culture?
Fantastic that you have a great compliance culture! One challenge with transitioning to a risk culture is that risk management may be viewed as a compliance activity itself. Make sure they don’t follow risk procedures for the sake of following them, but to achieve risk-informed decisions.
Another challenge is making sure they take enough risk or the right risks. Compliance is about following the rules – but sometimes those rules might not be designed to produce the right outcome. This starts moving us into the territory of conduct risk – you could be following rules and norms that are designed to be negative if you follow them.< Back to questions
How would you rate a culture where staff raise and address incidents but fail to update the system and close them?
At face value, the right outcome has been achieved, which is ultimately what is required. Assess the effect of the failure to formally close the incident – I’m going to guess it is mostly an administrative annoyance (I’ve been there).
However, if these failures influence reporting in a way that affects decision making, this may need to be made clear to those who are required to close those incidents. You might celebrate publicly the actions they took to address the issue, and (lightly) reprimand privately on closing out the incidents formally and finding out if there are any barriers to doing so.
What type of metrics in risk culture reporting might succeed at flagging risks associated with conflicts of interest?
This is topical given recent developments among the Big 4 advisory firms. You can report on a range of metrics related to conflict-of-interest disclosures:
- Disclosure rates
- Effectiveness of controls over specific conflicts
- Rate of abstaining from voting / involvement in decisions
This can provide a measure of those that have been disclosed, and how they may have been managed. However, they don’t surface conflicts that are not declared. This highlights the need for due diligence, commensurate with the risk. It also highlights another measure, which is clear training on the types of conflicts of interest – or perceived conflicts – that should be declared.
Care should be taken when linking risk scores (however calculated) to remuneration. This can lead to inaccurate reporting of risk and create the conflict you are looking to avoid!
What HR metrics are used to measure culture? How do you measure the capability gap between desired and actual culture?
Here are a handful of HR metrics that could be used to measure culture or inform an assessment about culture:
- Employee turnover / retention rates
- Training attendance
- Grievances and employee complaints
- Diversity metrics
- Staff survey results
These may be measures of broader culture than risk culture specifically.
To measure the capability, consider the desired culture, and the skills and capability you need to get there. This might be particular skills but should also consider an assessment of leadership and their ability to drive and embed the desired culture. You can then develop a roadmap to develop those capabilities.
How long until culture creep typically starts?
Culture creep is when culture is ‘set’ with some form of positive action but is then not maintained. When people see that culture is not being paid attention to – or behavior that veers too close to the edge is not called out – it can lead them to behaviors that are outside of desired culture. While it will always differ, and some leaders may remain champions of culture in certain areas of the organization, it can fall as quickly as six months.
How does risk culture relate to risk appetite?
They are intertwined but are different concepts. Risk appetite is about boundaries; risk culture is about how those boundaries are understood and acted upon. We've seen some recent spectacular failures where risk appetite looked good on paper, but the actions of people didn’t measure up.
Are there better outcome measures for risk culture than process-focused ones?
The ultimate measure is the sustained performance of the organization, the achievement of its objectives, and positive impact on stakeholders. The challenge is that poor culture can be dormant for a long time before those bad outcomes show up.
Some regulators around the world (and organizations themselves) are moving from sentiment surveys (“What do you think of our risk culture?”) to focusing on what is actually happening (“What happened the last time you reported an incident?”). This gets us closer to assessing whether the actual desired behaviors are evident in the organization.
Do high-profile ethical failures in companies suggest futility in accurately measuring culture risk?
The challenge of any measurement effort is that the measurements are proxies of the thing we care about. The art is in getting as close to the ‘actual’ as we can. The issue you’ve called out has driven some of the changes we are seeing in focusing measurements on observed behaviors. They act as both current indicators (what is happening) and as leading indicators (consistently observed behavior is likely to continue) – but like all types of risks, it isn’t a guarantee.
I would say it isn’t futile but highlights that efforts to measure risk culture (and act when needed) need careful consideration. Tone at the top is an oft-used saying, but that tone isn’t just about what leaders say, but what they do.
How do you start redefining the way staff think about risk?
Here are some key steps to redefine the way staff think about risk:
Understand by assessing how your people currently think about risk. It generally falls into the negative/hindrance, neutral/passive or positive/enabler categories. If you are in the latter, there is little work to do! But, if like many organizations it is the first one, it’s time to redefine! Assessment may be performed by a combination of surveys, competency assessments, interviews or observations and data on how existing risk processes and systems are used, engage with and spoken about.
Define how you want staff to think about risk – their attitudes to risk, how risk is considered in decision making, and risk-related processes to support outcome management. What does good look like? Very good sees risk as an opportunity as well as a treat and risk management as an enabler, not a hindrance.
Based on the gap, develop a training and awareness program, and deliver that program. This is where the change happens. Protecht is focused heavily on this in our Protecht Academy training programs where we begin every training session with the why? question to reframe risk management as outcome management and an enabler. Want to know more about Academy – contact us!
Monitor the program, measure results, and drive continuous improvement.
Are there qualitative metrics linked to the quantitative?
Qualitative assessments can be considered part of your risk culture assessment. These could be purely qualitative (comments and written assessments), or converted into a ‘score’ and integrated into other metrics. The approaches taken should be informed by how the information may be used, with the ultimate goal to use it to improve risk culture.
How much weight is placed on surveys as a measuring tool for risk culture?
This will vary depending on what else you measure, the quality of those measures, and the quality of your survey questions (of course, if you were going to reduce the weighting based on question quality, you should improve them).
Given your other measures, you need to consider which provide you the most objective information. If I had measures which more effectively measured actual behavior, I would weight those higher. However, if you capture written feedback from your surveys, these may provide additional insights.
If conduct is a driver to a risk occurring, how do we add conduct risk and not overlap?
Excellent question. We recommend the risk bow tie method, which separates causes (drivers), the main risk event (when it becomes out of your control), and impact (effect on objectives). There are a few options, which may be a matter of granularity:
- Capture misconduct as the main event. Once the misconduct has occurred, it has become out of your control, with interim effects until there is an impact on objectives (poor customer outcomes).
- Capture specific risk events (inappropriate consumer loan provided, promised discounts not applied) where misconduct is one of several potential causes.
- Capture the specific risk events, but categorize them as misconduct risks to enable aggregated reporting
Capturing risks and developing bow ties can be an art form. If the same cause is applied to many risks, it can be more practical to record it as a risk in and of itself. Consider whether someone may own that risk (or collection of related causes) and is responsible for ensuring sufficient controls are in place.
With regards to performance management, how do we ensure that our internal controls ensure sound financial management and public confidence?
This really comes down to four key aspects:
You get what you measure. Ensure that you performance metrics measure the right things around sound Financial Management and gaining and maintaining public confidence and ensure that those metrics cannot be game played. This aligns your incentive schemes to the desired outcomes.
Understand the risks that could lead to poor financial management and low public confidence. Once the key risks are understood, ensure effective controls are put in place and operating effectively.
The right culture and conduct are critical in ensuring both of these elements. Culture as a strong driver of sound financial management and conduct is a strong driver of public confidence.
The final key aspect is compliance, especially with your jurisdiction’s relevant consumer protection laws. Ensuring these laws are always strictly adhered to will lead to high levels of public confidence.< Back to questions
Is live training more effective than digital training for understanding risk outcomes and processes?
Our answer will be biased – we have launched our own digital training platform, Protecht Academy, covering a range of enterprise risk topics. We aimed to raise the quality of what digital risk training could look like, with high production values, interactive components, knowledge checks to confirm learning, and case studies to bring the training to life.
Of course, it will depend on what you are trying to achieve. When it comes to your specific culture and expected conduct, there does need to be some level of interaction. With more diversified workforces, a hybrid approach can be effective, where digital training is supplemented by town halls, meetings or additional live training more specific to your environment.< Back to questions
How effective is exception management in helping to create a good risk culture?
Exception management is really a detective control. Detecting an exception / anomaly and acting on it to rectify. As part of the rectification, the root cause needs to be identified using root cause analysis. Where one of the causes is human related, this can often trace back to poor culture. Where this is the case, the learning should then be used to improve culture to minimize the chance of the exception happening again. So – exception reporting is good, as long as string root cause analysis is performed and appropriate culture improvement responses taken where needed.
If you missed this webinar live, Protecht’s Chief Research & Content Officer David Tattam and VP Risk North America Terry Lee considered the meaning of culture, risk culture and conduct, how they can be measured and managed, and how the building of risk capability is the key to success. You can view it on demand here: