If culture is how you feel then how do you measure risk culture?
The Risk Professionals Weekly Newsletter
>6min reading time
If culture is how you feel then how do you measure risk culture?
13 May 2024
I once worked with a very smart Chairman who didn’t like the word culture. He called out that culture contains the word C.U.L.T. and trying to create a cult(ure) didn’t sit well with him. What he did say is he preferred the word atmosphere. You want to create the best atmosphere.
Think of it as when you walk into a place and the way it makes you feel. This is what you want.
If you’re not focused on risk culture this article explains some key actions you can take to measure, monitor and manage risk culture.
Framework
Larger organisations should have a documented framework describing how they want to manage and measure risk culture.
Some companies already formally manage overall culture with dedicated Culture Teams. Smart companies will make sure they leverage efficiencies to measure both risk culture and culture. Two teams, two processes, not talking to each other is inefficient.
Smaller organisations, you may not need a a standalone framework. Consider including how you manage risk culture in other key organisational documents.
But either way, you must understand your defined approach to managing risk culture.
Organisational surveys
Yes, most people hate these. But Executives love a good pulse check. And now Regulators expect surveys to be completed and actions created off the back of them.
If you run organisational surveys, ensure you have some metrics which relate to risk culture. Consider questions like these 4:
"How comfortable do you feel raising concerns about risks with your manager or team?”
"Do you feel adequately trained and supported to manage risks effectively in your role?”
"To what extent do you believe that risk considerations are integrated into decision-making processes at all levels of the organisation?”
"How well do you think our company balances risk management with pursuing new opportunities?”
Key risk indicators
Remember with metrics you don’t want to create any measures which can’t be measured.
Develop tangible metrics to quantify your risk culture. Think more broadly than incidents and issues. High attrition rates and low completion rates of mandatory courses can indicate a negative work culture which affects people decision making when it comes to risk taking.
Consider metrics like these 4:
Number of overdue risk actions
Audit findings closure rate
Mandatory training completion rate
Employee attrition rate
Reporting and awareness
Great you’re measuring risk culture but what does the organisation know?
You need to make sure the business knows what you are measuring and why. Communicating the results of these down through the organisation enables the business to develop plans to rectify areas where they are lacking.
Don’t just report up to Executive Management and the Board without also communicating down. Show some professional courtesy.
I recommend developing a risk culture dashboard or even better, integrate you risk culture dashboard within the overall Culture dashboard. If you have a team which already measures culture, figure out what they do and leverage them!
Training, training, training
Training is not just a fire and forget mandatory course on risk management.
Training can include presenting at team meetings, quarterly Town Halls, monthly All Ins. Don’t think training is something that has to be formal and in a room. Get creative and start talking about how risk needs to be managed within your organisation.
Stories are great. Use them. Just like I do when explaining the 3 Lines Model.
Risk embedment
This is your ultimate goal. If you can embed risk management into decision-making and reduce uncertainty, you are winning.
Focus on what you need to create an environment like this. Focus on making risk a strategic enabler and getting a seat at the table.
Measure the swing in your risk metrics and adjust or double down when you start to see positive movement.
Conclusion
Risk culture is like a garden. You need to tend to it. Remove the weeds. Water and feed the plants. And create an environment for growing.
To do this you need to have a clear understanding about your approach, measure the current state, develop actions to improve, report on the status and changes in risk culture and continually revise.
Often risk culture is not given the focus it deserves but by applying the above you can get your risk culture to flourish.
Closing Thoughts
The idea of risk culture being about the atmosphere and feeling when it comes to thinking and discussing risk resonates strongly with me. Although just as intangible, it strikes stronger emotional feelings when viewed this way. I encourage you to leverage this concept and see if it helps gain greater buy in and shift your risk culture.
Now, what would you do differently and what help do you need to get there?
If you enjoyed this article here are some others ways I can help you.
1 The Risk Professionals Weekly Newsletter
Join other like minded peers building out effective enterprise risk management functions. Every Monday morning I provide tips and strategies which you can start implementing straight away.
2 1-1 Consultation
Book a 60min call. Let’s discuss what is keeping you up at night.
There’s always a solution, let’s figure out what that is.
I’m here to keep Enterprise Risk simple.