Enterprise Compliance Today

The “Risk Culture” Myth

Posted by Greg Carroll on Thu, Apr 24, 2014 @ 11:31 PM

Risk Culture is the greatest myth perpetrated on business since the Y2K bug. Just like Y2K, an industry has now grown up around it assisting companies to improve their “risk culture”. The problem with “risk culture” is that it has been hijacked from its original practical intent to now being an impossible (and unrequired) philosophical pursuit.

We need to bring discussions of “Risk Culture” back down to earth. Risk Management is just a management technique and therefore has to remain practical. From an early practical definition of risk culture of:

"the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation" (FSA 2006),

it has now morphed into this:

"the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation". (IRM 2012)

Can you believe that? Values and belief system! Sounds more like a religion than a management practice.

With over 30 years' experience working with the likes of Explosive Ordnance and Infectious Diseases Laboratory organisations, the concept of a value and belief system is laughable. People in these environments are acutely focused on safety and risk mitigation but fail most risk ideology definitions. They have little time for risk philosophies of “values, beliefs and common purpose”; instead they are outcome focused, relying on “awareness, attitude and behaviour”. Guess what? Their systems work, with performance statistics most other businesses would envy. By the way, I would argue that a “common purpose” Risk Culture is not desirable anyway, which I will cover in an upcoming article “Risk Culture vs Organisational Culture – The Hitler Diaries Case Study”.

Don’t blame “a poor risk culture” for rogue traders or corruption. Bad people do bad things regardless of the culture. No one in the corporate world really believes ripping off customers or shareholders is a good strategy. 

Bad behaviour in the workplace is the result of bad management and/or bad systems. 

Bad behaviour can only flourish out of the glare of oversight. It’s not a risk culture issue, it’s an accountability and visibility issue. Turning a blind eye is poor management, whether ignoring rogue traders or failing to notice extraordinarily good effort. A good enterprise risk management system delivers real-time information both up and down the management tree without overburdening anyone with trivial detail. Escalation should only occur when milestones aren’t met, or key performance indicators are out of tolerance.

The problem with trying to implement a “risk culture” is that unless it fulfils the corporate objectives it will be seen as what it is most of the time – lip service. Outside academia and chat rooms, philosophic attitudes toward risk are ineffective. Rewarding traders or managers for exceeding market averages is in direct opposition to instilling a safety-first risk culture. As we have seen in the financial sector, little has changed since 2008 regardless of Basel II/III. Regulatory control does not have much effect on risk culture if it does not support business objectives, i.e. increased profits/shareholder returns. Unless there are operating penalties on managers (e.g. loss of ALL bonuses) for exceeding risk thresholds, over-performance will always be the innate modus operandi. As if any business doesn’t want to maximise growth and revenues.

I believe this is a result of its unfortunate misnomer “risk culture”, instead of risk awareness, attitude and behaviour, which is easily confused with organisational culture. I refer to the original intent as an operational risk culture, as opposed to the philosophic risk culture cult of business soothsayers and those with vested interests who seek to build intangible belief systems.

An operational risk culture and organisational culture are very different. Obviously they will impact on each other (as is common in the field of risk) but they are characteristically different. Organisational culture relates to a value system (social responsibility, client focus, employee empowerment) whereas risk culture relates to a behavioural system (awareness and practices). A value system will take years to alter, but behavioural systems are capable of fast adaptation given the right leadership.

Risk attitude is not a value system but a management technique. Risk tolerance varies from department to department, product to product and role to role within the business. Risk-averse product development is as bad as risk-tolerant safety practices. What risk culture originally meant, before consultants got hold of it, was a working environment where risk awareness and practices are endemic through all levels of management, and there are systems in place that allow the open interchange of information throughout all aspects of the business to enable confident decision making.

Management have a direct and immediate effect on integrating risk awareness practices into operational behaviour, and they in turn need the tools to achieve that change in behaviour. In other words, it’s a Change Management issue.

As with any behavioural change, staff must be involved, not just preached at or "motivated". They have to be competent with risk-based decision making tools (which, like common sense, is not innate) and need positive feedback on the effect of their actions. A business where these practices are endemic would be considered to have a good risk culture regardless of whether it is a start-up or a long-established bank, yet their corporate cultures would be vastly different.

If confronted by one of the “New Age” risk evangelists rabbiting on about the need to change your “risk culture”, just ask them to name a company that has successfully achieved such a culture. Then go back to ensuring your staff have the awareness, attitude and behaviour (and tools) to fulfil your corporate goals. For those interested in achieving the latter, traditional view of "risk culture", next week in Part 2 I will detail my Roadmap to a Practical Risk Culture.

Tags: Best practices, risk management, risk culture