[The material below is the work of an ad hoc IAA working group. It was produced in 2011 but never completed or published. RISKVIEWS is sharing so that this good work can be viewed.]
Culture is the combination of the behaviours of people in the company – often described as “the way we do things around here”. All organisations have a risk management culture. Risk culture is the shared attitudes, values and practices that characterise how a company considers risk in its day-to-day activities. For some companies, the risk culture flows from an explicit risk philosophy and risk appetite. The risk culture should support the goals, activities and desired outcomes of the company while mitigating the risks of not achieving those outcomes. Appropriate risk management behaviours may vary according to the organisation, the industry context, and the location of operations both within and across national boundaries, together with the resultant jurisdictional requirements. However, behaviours that inspire a culture of fear or retribution, that allow “shooting the messenger” or that help “bad news to travel slowly” are not likely to be conducive to good risk management.
Desired actions/features of risk management by category:
1. Each part of the company has its own risk language.
2. There is very little cross-discipline communication and discussion of risk and risk management issues.
3. Risk decisions are almost always made individually, without reference to any corporate goals or objectives for risk.
4. Responsibility for dealing with risks is unclear.
5. There is an expectation of negative consequences for those associated with any activity that makes unexpected losses.
6. There is a possibility of negative consequences for those who report bad news.
7. There is little discussion of past problems or losses either at the time or subsequently.
8. Senior Management and Board at best pay lip service to an idea that a company has a culture.
1. Company has a formal risk management program that follows an outside standard or requirement.
2. Company has not adapted that program to the specific culture of the firm in any significant way.
3. Risk management responsibility and discussion are concentrated with a small number of “risk management staff”.
4. Risk culture is acknowledged as important by senior management and Board.
Standard Practices:
1. There is a common specific risk language at the company.
2. Company has communication tools, cross-functional discussions about the management of risks, reporting tools and risk matrices.
3. There are common techniques for risk assessment and risk treatment methodologies.
4. There is a consistent point of view from the enterprise and business levels with regard to risk management.
5. There are common understandings of the corporate goals and objectives for risk management.
6. Company usually carefully reviews unexpected losses seeking to learn from experiences.
7. Incentive compensation schemes support the achievement of risk management objectives.
8. Risk culture is actively promoted by senior management and the Board.
Advanced – in addition to the Standard Practices:
1. Culture is reinforced by frequent communications and training programs, and by senior management and the Board being seen to act in line with the corporate risk culture.
2. The degree of employee knowledge and application of the corporate risk culture is periodically monitored.
3. The communications and training programs are updated in reaction to the monitoring inputs.
4. ERM thinking is automatically incorporated into all management decision making.