Corporate Compliance Insights

The Importance of Risk Culture

by Jim DeLoach
May 26, 2015
in Risk

When objective parties, with the benefit of 20/20 hindsight, can easily see warning signs that something was wrong or wasn’t working, and executive management either missed or chose to ignore those same signs, it is fair to say that management had a blind spot. A culture that is conducive to effective risk management encourages open and upward communication, sharing of knowledge and best practices, continuous process improvement and a strong commitment to ethical and responsible business behavior.

Effective risk management doesn’t function in a vacuum and rarely survives a leadership failure. The risk management function can review, inform, advise, monitor, measure and even resign. It cannot control, decide or abort; that’s management’s job. Without an effective internal environment in place to ensure that adequate attention is given to protecting enterprise value, entrepreneurial behavior can run amok, completely unbridled and without boundaries or constraints. By “internal environment,” we mean the total package – the control environment, management’s operating style, the incentive compensation structure, a commitment to ethical and responsible business behavior, open and transparent reporting, clear accountability for results and other aspects of the organization’s culture.

Our premise is that ensuring an effective risk culture is an important task for executive management and the board. Unfortunately, despite its importance, risk culture is often either given lip service or simply ignored.

What Is Risk Culture?

Risk culture is the “set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution.” Developed in conjunction with research Protiviti conducted with the Risk Management Association[1], this definition applies to all organizations, whether public or private, for-profit or not-for-profit. Risk culture is the glue that binds all elements of risk management infrastructure together, because it reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operating processes. In effect, it is a look into the soul of an organization to ascertain whether risk/reward trade-offs really matter.

How Do We Evaluate Risk Culture?

Risk culture may be a formidable hurdle to improving risk management performance, whether management realizes it or not. Because risk culture often evolves as the organization evolves, it may make sense for organizations to use self-assessment techniques, internal surveys, focus groups and other techniques to understand the current state of risk culture in the organization by considering the following:

  • Tone of the organization – This term refers to the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Communications from the top have little impact if the organization’s employees see and hear a different message every day from the managers to whom they report. The greater the number of management layers in the organization, the greater the risk of incongruities in the respective tones at the top, middle and bottom. Likewise, the greater the risk of executive management being unaware of serious financial, operational and compliance risks that may be common knowledge to one or more middle managers and rank-and-file employees. Information is often distorted as it moves up and down the management chain, creating disconnected leaders.[2]
  • Physical mechanisms driving risk culture – These tangible mechanisms influence the tone of the organization and include many things comprising the risk governance structure, including corporate value statements, code of conduct and ethics programs, policies and procedures, risk committee oversight activities, incentive programs, risk assessment processes, key risk indicator reporting and performance reviews and reinforcement processes, among other things. They also include the risk appetite dialogue of the executive team and board, as well as the decomposition of risk appetite into risk tolerances and limit structures used day-to-day in executing the corporate strategy.
  • Internal attributes driving risk culture – These attributes include the attitudes, belief systems and core values that drive behavior and guide daily activities and decision making throughout the organization, particularly with respect to entrepreneurial pursuits. While not as easily “seen and touched” as physical mechanisms, they warrant careful attention. For example, behaviors around risk management and internal control accountabilities often manifest themselves in how people clear audit issues, address control weaknesses, escalate issues and resolve issues reported. The timeliness with which such activities are carried out provides powerful “tells” regarding an organization’s risk culture. So, too, does executive management’s reaction (or lack thereof) to warning signs provided by independent risk management functions.
  • External attributes driving risk culture – These attributes include regulatory requirements and expectations of customers, investors and others. The extent to which an organization seeks out these requirements and expectations and aligns business processes through actionable improvements reveals a lot about its resiliency.
  • Subcultures that might have an impact on risk management[3] – Multiple subcultures permit an institution, in response to a changing business environment, to be more agile in solving problems, sharing knowledge and serving customers in ways that a so-called unitary culture may not. On the other hand, they can also lead to rogue, risk-taking behavior that can ultimately harm the organization.
  • Relationship to overall culture – Risk culture does not operate in a vacuum. The overall organizational culture influences it in many ways, and some argue they are one and the same.

How Do We Improve Risk Culture?

As risk is about uncertainty in facing the future, it would seem logical that a desirable risk culture would position the organization to be proactive as an early mover that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options, either before anyone else or along with other firms that likewise seize the initiative. Such a culture would give management the advantage of time, with more decision-making options before shifts in the market invalidate critical assumptions underlying the strategy. Another example of a desirable risk culture might be one that maintains a healthy tension between the organization’s entrepreneurial activities for creating enterprise value and its activities for protecting enterprise value so that neither one is too disproportionately strong relative to the other.

Once an initial assessment of the current risk culture is completed, executive management should consider whether any organizational changes are needed and take steps to implement those changes as directed by the board. In transitioning to a desired risk culture, executive management should try to achieve the following:

  • Embed it in the organization – Risk culture should be effected through the firm’s overall risk governance process; otherwise, it becomes a nebulous appendage. To illustrate, accountabilities for risk management and desired risk management behaviors should be reinforced through committee charters, policies, job descriptions, limit structures, procedures and escalation protocols.
  • Make it a priority at the highest levels – Executive management must support the desired risk culture by demonstrating the desired behaviors through their actions and decisions over time, as well as by periodically communicating value contributed by the organization’s risk culture. For example, promoting a warrior culture, fostering a “star system” with little or no accountability, shooting the bearers of bad news, ignoring the warning signs escalated by the risk management function and making decisions that everyone can see are inconsistent with the desired risk culture all send the wrong message.
  • Undertake an integrated approach – Standing alone, such programs as periodic policy communications, awareness campaigns and training strategies are mere window dressing. When baked into a comprehensive program that aligns performance expectations, roles, responsibilities and compensation structures with appropriate risk taking, they reinforce critical aspects of the desired risk culture for employees.
  • Periodically evaluate progress – Monitor employee behavior for new trends, attitudes or perceptions requiring attention. Track quantitative and qualitative measures of an effective risk culture using indicators such as:
    • Level of executive management sponsorship
    • Line of business ownership of risk management
    • Effectiveness of risk committee and governance processes
    • Evidence that key business decisions take risk and solvency into consideration
    • Quality of board discussions on risk issues and escalated matters
    • Use of risk appetite statement and tolerances in decision making
    • Alignment and incorporation of risk into strategic planning and direction
  • Be alert for signs of change, for better or worse – As noted earlier, employee surveys and focus groups are examples of tools that can provide insights when evaluating risk culture. Reports from the independent risk management function and internal audit are other sources. Consider the effects of changes in strategy and the organization as well as the occurrence of external events, including regulatory developments, when evaluating whether changes are necessary to strengthen risk culture.

Every organization is different. That is why it is important to evaluate risk culture and make necessary adjustments to shape it over time in response to change.

[1] “Risk Culture: From Theory to Evolving Practice,” The RMA Journal, December 2013 – January 2014, Risk Management Association and Protiviti.

[2] “Boards Should Monitor the Tone at the Bottom,” Dr. Larry Taylor, NACD Directorship, October/November 2011.

[3] “Risk Culture: From Theory to Evolving Practice,” The RMA Journal, December 2013 – January 2014, Risk Management Association and Protiviti.

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
