The Importance of Risk Culture in an Organization (Hint: It’s Everything!)

Posted: 06/28/2018 - 02:55

At a recent conference on risk in London, I was pleasantly surprised to hear a topic come up that doesn’t get enough attention: the importance of culture in an organization. This culture discussion goes far beyond office behavior, dress codes and team-building exercises; rather, it ties directly to an organization’s tolerance for risk.

Corporate culture has long been in the regulatory limelight. In the UK, the Financial Conduct Authority (FCA), the UK’s counterpart to the Office of the Comptroller of the Currency (OCC), has had business culture and people behavior as a central part of its regulatory policy since 2008.

In the US, the OCC’s 2016 publication, “Corporate and Risk Governance,” provides good guidance for any industry on the importance of culture in an organization. The bulletin observes that a responsible corporate culture and a sound risk culture are the foundation of an effective corporate and risk governance framework, and that they help form a positive public perception.

In a recent article, “The FCA and UK Banking Culture,” Peter Andrews, former Chief Economist of the FCA, suggested that “poor culture played a significant part in the financial crisis” and that it is a root cause of many organizations’ failings. Andrews identified culture as “both a major driver and potential mitigant of risk.” He concluded that he would like to see that “firms’ senior management lead and foster a culture that has the fair treatment of customers and market integrity at its core.”

Some tough questions need to be asked for an organization to get a gauge on its own culture and to thoughtfully analyze it, such as:

  • Do we have proper codes of conduct? This is not simply a reflection on how employees around the office individually conduct themselves; it is about how the business units are guided to conduct themselves and therefore the overall conduct of the organization. Proper codes of conduct breed a strong culture of how the organization carries itself within the industry and within the larger community. Additionally, these codes of conduct and attitudes carry over into what the organization treats as permissible in how it runs its operations and in the various activities it pursues to establish or grow itself.

  • Do we promote a culture of compliance and hold all employees, regardless of their position, to account? We need to ensure employees are working in good faith to comply with both their organization’s and business unit’s policies, procedures and standards, and are not afraid to question or offer suggestions for improving these key foundational points of organizational culture.

  • Do we have a whistleblower policy that is communicated regularly to all employees? No employee in any organization should be afraid to bring unethical or non-compliant matters to light. Providing a pathway for such communications and protecting an employee’s anonymity are paramount to mitigating coercion and ensuring any questionable matter is properly addressed.

  • Do we promote a culture of sustainability? This can take many forms, but overall a culture of sustainability is about employee sustainability. Organizations need to be introspective about understanding and meeting needs for staffing requirements, talent, ability, diversity and their overall work environment.  

  • Do we promote a culture of competency in our staffing? The organization should allow for continuous education to ensure staff are competent with the latest tools, techniques and strategies deployed within the organization and the industry. The organization should also provide adequate funding for training and education.

  • Do we have incentives aligned to the current culture, rewarding those who do follow the rules? Following the rules should be more than a mantra; it should be part of what employees are expected to do, and it should be monitored and compensated. Any bad actor in an organization can lead to what befell Wells Fargo and Barclays: a crushed company reputation and, more importantly, a demoralizing environment for employees.

  • Do we adjust our risk appetite based on culture? This is generally performed at the board level by considering the expectations of shareholders, regulators and any additional stakeholders. Consistency with the company’s culture, along with the capacity of the organization to manage the risks inherent in its business activities, is also key. Ernst & Young (EY) recommends that organizations look at reactions inside and outside the company to recent risk events to determine the true appetite. EY further recommends that, if appropriate, the organization test the risk appetite among the board and executive management through scenario exercises that focus on possible risk events.

  • Do we perform a periodic self-assessment or audit to see how our culture is doing? It’s a good idea to engage your audit, compliance and risk organizations to see if the tolerance of risk is in alignment with the culture of the organization. As business moods change, a mechanism should exist to periodically gauge and perhaps alter the temperament of the risk culture. Are we too liberal in our risk policies? Too conservative? Such observations then need to be brought back to the board for its analysis and commentary and, if adopted, its push to management to make it so.

  • Are accountabilities clear within the organization? Rod Farrar, Director of Paladin Risk Management Services and a subject matter expert in dealing with organizational risks, noted in his blog (found at Paladin Risk Management) that there are three distinct ownership categories: the risk owner, the control owner and the treatment owner. He notes that the “risk owner” is responsible for the oversight and the day-to-day management of that particular risk, watching for any changes to the risk. The risk owner also monitors the effectiveness of the control environment. Next, there is the “control owner,” who is responsible for making sure the controls are effective and who measures that effectiveness using key performance indicators against the particular control. Lastly, there is the “treatment owner,” who is responsible for implementing the solutions that have been designed as part of the management of that risk, including those that are “above and beyond” the controls already in place. He further added that each owner has accountability for making sure their respective components are effective, and that a breakdown in any of these indicates a system failure: “There is no such thing as a one-cause failure, it is a systemic issue and so how can the risk owner be held accountable for what occurs?”

It is the job of everyone within an organization to periodically question or even challenge its risk culture, but any resulting change, even if it is not radical, can only be established and driven from the very top and promulgated down through the organization. It is important to realize that as your primary and ancillary markets change, your organization’s attitudes to risk may need to change as well.



About The Author


Shared Assessments Senior Director and CISO Tom Garrubba is an internationally recognized subject matter expert, consultant, lecturer, author, and instructor for the Certified Third Party Risk Professional (CTPRP) program. Previously, Tom was Senior Privacy Manager at a Fortune 10 healthcare company, where he implemented and managed its vendor risk program. He has over 20 years of experience in IT security, privacy, audit, and risk and compliance in various industries and public consulting. You can connect with Tom Garrubba on LinkedIn.