Risk audits and the problem of measuring culture

Measuring risk culture is difficult - but may be necessary to assess whether progress is being made

There were devastating consequences when an employee overrode computer warning signals on Alton Towers’ “Smiler” ride in 2015. A carriage filled with 16 passengers hurtled into an empty train; five were seriously injured. The park operator was fined £5m and is still facing legal proceedings.

It is a tragedy that exemplifies an organisation with a dangerous risk culture; a Health and Safety Executive report found that bonus payments were linked to staff achieving low levels of downtime, putting the engineer under pressure to restart the ride.

Risk audits are a tool that aims to identify exactly this kind of error in strategic thinking to improve the risk culture of an organisation. But how can something as intangible as culture be objectively measured? Paul Butler, managing consultant at financial consultancy Catalyst, says: “The problem with auditing risk culture is that it’s not black and white.”

“Sometimes there’s not even a clear definition of what a risk culture is.”

A 2018 report from accountancy body ACCA on risk and the role of leadership found that regulation and compliance — rather than more high-level, fundamental problems — are still the focus for many of the C‑suite. “People are not looking at strategic risk, but only at operational risk,” says Jo Iwasaki, head of corporate governance.

But many believe that only by addressing these higher-level concerns can real progress be made. If true, this means it is increasingly essential for companies to identify whether the corporate risk culture is adequate and, if not, work out how to fix it.

The finance industry, in particular, has been trying to grapple with this slippery concept — no surprise given that, ten years after a financial crisis fuelled by an unhealthy risk culture, regulators are still trying to get companies to address deep-seated problems.

The Banking Standards Board, established in 2015 to improve behaviour, has identified nine characteristics associated with a “good” culture. But in its most recent annual review it found only that banks were “moving in the right direction”. Such cautious and limited optimism may indicate how much is yet to be done — but at least it is a start.

“Measurement is the key,” says Mr Butler. “If you can’t measure it, you can’t do anything about it.”

To help, the Institute of Risk Management has created diagnostic tools such as its “risk culture aspects model”, but its 2018 survey of global companies found that interviewees were struggling to find appropriate tools for risk measurement, with spreadsheets still in primary use. It noted a “lack of maturity in the development of tools to support the risks”, demonstrating that companies still find it difficult to record and monitor risk culture consistently.

Mr Butler believes one critical factor for risk audits is independence. Ideally, risk audits would be carried out by external auditors who would be able to demonstrate the independence of their critical observations. At the very least he believes internal auditors should handle the job. But training may be required to ensure the auditors understand how to interpret soft data, such as monitoring meetings to assess whether all employees feel confident about speaking up.

Also, the audit is only one step in a process. “The danger is that once you have done an audit, everyone goes back to doing what they did before,” Mr Butler points out. “There should be a plan explaining how to support and work together.”

Only once measurable initiatives are in place can a company begin to determine whether its attitude to risk is changing, and catch any problems while still small.

But no one ever said it was easy; Barclays has been working to change its risk culture for several years, a process that gathered momentum after it was fined $2.38bn for forex rigging in 2015. Yet in December 2018, following another $15 million fine after high-level failings, a US regulator stated: “It appears that the cultural transformation that Barclays Group Compliance had been working hard to instil in the more than one hundred thousand Barclays employees worldwide, was not nearly complete.”