Risk culture: getting beyond the plateau

Some ideas for creating a culture of continuous improvement

Many companies want to make continuous improvement in their attitude to risk. But what can be done if they reach a plateau, and progress stalls?

It is easy to see why this could happen. The initial impetus for change may be a new chief executive, or maybe a corporate failing that puts the company in peril. But the CEO’s energy may in time directed elsewhere; memories of disaster may fade. Risk management may once again become a box-​ticking exercise, and employees may start seeing rules as an impediment, to be circumvented where possible.

“Organisations are people, not machinery,” says Paul Butler, managing consultant at financial consultancy Catalyst. “People are not static. So your risk management needs to be continuously refreshed.”

Ideally, risk culture will be self-​improving, continuously evolving to anticipate changes such as new technology or shifts in strategy or the competitive landscape.

To get this culture embedded, the C‑suite must develop an understanding of the broader implications of strategic choices. Of course, profitability is a vital element in strategic thinking, but is it profitability at any cost? The past decade has seen recognition from both regulators and corporations that profit is not the only measure of success — but the exact balance between profits and wider responsibility is often difficult to discern.

One key to continuous improvement is continuous communication. A survey from Dutch consultants Axveco found that although senior executives in 69 per cent of companies had drafted a strategy around risk, this had been communicated clearly in just 39% of firms. And a single messaging campaign is not enough; it needs to be refreshed for new staff and to keep it top-​of-​mind for those who heard it first time around.

Measuring risk culture is difficult, but an essential first step. Both hard and soft metrics are important, and it is on the softer side that companies often fail – research by accountancy body ACCA found that boards had difficulty connecting softer factors to organisational performance and hence struggled to understand and address them. Staff are often judged on what they have done rather than how they did it – yet the latter may be more relevant to improving the corporate risk profile. Adaptive organisations, where employees are confident in speaking up and managers can react positively, are likely to be the most resilient.

Employee behaviour, interacting continually with systems and processes, is one of the defining factors for risk culture. An incentive programme can be used to nudge behaviour in the right direction; but only if you understand employee motivations and recognise differences. Money and bonus payments may not be key for everyone, and the incentive programme should reflect that.

“A lot of risk management training can be very dry,” points out Mr Butler. “Instead, it’s better if it is made experiential, by putting staff in the customer’s shoes. Yes, you should be building knowledge; but you need to move people beyond the rules to the point where they are in this not just for themselves or the shareholders but for the customer as well. It needs to be personal rather than numbers on a screen.”

Continuous improvement is perhaps best imagined as an upward spiral where risk culture assessment is followed by mapping discrepancies, prioritising and implementing changes – and then by risk culture assessment again, but at a higher level. As a company grows and develops, the risk profile and hence risk programme is likely to change; as business itself changes, the risk profile changes. Participants in 2018 research from the Institute of Risk Management cited disruptive and digital technology as a critical area of concern; the risk manager of a decade ago would have had a very different answer.

A risk manager who believes the job is complete has misunderstood the nature of the role. If your company has reached a risk culture plateau, maybe you need a new risk manager.