Getting to grips with risk culture

A strong risk culture can make it more likely that people will make the right choices when faced with risk-related decisions, but a Risk Culture Survey QBE carried out in 2015 revealed that only 3 in 10 businesses felt that they had a positive risk culture embedded.

With all these factors in mind, we developed a practical Risk Culture Profiling Tool to enable our clients to evaluate their own risk culture against some 31 elements across seven core areas of risk culture: Leadership, People, Reward & Recognition, Communications, Operations, Product & Service Evaluation, and Continuous Improvement.

Findings so far

Our findings to date have provided us with much food for thought. Below we look at the three highest and lowest averaged ratings to consider where businesses strengths and weaknesses may lie and what action might be needed to improve ratings further.

Highest Average Ratings*
6.2 Risk Management Resources
6.0 Avoiding a Blame Culture
5.8 Understanding the Risk Management Approach

Lowest Average Ratings*
3.6 Risk Appetite & Tolerance
3.8 Risk Culture Incentives
4.0 Demonstrating the value of Continuous Improvement
* Highest and lowest average ratings based on a self-assessment scale of 1-7 across Healthcare and other Financial & Speciality policyholders

Review of Highest Ratings

Risk Management Resources: 6.2/7
As understanding of risk management has moved up the agenda and into more senior management conversations, and the appreciation of Enterprise Risk Management and its role in achieving long-term objectives (as opposed to merely controlling hazards) has increased, so, investment in risk management resource appears to have followed. Given that this is the highest rating thus far, this is likely to be reflected in both capacity and capability of internal resource, and the use of specialist expertise where needed.

Avoiding a Blame Culture: 6.0/7
This evaluation reflects the willingness to capture, report and effectively treat ‘failure’ events in a way that focusses on improvement rather than punishment, and trying to establish causative factors on why something went wrong, rather than who was ultimately responsible. When higher profile risk failure events come to light, the spotlight invariably comes to rest on management so improving the process is crucial. This rating would seem to indicate a good appreciation of this

Understanding the Risk Management Approach: 5.8/7
This rating considers training, awareness, learning and ongoing knowledge sharing about risk management within an organisation. Whilst this is the third highest rating so far, there is for the average rating to improve, perhaps by improved induction processes (generically and at departmental / technical level), availability of appropriate reference resources, regular briefing events on topical issues, or risk management achievements and indicators, and refreshers on key issues, strategy, policy or process.

Review of Lowest Ratings

Demonstrating the Value of Continuous Improvement 4.0/7
This rating most likely reflects the capability of those involved in risk management teams, including quality assurance and compliance, to demonstrate impact in financial or other terms that are likely to generate interest amongst senior management. It is interesting to think that the ability to improve any of the higher-rated factors discussed previously: risk resources; blame culture; and risk understanding, all may hinge to some degree on the ability to articulate the value of continuous improvement, so getting better at this will help on many levels.

Risk Culture Incentives: 3.8/7
From this result it appears that reward and recognition are still very much linked to other factors apart from risk management - most likely measurements of productivity, fee-income/turnover, and profitability. It could be argued that without managing risk effectively, such commercial targets and measures would not be achievable, but as these are often short-term measures, and effective risk management is aimed at the long-term sustainability of commercial success, indicators to assess application of risk management should factor more highly in reward packages.

Risk Appetite & Tolerance: 3.6/7
Indicators within this evaluation reflect how well the risk appetite framework is defined, understood, and applied throughout the business. This is the lowest rating of the 31 evaluations at the moment and would appear to be linked to having only informal definitions and general awareness of the risk appetite framework.

Summary

The higher rated factors all relate to the People section of Risk Culture Profiling Tool, reflecting perhaps a clear understanding that people and their behaviour, both individually and as group cultural norms, are critical to attaining a positive risk culture in any organisation. The lowest rated factors are spread across the sections on Leadership, Reward, and Continuous Improvement.