Case Study: Improving Risk Culture

Back to top

Risk management is a key component of every organization’s strategy and operations. Companies make important risk-based decisions every day.  At the forefront of such risk decisions are financial institutions. Improving risk culture allows a company to both raise awareness on how to better manage risk, and also to bridge the gap between management operations and organizational values.

In brief: 5 steps to create a sustainable risk culture

Infographic Improving Organizational Risk Culture
Infographic Improving Organizational Risk Culture

The Challenge

MIGSO-PCUBED was engaged by a federally regulated Financial Services company to provide Change Management Services in support of a company-wide business transformation program.

The program began as a response to recommendations and mandates from regulators. However, risk management had become largely control-driven and lacked consistent awareness among the employee base. Compliance with aggressive regulatory timeframes, competing project scopes, and changes in leadership each contributed to poor risk management. 

The change management initiative, therefore, focused on improving the understanding of risk culture across the organization and creating a foundation for a more sustainable culture going forward.

The Solution

For a transformation initiative centered around risk culture improvement, it is important to set up an effective structure – one that successfully nurtures, builds, and supports an environment for change, which, in turn, allows the organization to see and experience long-term benefits and continuous improvement.

Working directly with the Senior Management Committee and key stakeholders, the team quickly structured the business transformation program into six corporate workstreams that would each simultaneously deliver results. Each workstream’s output provided an understanding of current capability, an assessment of gaps against benchmarks, and a clear roadmap for change. 

With a structure in place, the team next set out to determine what aspects of their risk culture the client needed to specifically address.  With that, we will take a quick detour on risk culture and risk culture measurement.

What is a Risk Culture?

Risk culture is the values, beliefs, knowledge, and understanding about risk, shared by a group of people with a common purpose.”PMI, The ABC of Risk Culture. And, having a robust risk culture is important in more effectively managing risk.

"Risk culture is the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose."

Enterprise risk management includes identifying, assessing, and mitigating risks depending on both the risk tolerance and the risk appetite of the firm.  Whereas risk appetite is the amount of total risk an organization is willing to accept, risk tolerance is the day to day or transactional limit.

By raising risk awareness and understanding, a healthy risk culture aligns a company’s attitudes and behaviors with their business strategy. This ensures that the values and ethics of employees – around risk strategy, appetite, and tolerance – are aligned with those of the organization.

Key elements of a healthy risk culture include Knowledge and Understanding as well as Leadership, Respect, and Accountability.  To cultivate those values, you must also be able to observe the behaviors of Transparency, Communication, Awareness, and Motivation.

Elements of a Healthy Risk Culture
Elements of a Healthy Risk Culture

Bringing Risk Management into Focus

Bringing us to perhaps the most interesting aspect of this project – the focus on risk management and its integration to change management. You may wonder how an organization quantifies their risk management capabilities and overall risk awareness – basically how they conduct a risk culture assessment.

“There is no one good or model culture against which others can be measured and ranked, and no single template or checklist for firms to adopt.”

Within the Financial Services industry, the Banking Standards Board conducts an annual assessment with its member firms.  While it does not rank their culture directly, it does provide its member firms with feedback against key elements to help them manage their culture more effectively (image below).

Survey scores
Source: Banking Standards Board survey-scores-characteristic-2016-2018

In the same way, risk culture itself cannot be measured. However, an organization can measure its ability to demonstrate risk-related values and meet company objectives. That means an organization must first determine what outcomes are driven by values and behaviors, and then begin to measure them.

What values and behaviors contribute to effective risk management? How can these be measured or evaluated? What actions can an organization take thereafter to establish risk awareness?

Measuring Risk Culture Results
Measuring Risk Culture Results

To give you an example, with a strong risk culture, employees feel more empowered to speak up and escalate issues. In turn, an organization that encourages employees to raise concerns and issues might observe a decrease in their employee turnover rate.  They may also see an increase in the number of reported issues or a decrease in the number of integrity-related risks. 

Using an anonymous forum, a company may identify sensitive issues or gauge the number and severity of integrity risks. Using this data, the company can then organize its risk indicators into a dashboard to consistently appropriate and evaluate risk culture.

Implementing a Risk Culture Approach

Adopting this approach, the MIGSO-PCUBED change management team led the client through each of the 4 steps in the graphic below.  The team leveraged core Change Management tools and techniques beginning with assessing the current climate and analyzing in comparison to organizational expectations. The team then defined a set of tangible actions mapped to a change roadmap of short, medium, and long term actions to strengthen areas falling below expectations.  

Additionally, they established a robust governance and planning structure, and tailored communications to facilitate a more sustainable business transformation initiative.

Improving Risk Culture Approach
Improving Risk Culture Approach

The Benefits

In the short term, the MIGSO-PCUBED team has supported the client in building a company-wide and unified understanding of their corporate risk culture. Roles and responsibilities are better understood. Moreover, the client is observing greater risk awareness and more effective risk management practices. 

The client also has the means to assess and monitor their risk culture going forward in the short, medium, and long term.  This allows them to identify gaps and take action more proactively in driving risk culture. This highlights the longevity of the business transformation initiative long after its closure, as its outputs are fully integrated into the organization.

This article was written by Elaina Wheeler and Victoria Emslie.

Loved what you just read?
Let's stay in touch.

No spam, only great things to read in our newsletter.

Dog reading a book
Stay in the loop

Subscribe to our Newsletter

A monthly digest of our best articles on all things Project Management.

Subscribe to
our newsletter!

Our website is not supported on this browser

The browser you are using (Internet Explorer) cannot display our content. 
Please come back on a more recent browser to have the best experience possible