Case Study: Improving Risk Culture
Risk management is a key component of every organization’s strategy and operations. Companies make important risk-based decisions every day. At the forefront of such risk decisions are financial institutions. Improving risk culture allows a company to both raise awareness on how to better manage risk, and also to bridge the gap between management operations and organizational values.
In brief: 5 steps to create a sustainable risk culture
MI-GSO | PCUBED was engaged by a federally regulated Financial Services company to provide Change Management Services in support of a company-wide business transformation program.
The program began as a response to recommendations and mandates from regulators. However, risk management had become largely control-driven and lacked consistent awareness among the employee base. Compliance with aggressive regulatory timeframes, competing project scopes, and changes in leadership each contributed to poor risk management.
The change management initiative, therefore, focused on improving the understanding of risk culture across the organization and creating a foundation for a more sustainable culture going forward.
For a transformation initiative centered around risk culture improvement, it is important to set up an effective structure – one that successfully nurtures, builds, and supports an environment for change, which, in turn, allows the organization to see and experience long-term benefits and continuous improvement.
Working directly with the Senior Management Committee and key stakeholders, the team quickly structured the business transformation program into six corporate workstreams that would each simultaneously deliver results. Each workstream’s output provided an understanding of current capability, an assessment of gaps against benchmarks, and a clear roadmap for change.
With a structure in place, the team next set out to determine what aspects of their risk culture the client needed to specifically address. With that, we will take a quick detour on risk culture and risk culture measurement.
What is a Risk Culture?
“Risk culture is the values, beliefs, knowledge, and understanding about risk, shared by a group of people with a common purpose.” – PMI, The ABC of Risk Culture. And, having a robust risk culture is important in more effectively managing risk.
Enterprise risk management includes identifying, assessing, and mitigating risks depending on both the risk tolerance and the risk appetite of the firm. Whereas risk appetite is the amount of total risk an organization is willing to accept, risk tolerance is the day to day or transactional limit.
By raising risk awareness and understanding, a healthy risk culture aligns a company’s attitudes and behaviors with their business strategy. This ensures that the values and ethics of employees – around risk strategy, appetite, and tolerance – are aligned with those of the organization.
Key elements of a healthy risk culture include Knowledge and Understanding as well as Leadership, Respect, and Accountability. To cultivate those values, you must also be able to observe the behaviors of Transparency, Communication, Awareness, and Motivation.
Bringing Risk Management into Focus
Bringing us to perhaps the most interesting aspect of this project – the focus on risk management and its integration to change management. You may wonder how an organization quantifies their risk management capabilities and overall risk awareness – basically how they conduct a risk culture assessment.
Within the Financial Services industry, the Banking Standards Board conducts an annual assessment with its member firms. While it does not rank their culture directly, it does provide its member firms with feedback against key elements to help them manage their culture more effectively (image below).
In the same way, risk culture itself cannot be measured. However, an organization can measure its ability to demonstrate risk-related values and meet company objectives. That means an organization must first determine what outcomes are driven by values and behaviors, and then begin to measure them.
What values and behaviors contribute to effective risk management? How can these be measured or evaluated? What actions can an organization take thereafter to establish risk awareness?
To give you an example, with a strong risk culture, employees feel more empowered to speak up and escalate issues. In turn, an organization that encourages employees to raise concerns and issues might observe a decrease in their employee turnover rate. They may also see an increase in the number of reported issues or a decrease in the number of integrity-related risks.
Using an anonymous forum, a company may identify sensitive issues or gauge the number and severity of integrity risks. Using this data, the company can then organize its risk indicators into a dashboard to consistently appropriate and evaluate risk culture.
Implementing a Risk Culture Approach
Adopting this approach, the MI-GSO | PCUBED change management team led the client through each of the 4 steps in the graphic below. The team leveraged core Change Management tools and techniques beginning with assessing the current climate and analyzing in comparison to organizational expectations. The team then defined a set of tangible actions mapped to a change roadmap of short, medium, and long term actions to strengthen areas falling below expectations.
Additionally, they established a robust governance and planning structure, and tailored communications to facilitate a more sustainable business transformation initiative.
In the short term, the MI-GSO | PCUBED team has supported the client in building a company-wide and unified understanding of their corporate risk culture. Roles and responsibilities are better understood. Moreover, the client is observing greater risk awareness and more effective risk management practices.
The client also has the means to assess and monitor their risk culture going forward in the short, medium, and long term. This allows them to identify gaps and take action more proactively in driving risk culture. This highlights the longevity of the business transformation initiative long after its closure, as its outputs are fully integrated into the organization.
@ MI-GSO | PCUBED USA
@ MI-GSO | PCUBED USA
Loved what you just read?
Let's stay in touch.
No spam, only great things to read in our newsletter.
We’re committed to your privacy. MI-GSO | PCUBED uses the information you provide to us to contact you about our relevant content and services. You may unsubscribe from these communications at any time.