Why and how to reset your organisation's risk culture

To deal with the new face of culture and risk management, BDO’s National Leader, People Advisory, Jenine Waters and Partner, Risk Advisory Services, Mark Griffiths recently hosted a webinar for the Australian Institute of Company Directors. Here they share their insights.

Rethinking the importance of risk culture

Recent watershed moments in the business world have pushed discussions of culture risk to the top of the agenda for boards and leadership teams. Where previously there may have been a propensity to de-prioritise these discussions, recent events such as the COVID-19 pandemic, the royal commission into banking industry misconduct and the Human Rights Commission (HRC) inquiry into sexual harassment at work have highlighted just how critical it is to focus on a company’s culture risk right from the top.

Whilst inquiries and royal commissions have highlighted the need for a focus on culture, many organisations are starting to understand that the cost of a poor culture can be felt financially, from the direct link that risk culture has to performance and productivity through to the reputational damage sustained by organisations that prove themselves culpable in how they have treated their employees and/or their customers.

Despite the recent focus on regulators’ expectations, those organisations that invest in developing a positive culture are able to react effectively to crises and opportunities. Forward-thinking directors are using the strength of their organisations' internal culture and governance to persist through difficult circumstances, and the focus on these ideas has never been greater. In the past, culture was considered an isolated risk factor and the sole domain of the HR department. Now, culture has become the heart of risk management, and is high on the agendas of boards, directors and business leaders.

The organisations most able to react quickly at the outset of COVID-19, shifting to remote work and taking other HR measures to survive the impact, were the ones with the most well-developed cultures. During the following months, businesses embedded resilience into their practices and sought to keep their cultures from breaking down as they responded to each change and new challenge.

A starting point for any effective discussion on culture risk is to truly understand the balance between risk and opportunity and to develop a clear picture of how risk culture elements are playing out for your organisation.

Seeing opportunities alongside risks

The concept of risk and risk appetite is also starting to shift, with risk and opportunity management a concept on the rise. Boards are shifting their mindset and starting to consider ‘risk appetite statements’ as an enabler of business, innovation and decision-making, rather than holding the traditional view of risk management as a barrier and an unnecessary added cost to their business.

In the past, risk landscapes were revised once a year, if that. Now, businesses are taking a more frequent look at the future of risk, acknowledging that factors are changing too quickly for such a slow-moving strategy to be effective. Risk, culture and overall business strategy are more aligned than ever in the present landscape.

The risk rethink has also expanded to concepts such as technological resilience, tax matters, environmental sustainability and flexibility in the supply chain. Businesses are paying close attention to legal risks and liabilities, for instance making sure they are in compliance with the Modern Slavery Act.

People management, too, has become newly central to corporations' risk projections. A lack of agility in the workforce could now be seen as a liability, and flexibility regarding work conditions is an opportunity. Businesses that loosened their remote working policies during COVID-19 have realised there is value to be had from relaxing location requirements of permanent employees and consultants alike. New data such as this can immediately become a part of projections and strategies, reshaping the next steps for companies.

Risk beyond hard controls

Ensuring you have access to risk management capability that can understand, measure and shift more than just the hard controls and governance processes will be critical in helping organisations proactively manage their risk culture.

On a general level, organisational culture is affected by two types of controls. Businesses have traditionally turned to hard controls such as splitting up employee duties or setting levels of authorisation to manage their risk. Soft or ‘human’ controls, on the other hand, may be even more influential. These can be split into five general categories:

  • Leadership's decision-making and tone
  • Communication style and channels
  • Facilitation of employee success
  • Encouragement and motivation of personnel
  • Responsiveness to people management issues.

Organisations wanting to get serious about their culture risk need to start by understanding both their hard controls and soft controls and ensure that their risk management plans have factored in both.

As you start to build an understanding of the need for your organisation to create a culture shift, you may want to read our article on 'six steps to building great culture' to get you started.

Motivated by two key business impacts of the COVID-19 pandemic (a new attunement to the effects of risk and a reset in the way workforces are managed), boards are showing a readiness to embark on these changes. The positive impact of such a journey can be considerable.

Contact Jenine or Mark for a more in-depth look at these essential concepts for leaders.

BDO Australia is a longstanding partner of the AICD.