1. In light of the Hayne Royal Commission’s emphasis on culture, how can board directors assess the strength of their organisation’s culture, and conversely, identify warning signs?
I think that it is important to note that risk culture is not a new concept. Although, as the Royal Commission has demonstrated, there is room for improvement within Australia’s Financial Services industry; both APRA and ASIC have been engaging with Australia’s Financial Services industry on risk culture post the GFC.
APRA regulated entities have been required to implement CPS220 Risk Management and CPS510 Governance – both of which address risk culture. CPS220, in particular, requires an organisation’s Risk Management Strategy to describe “the approach…for instilling an appropriate risk culture”. Recently APRA announced its policies for 2019 and stated that it will be revising prudential standards across financial industry sectors to reflect the findings of the Royal Commission (i.e. findings relating to non-financial risk management).
ASIC, also, has risk culture and conduct as a key regulatory priority. Given these, some organisations should already have established processes and metrics for measuring and monitoring risk culture.
The obvious question then is: “how effective are these, in light of the Royal Commission findings, and what can be done to strengthen them?”
We see a variety of practices that can be used to assess risk culture - as you can appreciate, however, there is no “one size fits all” approach.
Post Royal Commission, we have seen organisations beginning to assess how culture overlays and integrates with the overall risk management framework and system within their specific organisation. From our experience, to look at risk culture in a vacuum is a danger and so it needs to be viewed in the context of the organisation as a whole.
2. What kinds of metrics should boards be using?
We always encourage clients to step back and look at their overall strategy and existing board and risk committee reporting structure, before diving into specific metrics.
Without a clear vision as to what you are trying to achieve and report against, you are potentially setting yourself up for failure from day one.
Once you have a view on the overall goals, the key is to develop a suite of reporting that covers multiple dimensions of the organisation, from both a financial and non-financial perspective to establish relationships and trends over time. This can be done in conjunction with existing risk reporting, Risk Appetite Statement limits and other qualitative data sources.
The ability to then capture trends and potential relationships between the data is key to measure progress over time, and also to identify any emerging risks that need to be mitigated.
As with any reporting, the underlying processes, data sources and controls that are in place to make sure that the reporting is complete and accurate is fundamental. All too often we see boards making decisions and placing reliance on reporting that is heavily manipulated and massaged before being reported. Therefore, there is a constant risk of incomplete and inaccurate data being presented. We are seeing more boards undertake reviews of their overall reporting framework, including making sure that the processes around reporting are suitably robust.
Once this foundation is set, then specific metrics can be investigated and in a post-Royal Commission world, the metrics are increasingly being focused around conduct and culture. These are increasingly multi-dimensional metrics (at a suitably disaggregated level) that are looking to capture internal process compliance with service level standards, overlaid with complaints data and sales staff and executive remuneration structures to form a 360-degree view of risk at a certain product/channel/line of business level.
3. Are there different types of “risk culture” and how do boards determine which one is right for them?
Of course, there is no "off-the-shelf culture" that organisations can choose from.
Risk culture, as a sub-element of organisational culture, is a complex qualitative component of an organisation. It is a combination of the organisation's history, strategy, values and tone from the top as well as the industry sector.
Even within an organisation there are bound to be serval subcultures, depending on the business unit and function.
This means that boards need to work with their management team to obtain and monitor various data points and indicators of culture over time, as it changes and evolves.
But the key element is first boards need to define what is the culture that they are looking to have within their organisation and, from a risk culture perspective, what is the risk appetite of tolerance that people need to abide by.
4. How should boards approach creating a methodology to monitoring risk culture?
We have been working with organisations to help them customise methodologies to suit their needs and unique circumstances. Often we hear that "a staff survey" is the answer, maybe adding a risk-related question to the end of a staff engagement survey, as a quick and easy way “tick the risk culture box”. We would recommend against this, as this will not provide the depth of information that is required to define and shape risk culture within an organisation.
A successful methodology needs to balance a combination of existing data points, both internally and externally, with obtaining employee perspectives and attitudes through surveys, focus groups and interviews. Then the process must allow synthesis of this information into a meaningful board report that can drive action over time.
Any methodology that is put in play needs to be dynamic, as and when specific internal and external factors change; organisations need to be comfortable to pivot their approach as needed - for example, through a merger or acquisition. There is little benefit in having the wait for a ridged annual staff engagement survey, as your only tool to measure risk culture.
5. You have previously said, “risk culture is not like typical policies or processes that you can design and execute, but a result of a series of trade-offs across a number of attributes”. What kinds of trade-offs are you referring to here? How do boards strike the right balance?
If in business you have an appetite to take no risk, then you will not be in business. So setting a risk culture is about understanding your organisation's risk appetite and profile to then allow for the processes, controls and organisational rituals to work within those boundaries. You don't want risk management to become a hand brake to your business’ goals and strategy. But, at the same time, you need to place some limits on what the expected boundaries are so people can navigate within them.