Guide To Risk Culture
RISK
CULTURE
Structure of the guide
Guide to risk culture
Introduction
Additional resources
Useful videos on the topic
Recommended reading
Introduction
Welcome to the RISK-ACADEMY's Guide on Risk Culture – an essential resource for
professionals seeking to understand and improve the risk culture within their organization. In
today's rapidly evolving business landscape, the ability to make risk-based decisions is
paramount to an organization's success. At the heart of this capability lies the organization's
risk culture – a complex and often elusive concept that can significantly impact an
organization's overall performance.
In this guide, we will delve deep into the multifaceted world of risk culture, providing you with
valuable insights and practical steps to foster a robust risk culture within your organization.
We will share case studies from a diverse range of industries, allowing you to learn from the
successes and challenges faced by other organizations in their quest to develop a strong risk
culture. The steps are simple and practical, trialed and tested by the RISK-ACADEMY team.
Whether you are a seasoned risk professional, an executive seeking to foster a culture of risk
awareness, or a newcomer to the field of risk management, this guide will serve as a
comprehensive resource and a valuable companion in your journey towards cultivating a
resilient and proactive risk culture within your organization.
Risk teams need to acknowledge the need for change and be willing to embrace the transition
from RM1 to RM2. This entails recognizing that the traditional risk management approach
might not be sufficient to address the complex challenges organizations face today. The risk
team should be open to learning new techniques, tools, and approaches that enable a more
integrated, proactive, and effective risk management process.
RM2 emphasizes the importance of risk management in the decision-making process. The
risk team should adopt a proactive mindset, seeking to understand business decisions and
their implications on the organization's risk landscape. This involvement requires risk
managers to be more assertive, confident, and articulate in presenting their findings and
recommendations to senior management and the board.
The transition to RM2 demands a higher level of technical competence from the risk team.
This may involve learning new analytical tools, such as Monte Carlo simulations, decision
trees, and scenario analysis. Risk managers should invest in continuous learning and
professional development to ensure they are well-equipped to handle the new responsibilities
and improve rather than deteriorate risk culture.
Effective risk management in RM2 requires strong collaboration and communication among
the risk team, business units, and other stakeholders. Risk managers should work to build
relationships with key decision-makers, establish channels for regular communication, and
create a culture of openness and transparency.
• Executive level: Understand what drives various executives and use that to gain their
support for promoting a risk-aware culture. For example, a CFO might be interested in
risk culture to achieve more accurate risk-adjusted forecasts, while a COO might want
to reduce operational risks. An HR director could be focusing on integrating risk
competencies into the overall education and skill development program.
• Board level: Seek support from independent directors or board members who
appreciate the value of a risk-aware culture in enhancing decision-making transparency
and providing additional information channels. These individuals can promote the need
for better risk awareness, risk-reward trade-offs and better risk-based decision-making.
• Auditor level: Collaborate with auditors to align risk culture practices used internally
with those expected by external auditors. Identify auditors who are interested in the
topic and may later help promote risk awareness and informed risk-taking.
• Regulator level: Engage with regulators to understand their expectations regarding risk
culture. Strive to synchronize your internal risk culture practices with what regulators
anticipate, fostering a smooth relationship and a shared understanding of risk
management. In return, help regulators understand your organisation's attitude to risk-taking
and educate them on quantitative risk management.
Securing the right champions for risk culture may be more art than science. While it's unlikely
that a risk manager will convince all board members or executives, it's not necessary. The key
is to have support from individuals at each level mentioned above, ensuring a robust and
resilient risk culture across the organization. By cultivating this culture, informed risk-taking
becomes a shared responsibility, ultimately driving organizational success.
Risk management KPIs should be integrated into the existing performance management
system, or better yet, existing KPIs should be made risk-based instead of creating separate
risk management KPIs. Encouraging employees to consider and disclose risks as part of their
decision-making process is crucial, but it doesn't come naturally to everyone. Implementing
and monitoring risk management KPIs for key employees can significantly improve risk
management maturity.
KPIs should be tailored to each role within the risk governance model. For example:
1. CEO KPIs could include:
• Improvement in the risk management culture rating
• Regularity and quality of risk disclosure to shareholders
• Achievement of risk-adjusted profitability and performance measures
2. CFO or COO KPIs might involve:
• Enhancement in risk management culture maturity
• Risk-adjusted return on capital (RAROC)
• Risk-adjusted cash flow and liquidity metrics
• The number of critical operational events, etc.
3. For employees, risk management KPIs may focus on:
• Timely and accurate risk analysis during core business processes or significant
decisions.
By establishing role-specific KPIs that emphasize risk management, companies can create a
risk-aware culture in which informed risk-taking is a shared responsibility, leading to a more
resilient and successful organization.
It's essential for risk managers to ensure that consistent risk management principles and
language are used throughout the organization. This alignment has been achieved at the ISO
Technical Committees level, with language in ISO9001:2015 and ISO14000:2015 consistent
with ISO31000:2018, so risk managers should follow suit.
A clever example from our research demonstrates how risk managers can promote risk
management adoption across an organization. In this case, a risk manager aimed to
implement risk management across 90+ portfolio companies in a large investment fund. Since
the company was a minority shareholder in most portfolio companies, implementation had to
be voluntary. Here are the steps taken:
1. The risk manager created an implementation pack and offered it for free to all portfolio
company CEOs. Only 1 out of 90+ responded, and the risk manager helped them set
the foundation.
2. A month later, the risk manager worked with internal audit to include risk management
questions in the annual compliance review questionnaire for the portfolio companies.
3. Six months later, most portfolio companies received non-compliance reports for lacking
or limited risk management.
4. Another month later, the risk manager once again offered the risk management
implementation pack for free. This time, over 65% of portfolio companies opted in.
Within just a year, the risk manager significantly increased the adoption of risk management
practices across the portfolio companies, establishing a more robust risk culture and making
informed risk-taking everyone's responsibility.
If at any stage you have a question, book a free call with Alex Sidorenko.
Additional resources
https://courses.dcroi.org/courses/alex-sidorenko
https://www.archerirm.com/insight-risk-academy
Useful videos on the topic
https://www.youtube.com/watch?v=gafKiRlLGb0
Book a free no obligations call
Saved more than $13 million per year in premiums on cargo,
Legal disclaimer and copyright notice
The information contained in this guide is for general informational purposes only and is not intended as
legal or professional advice. The guide is provided by RISK-ACADEMY and while we endeavor to keep
the information up-to-date and correct, we make no representations or warranties of any kind, express or
implied, about the completeness, accuracy, reliability, suitability or availability with respect to the guide or
the information, products, services, or related graphics contained in the guide for any purpose. Any
reliance you place on such information is therefore strictly at your own risk.
In no event will we be liable for any loss or damage including without limitation, indirect or consequential
loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in
connection with, the use of this guide.
Through this guide, you may be able to access other websites and resources provided by third parties.
RISK-ACADEMY has no control over the content of these sites or resources and assumes no
responsibility for them or for any loss or damage that may arise from your use of them.
RISK-ACADEMY reserves the right to make changes to this guide at any time without prior notice.
The information, content and format contained in this guide is protected by copyright. Reproduction of
any part of this guide, in any form or by any means, without the express written permission of RISK-
ACADEMY is strictly prohibited. The guide is for personal use only and may not be used for commercial
purposes or be distributed for profit.
By accessing and using this guide, you acknowledge and agree to the above Legal Disclaimer and
Copyright Notice.