This paper, authored by John Michael Farrell and Angela Hoon, discusses how boards have taken an increasing interest in their companies’ risk management programs, while risk culture is an area of risk management that has only recently become a focus. To adequately address risk culture, it must first be defined. Risk culture is the system of values and behaviors present in an organization that shapes the risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose. Employees must also understand that risk and compliance rules apply to everyone as they work towards business goals. This understanding can ensure a company “does the right thing” and is a fundamental part of good ERM practices. For there to be a strong risk culture, employees need training to understand how to make educated risk-related decisions, which ensures consistent risk behavior in an organization.

Conversation about Risk Culture

A first step to establishing the importance of risk culture to an organization is beginning a conversation among boards and management regarding several key topics. First, a company should examine its “tone at the top” and “in the middle”. For risk culture to be changed, leadership must be the driver of that change. Senior and middle management also play key roles as they set the tone and influence the behavior of those around them. To promote a strong tone at the top, management at all levels should receive risk management education and training, follow the risk management policies of the company, and analyze decisions considering the company’s official risk policies.

Companies should also ensure there is effective communication around ethics and risk. Changing risk culture requires constant, consistent messages to employees that managing risk is a critical part of their daily responsibilities. Communication should involve working to continually improve how the risk function and business lines work together to ensure consistent risk information is shared across the business. Ethical behavior is a key component of a strong risk culture, and there is evidence of a substantial link between the existence of formal ethics programs and the ethical behavior of employees.

There are several other important components to successfully establishing the importance of risk culture in an organization. Employees should be incentivized to do the right thing, and incentive programs should be aligned to reward long-term prudent conduct that complies with the organization’s strategy and risk appetite. There should be a formal process to consider risks during decision-making so organizations have a consistent and repeatable approach that allows for an understanding of the impacts of risks and permits executives to feel comfortable with decisions made. Risk culture should extend outside the organization to third-party suppliers and partners to help ensure third parties are managing risks within guidelines or meeting their own risk standards. Organizations can also incorporate risk in the hiring process by gaining a sense of whether candidates will fit into the company’s risk culture. A strong risk culture in an organization means that employees know what a company stands for, the boundaries within which it can operate, and that they can openly discuss which risks should be taken in order to achieve the company’s long-term strategic goals.


ERM Enterprise Risk Management Initiative 2009-04-15