Assessing Risk Management Culture to Better Understand the Characteristics of ERM Programs

Monday, August 27, 2012

Michele Westergaard


The past 24 months have seen a number of man-made and natural disasters bring risk management demands to the forefront for executives and board directors.

Whether natural, such as the Japanese tsunami, or man-made, such as the Gulf of Mexico oil spill, these fat-tail disasters have created a renewed interest in enterprise risk management (ERM) practices.

Although demand for these practices is high and they are widely discussed inside the C-suite of many corporations and private enterprises, studies have shown a shortfall of both talent and practice in Western economies.

So, how can organizations ensure a culture of risk awareness is put into place?

“Get a commitment from senior management that encouraging a risk culture throughout the organization is a priority. Put together a communication strategy that can include newsletters, lunch-and-learns, speaking at head office and regional business meetings. Look at the gaps or challenges in your Risk Appetite and Material Risks for ideas on where to focus your efforts,” says Diana L. Graham, Chief Risk Officer at ResMor Trust Company.

Marcus Evans spoke to Ms. Graham before the forthcoming 2nd Annual Enterprise Risk Management Canada Conference, October 2-3, 2012 in Toronto, Canada. Within her role at ResMor Trust, she has built a successful internal risk culture involving individuals from every level of the organization. Key to this success is developing transparency across these risk buckets to enhance communication and minimize the risk of gaps falling through the cracks.

“Ideally, risk management would be included as a business stakeholder in budgeting decisions when areas seek to streamline operations resulting in the elimination or weakening of controls,” says Graham.

“Risk management should be an influencing stakeholder regarding certain compensation decisions, i.e., risk management targets in areas outside risk management and weighting of the risk management segment in balanced scorecards. Additionally, risk management should sign off on all new product/new business decisions,” says Graham.

Companies in Canada are in a unique position because they are at various stages of implementing enterprise risk strategies within their organizations. The key to successfully establishing an enterprise risk management (ERM) framework lies in the creation of risk appetite and tolerance levels across risk buckets.

“Canadian companies tend to be more conservative than those in the US, so there may be more of a foundation in place across the organization. Generally, I have found that there is a 'healthy tension' among stakeholders in Canada as opposed to that found in the US in building a risk culture,” says Graham.

While the need to incorporate the Board of Directors within the ERM framework is a global challenge, Canadian companies’ cultures are more open to implementing risk structures and processes at every level of the organization.

Diana Graham has been Chief Risk Officer at ResMor Trust Company since January 2010. Prior to this, she worked on behalf of the FDIC in the closure of US banks, and in senior risk management positions in large US and Canadian financial institutions. Ms. Graham received her MBA from New York University, Stern School of Business.

For more information, please contact Michele Westergaard at 312-540-3000 ext. 6625 or  

Horst Simon

To start the process of Risk Culture Building, an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation.

Various attempts have been made to do this, and generally most revert to some kind of questionnaire or checklist approach linked to a scoring sheet that is eventually tabulated to quantify an overall score, which is linked to a perceived level of maturity. In some cases organisations call in consultants who use an interview process combined with some of the attempts already mentioned; the outcomes are then debated and agreed upon by consensus with the client.

Although most inputs in any kind of culture maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes also fail to identify specific weaknesses or action plans.

There is also no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity; this in itself also contributes to most consolidated assessment results ending up at mid-point.

In an attempt to improve the accuracy of these kinds of assessments, a leading UK consultancy in governance has recently developed and launched an online assessment tool. The tool uses sets of questions focused on six operational areas within the risk management discipline (see Appendix 1 for detailed descriptions):

1. Policies
2. Processes
3. People and Organisational Design
4. Reporting
5. Management and Control
6. Systems and Data

One or more of the questions in each operational area is linked to a specific level of risk culture maturity in the defined 5 levels of risk culture maturity. The questions are not in any kind of sequence that relates to the different levels of maturity, and the user also cannot see the underlying mathematical calculations; thus the assessment process cannot be manipulated and the outcome cannot be predicted by the user.

Various combinations of reporting of the outcomes are produced, but the most important aspect, other than the accurate measurement of the level of maturity, is that by comparing the maturity levels in each of the six operational areas, the organisation can pinpoint the areas in which improvement is needed and focus their action plans accordingly.

The five levels of Risk Culture maturity have been defined in the assessment tool as follows (see Appendix 2 for detailed descriptions):

• In a bad risk culture, people will NOT do the right things regardless of risk policies and controls
• In a typical risk culture, people will do the right things when risk policies and controls are in place
• In a good risk culture, people will do the right things even when risk policies and controls are not in place
• In an effective risk culture every person will do something about the risks associated with his/her job on a daily basis
• In the ultimate risk culture every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation

The five levels of maturity in the six operational areas are underpinned by a set of guidance standards to support organisations in formulating their action plans. These guidance principles are built as a result of years of research, supplemented by reviews of most global risk management standards and guidance documents from a number of organisations.

Once an organisation has established the level of maturity in each of the six operational areas within risk management, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented; the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisation-specific and unique. Risk Culture Building is thus a process of change to instill new behaviours in the workforce, both the behaviours the leadership want to encourage and the behaviours they want to avoid.

Risk Culture Building is defined as the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk so as to mitigate, control and optimize that risk to the benefit of the organisation.

No two people will respond the same way to a situation of risk; the way any person responds to risk is influenced by a number of factors, the main ones being:

• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)

Risk practitioners have generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and the desired response are lacking.

An effective Risk Management framework must consider the behaviour, beliefs and values required to support the defined ERM processes.

Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

People Risk Mitigation

A key element in the overall Enterprise Risk Management Framework and an element very closely linked to Risk Culture Building is the mitigation of people risk.

The development path for Risk Management was focused on systems and processes; organisations failed to address the people issues in Risk Management. In managing Enterprise Risk, organisational and cultural issues ultimately pose greater challenges than the evolving technical hurdles that companies must overcome.

Over the past decade, risk management became more about quantitative models and less about behavioural models. Unfortunately, as we discovered during the recent financial crisis, even the best quantitative models cannot predict the result of misguided behaviour. Does your risk management process motivate or does it irritate your staff?

Companies in the UK spent GBP 5 billion in 2010 to buy the latest technology and systems, but many will fail to implement procedures that reduce the risk of human error and malpractice causing damage to their single most important business tool.

The People Factor is not a new concept; many researchers have referred to it and many articles and papers have been published, but no real action was taken by organisations to address this element. One can only ascribe that to the inherent subjectivity in the assessment of people risk and the difficulty of managing and controlling it.

Irrespective of how much time and effort we spend attempting to predict human behaviour and human error in risk-taking situations, the results will remain distorted views of the situations, as our perceptions of risk and perspectives on risk management are part of our individual make-up and directly related to our upbringing from the formative years, greatly influenced by our environment and shaped by our “lessons in life”, and no two people will respond in similar ways to a situation of risk. Let us then rather look at effective people risk mitigation.

Risk Management has a primarily human nature; loss number crunching and Value at Risk quantifications are nothing more than supporting tools, built by people.

My theory here is that we can still use the normal risk management process to manage people risk; we just need to change the starting point a few notches and start with Risk Mitigation instead of Risk Identification. Trying to identify and quantify people risk will take us nowhere; we must accept that it is too high and start work on solving the problem.

Successful mitigation of people risk rests on a five-pillar methodology:

• Leadership
• Actualization
• Spiritual Needs
• The Right Policies
• A Competency Framework

Implementing these five pillars of people risk mitigation will have a positive effect on building a good risk culture and a robust risk nervous system into your business. Remember, people will do the right things only because you built risk resilience skills into their psychology.

The biggest change is shifting organisations from having a rear-view risk focus based on historic data, past events and modelling to a forward-looking perspective of an effective risk culture based on pro-active risk mitigation, scenario analysis and risk optimization.