Every once in a while, we all encounter confusing words and phrases that only experts can understand. One such example of this in action came to light in a recent conversation with a company.
This particular organization was inquiring about a risk culture audit, which sounds like an excellent idea when you consider how many regulators, especially in the financial sector, are taking a closer look at a company’s “risk culture.” However, over the course of the conversation, I realized the company was talking about assessing cultural risk, which is something much different.
What on Earth could be so different about risk culture and culture risk?
Aren’t they just two peas in the same pod or two sides of the same coin? On the surface, you wouldn’t think there’s much of a difference, but as you’ll discover in the following paragraphs, there actually is.
Just like the order of operations we learned about in math class way back when, the order in which you read words matters.
Before exploring the differences though, one similarity both risk culture and culture risk share is that neither can be done until management establishes a baseline or “ideal” of the organization’s culture.
With that said, let’s metaphorically roll up our sleeves and dig into these concepts and how organizations can use them to better manage risks, manage opportunities, and ultimately accomplish its goals.
Culture risk assessment – a surface level evaluation of behaviors and outcomes
Culture risk considers what behaviors or cultural issues will pose a risk to the organization achieving its goals. More specifically, culture risk examines the likelihood that culture will differ from what’s desired due to inherent pressures in the environment and/or ineffective mitigation of these factors.
In the image above, a culture risk assessment is only concerned with the breadth, or the viewable parts of the iceberg. The way I described it is a shallow but broad assessment of culture across the entire organization.
A culture risk assessment is usually handled internally by the risk team in coordination with executive management.
This assessment looks across the organization to reveal and highlight where troublesome behaviors may be occurring. The typical approach for assessing culture risk(s) consists of surveys, data, behavior observations, and any other method that fits the organization’s needs.
Since a culture risk assessment is surface-level in nature, it is not considered a good tool for understanding if observed behaviors are the norm or if they’re isolated incidents, nor is it helpful in determining any systemic drivers.
Risk culture audit – examining corporate behavior norms on a deep level
Broadly speaking, culture consists of shared perceptions on what constitutes “correct” behavior in an organization. In the risk context, culture refers to normal behaviors that can help or hinder an organization’s risk management.
If a culture risk assessment looks at the entire organization only at a surface level (visible part of the iceberg), a risk culture audit is examining both the breadth and depth (both visible and non-visible parts of the iceberg) of risk culture in the organization.
A risk culture audit is handled by a party independent of management, whether the internal audit department or a third-party.
But shared perceptions of the “ideal” culture doesn’t automatically mean culture will be uniform throughout the organization.
Horst Simon succinctly explains this concept when he states:
An effective risk culture is not a matter of risk assessment or level compliance; it is a matter of individual ownership of risk and personal “conviction” – a state of mind where human beings own the risks and the process of managing those risks through making well-informed risk decision because they want to, not because they have to.
Previous articles on the Wells Fargo and Commonwealth Bank of Australia scandals illustrate how poor risk culture can lead to devastating consequences.
As the name implies, a risk culture audit is a comprehensive and objective evaluation of the company’s behavioral norms when it comes to risk. The Auditing Risk Culture Guide from the Institute of Internal Auditors in Australia explains how this action not only provides assurance, but also an objective view of risk culture itself to the organization.
Horst Simon warns against about management handling this sort of task since incentives exist for them to manipulate processes to support whatever perception they may have, thus leading to a failure on the part of the company to identify weaknesses and develop action plans.
Company leaders can take the findings and recommendations, coupled with effective policies and systems, to build a culture that encourages everyone to ask questions, challenge assumptions, and otherwise weave a risk mindset into the fabric of the organization.
As you can see, the arrangement of words can have a dramatic impact on what they ultimately mean, and this situation is no different.
The inevitable conclusion that arises from situations like this is the main reason why it’s so important to use terminology the business is familiar with. Simply copying terms you read here and elsewhere will just confuse those whose help you’ll need for ensuring the company’s success.
Do you use terms like risk culture and culture risk interchangeably? What tools does your company use to better understand these issues?
To share your thoughts on the topic of risk culture and culture risk, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if your company is struggling to put in processes or establish the right tone for building a robust risk culture (around both risks and opportunities), reach out to me to discuss your current situation.
Embedded images courtesy of IIA Australia. Featured image courtesy of Fauxels via Pexels.com
