Horst Simon describes himself on LinkedIn in a challenging way:
Transformational Nonconformist – It is time to Think Differently about Risk; Transformative change requires Disruption!!
I like that!
His primary description is as a “Risk Culture Builder”.
A while ago, he wrote an interesting piece, Calling all Risk Culture Experts. In it he says, and I agree, “we suddenly find a whole bunch of Risk Culture ‘Experts’ talking absolute garbage”.
The trouble is that while I agree a great deal with Horst, I am not 100% with him on this.
Let us get the basics right:
Basics No 1: Governance structure: Firstly, the reporting line for the Head of Risk/Chief Risk Officer is directly to the Board. If you run your business by Committees, that would be the Chairperson of the Board Risk Committee; if not, it should be a Non-executive Director who knows something about the management of risk.
If you want to ensure that there is tension and more, even conflict, between the Chief Risk Officer (CRO) and management, emphasize the independence of the CRO. Make it clear that the CRO is the sheriff appointed to ensure the cowboys in management don’t take too much risk.
But if you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.
I like Horst’s two definitions of risk culture:
- “Risk culture is the system of values and behaviours present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” NC State ERM Initiative
- “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” Institute of Risk Management
- What is a “risk decision”? Every decision should be a business decision. What might happen (risk, or harm, and opportunity, or benefit) needs to be considered as an integral and necessary part of decision-making.
- The culture of an organization is not consistent across the organization (just think of Sales vs. Finance) and can and probably should change as business conditions change.
- Organizational culture, as I have explained many times in this blog and my books, has many dimensions. Attitudes towards taking risk can conflict, for example, with attitudes towards compliance, entrepreneurship, customers, teamwork, innovation, and more.
Basically, considering attitudes towards risk without also considering other dimensions of culture is considering it in a silo.
Horst shares a definition of “Risk Culture Building”:
Risk Culture Building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimise risk to the advantage of the organisation.
We all need to take risk if we are to survive and thrive.
Horst’s blog, and I am sure the training and services he provides, makes some excellent points. But aren’t we better off thinking about whether the culture of the organization as a whole promotes the behaviors necessary for success?
Let’s first examine the demonstrated behaviors towards:
- Shared objectives
- Teamwork and collaboration
- Information sharing
- Concern for employees
- Challenging ingrained beliefs
- Involving others and obtaining appropriate information when making decisions
- Employee empowerment
- Taking the right level of the right risks
- Escalating to more senior management when appropriate, but making decisions when it is not
- … and more
If it is clear that desired behaviors are demonstrated every day, we can be satisfied with the culture.
If not, then let’s find out why not.
As for risk culture, we are talking about the ability to make (risk and opportunity) informed and intelligent decisions.
You can’t have effective risk management without assurance that decision-makers know and then take the right risks for success.
I welcome your comments.
Full disclosure: I was one of the reviewers of the IRM’s publication on risk culture, although I did not endorse the final product for the reasons I discuss in this blog post.