Is your organisation the type of place where people only want to hear good news? If so, that’s bad news for your organisation. Firms that are unwilling to identify or escalate issues around risk ultimately leave themselves open to dangerous blind spots occurring.
A robust risk culture is no longer a ‘nice to have’ with many regulators now insisting on it – with the buck stopping with the steering Committee. After all, a good risk and conduct culture doesn’t maintain itself. If your steering committee and your senior management cannot adequately answer the following four questions, you need to take action, fast.
Many organisations struggle with spelling out exactly what’s expected of people on the field. At the same time, meaningful data about risk culture performance may end up not being escalated. All steering committees should therefore ensure people throughout the organisation know exactly what they should be doing and how, through regular communication and a constant review of management information about the organisation’s risk culture.
Poor compliance training and a lack of behavioural controls can create blind spots. You need a behavioural policy framework, supported by a clear steer on what is and is not acceptable, sophisticated training and a visible link to performance and reward.
Senior managers may well tell a good news story about their values and culture, but this may be directly contradicted by logs showing front line behavioural breaches and a growing number of customer complaints. If you see a pattern emerging in terms of behavioural problems and this type of customer complaint, it is a strong warning signal that your organisation lacks sufficient risk controls – or even that certain types of behaviour are being rewarded.
It’s vital that your employees understand what risk-laden behaviour is and how best to respond. This is particularly important for new areas such as technology risk, from business continuity to cyber-crime. All too often, compliance and risk functions are just fire-fighting, rather than scanning the horizon to understand any major new risks emerging. Firms should, for example, help their technology teams become risk-aware and able manage risks. Many heads of technology do not have deep risk management skills; firms therefore need to take a hard look at their competency framework, recruiting strategy and performance management.
It’s no longer possible – or acceptable for authorities – to say, ‘it’s impossible to measure culture’. On the contrary, many organisations are now coming up with frameworks to assess, measure and challenge their existing culture. They do this by referring to conduct data, customer feedback and behavioural policy compliance, or even by using sophisticated people analytics.
There’s a fine balance to strike between a control culture that stifles innovation and one which supports the right decisions in ethically ambiguous territory. But, the focus on culture and risk management isn’t going away. Organisations that adapt fast will be far better placed than those who haven’t yet woken up to the urgency of these issues.
The answer? To be unequivocal and unrelenting in terms of your behavioural expectations of staff, so that an effective risk culture becomes second nature throughout your entire organisation.
If your steering committee cannot adequately answer these four questions, you need to take action, fast.