Good conduct and the risk overlay
Today I’m going to be a bit contentious but I’d like you to hear me out: risk culture isn’t going to drive good conduct.
Now I know that for many – regulators included – this is going to seem like the opposite of the line they are pushing, but after having yet another risk conduct/risk culture/risk appetite ‘alignment’ course pop up in my feed again, I began to wonder: why are we still having this same conversation?
I believe it’s because inserting the idea of ‘risk culture’ over ‘culture’ adds an unnecessary layer to the conduct conversation, and this is a critical conversation to get right.
Now this isn’t to say that risk management as a business tool isn’t a fantastic method for managing risks. And of course you should assess and mitigate your risks of not complying. Compliance is managed via assessing risks and priorities.
But here’s the thing: putting the word ‘risk’ in front of everything and thinking that methodology is the only one you need is a nonsense, especially for big things like culture and conduct. Risk management methodologies may or may not herd your organisation to behaviours within the flags but the devil is in the detail.
Compliance, on the other hand, is objective. It is a clear ‘north’ marker. Laws are created by agreement. You might not like all of them, they might be a convoluted way of achieving the outcomes and it could be open to debate about how they could best be worded to achieve their outcomes, but they are a social marker of expectations. As societies we generally agree that we can’t all do whatever we want to do – and our way of solving the problem is to create rules and guardrails that have been agreed and go through a process for that agreement.
Additionally, laws can already be controls established to mitigate the risk of a negative event occurring: car accidents as a risk are a prime example. Speed limits, drink driving laws and roadworthiness requirements for vehicles are all ways of trying to prevent harm to yourself or harm to others.
So why would you layer a ‘risk culture’ again over the top of established boundaries and controls that are already in place? To me this just sends a message that the internal values system of an organisation is superior to the external values system that society as a whole has established.
To return to the car accident analogy, it’s the conversation that people frequently have in their own heads – based on absolutely no objective data – that because ‘they’ are ‘good’ drivers, they don’t need to worry about the speed limit. They are ‘managing their risk’. The problem is that the objective data outside of their world doesn’t align, and they haven’t considered the risks posed by all of the other people on the road, altered conditions and new circumstances that may arise.
Rather, a ‘compliance culture’ and thereafter managing the risks of falling outside those cultural and conduct expectations gives a single point of reference to work toward. What’s your objective: To keep your customers safe and make money at the same time? Fantastic – what needs to be done to achieve this and what are the behaviours that won’t achieve it? What does the experience of the law tell us? It’s a completely different conversation.
By all means, then manage the risk of your staff making mistakes or behaving badly, but that’s not the same conversation as working toward a values-driven objective; objectives and a common goal drive cultures and conduct. Compliance management embeds culture and expectation – risk management manages the potential for that not working, it doesn’t do the embedding, even if you put ‘risk’ in front of the word ‘culture’.
Too often I’ve seen organisations tie themselves up in knots writing a risk appetite statement (that no one really understands), then establishing frameworks to adhere to that risk appetite statement, and only then considering their compliance obligations and maybe their organisational values, as a late-entry activity. These then either have to be wedged somehow into the ‘risk culture’ they are creating, or there is a whole lot of tinkering around the edges on technicalities and the organisation loses sight of the inherent value of complying in the first place.
Disagree? Could say it better? I’d love to read your comments! You can read the full article on the GRC Institute website, and if you aren’t already on our mailing list you can sign up there as well: www.thegrcinstitute.org
Risk Compliance & Governance Specialist, Director, Experienced Executive, Committee Member
1 year: Great discussion starter, Naomi!
Director - Financial Services Audit & Assurance at Deloitte Australia
1 year: For me there needs to be a much deeper conversation around the drivers of good outcomes, and I would argue that these don't necessarily hinge on risk, culture or even compliance, but can be materially impacted by driving attention into any one of these areas. What we need to consider is how desirable outcomes are supported by each of the above frameworks and unhinge our reliance on risk management, culture, and compliance as a failsafe way of achieving them.
CEO at Compliance Institute SA; Chair, International Federation of Compliance Associations (IFCA)
1 year: Well said, Naomi!
Director - Raeside Consulting - External Compliance Committee Member, Financial Services Compliance Specialist
1 year: Naomi - I agree that compliance is broader than and separate to risk. It is about how the organisation can ensure it meets its various obligations, be they set by regulatory, contractual or industry standards, community expectations or the organisation’s cultural norms. Risk management is about how organisations manage uncertainty in achieving their objectives within the organisation’s appetite for risk. A different and very important management role to that of compliance. At times the two will work together, but more often compliance plays a much broader role.