#LOCKDOWN DAY 7: RISK MANAGEMENT NOTES ABMI - Practice Guideline A3: Risk Management Culture
ABMI Research Institute
Risk maturity & sector benchmarks | Risk governance | Learning & development
I recently came across an interesting 2014 book by Gustavo R. Grodnitzky titled “Culture Trumps Everything: The Unexpected Truth About the Ways Environment Changes Biology, Psychology, And Behavior”. I have equally heard similar sentiments expressed by risk management professionals, all indicating that culture is the superior concept that precedes and drives the overall effect and impact of risk management within organisations.
Why do we manage risk? The answer, simply put, is so that we perform and are sustainable. This should be logical; but when one notes the extent of inertia within organisations in implementing the prescripts of effective risk management, one is bound to wonder if we are on the same page regarding risk, risk management and its impact on performance.
I have tried to steer clear of “flavour of the moment” phrases and topics which are spoken about at length but are in actual effect existing ideas that have merely been re-packaged to keep us all busy on the terminology without much expression on the practical necessity, application and implementation thereof. Risk culture isn’t one of those temporary debates and, if properly understood, is a core differentiator of organisations, how they have been governed, and their prospective performance. In more recent times, how countries and organisations have responded to the COVID-19 pandemic is a direct reflection of their overall mindset and approach to uncertainty, the central emphasis and purpose of risk culture in the first place. Some have taken the view that the current pandemic will be contained at all costs and no expense will be spared, and this has been reflected in the urgency and coordination of their lockdown and mitigation efforts. At the opposite pole, we have also observed more relaxed approaches to the current pandemic which have directly translated into a relaxed approach to the pandemic across the spectrum. The extended effects have been devastating and unfortunate, but also a true reminder that sometimes, people do just “as you say”.
One of the more undeniable elements of risk that I have always emphasised is that, when it comes to risk, no amount of denial or “burying your head in the sand” will spare you. What you know as well as what you don’t know will hurt you. The best defence is in establishing a culture that recognises and respects uncertainty both as a value driver and a potential threat that needs to be managed proactively and retrospectively through lessons learnt and enhancements in terms of way forward.
As described by Michael F. Brown, an organisational culture may be generally described “as a set of norms, beliefs, principles and ways of behaving that together give each organisation a distinctive character” (Brown, 1995). The risk management culture directly impacts the risk-taking decisions of an organisation and determines the extent and nature of risks that the organisation will contend with in the value-realisation process (ABMI Reference Library, 2018 edition, p34).
The ABMI Reference Library gives prominence to risk culture in its definition of enterprise risk management (ERM):
“The culture-driven risk and opportunity management rules, attributes and management processes designed to assure organisational performance and sustainability in an integrated manner”
The organisation is expected to have and maintain good ethics, values and integrity standards as well as a conducive culture of managing risk that ensures that the risk policy positions are understood, adhered to and adequately enforced. This is in terms of the competence standards of the attribute-based maturity index (ABMI Reference Library, 2018 edition, p6).
KEY SUB-ATTRIBUTES OF A3: RISK MANAGEMENT CULTURE
Please note that in terms of the attribute-based maturity index there are 7 core components of risk management that comprise 26 primary attributes. These primary attributes are in turn split up into 93 sub-attributes. Below I analyse the sub-attributes of one of the 26 primary attributes. Keep coming back for more articles that unpack the other elements.
Some elements aren’t explained in full, save for the focus item. All elements, however, are explained in detail in the ABMI Reference Library, which can be obtained directly using a self-registered user profile on www.abmi.co.za.
A:3-1 Risk culture assessment and improvement
The organisation formally assesses its risk culture and implements required culture building programmes.
The organisation must ensure that it recognises and prioritises the relevance and contribution of risk culture to organisational effectiveness and performance. This requires that the organisation formally assess its risk culture and implement required enhancements in areas of identified weakness. The assessment of risk culture should strive to focus on actual outcomes by giving priority to actual behaviours rather than paper-based components of risk culture.
A:3-2 Risk policy communication and awareness
The governing authority provides for a consistent and formal risk culture by effectively and consistently communicating the risk philosophy of the organisation as embedded in the risk policy.
A:3-3 Organisational culture through awareness
The organisation promotes and sustains an optimal risk management culture through ongoing risk training and awareness initiatives with officials and key stakeholders.
The organisation should implement a risk training and awareness programme with specific objectives that align with the organisational risk policy as well as risk strategy and improvement plan. Risk training and awareness can be delivered face-to-face, in-workshop or using e-learning platforms. The organisation should consider post-learning assessments to determine the effectiveness of the learning process. The organisation should ensure that the training and awareness programme is designed to benefit all relevant levels of staff. This should also include ensuring that training and awareness content is aligned to the recipient audience so they can practically apply the training and awareness initiatives in their own areas of work.
A:3-4 Ethics and values
The organisation clearly defines and communicates an organisational code of ethics and conduct as well as a set of core values that must guide the activities and interactions of all officials and stakeholders.
A:3-5 Breach and consequence management
The organisation, through consequence management activities, ensures that all breaches of organisational policies, ethics, and values are resolved consistently and in a formalised manner.
A:3-6 Risk culture and performance management
The organisation, through its reward and recognition process (or performance management), demonstrates preferable behaviour by recognising positive behaviour and dis-incentivising negative behaviour.
Conclusion: For additional context, register a free user profile via www.abmi.co.za and download our free ABMI Reference Library Preview document or explore additional value-added offerings. Good luck and feel free to share your views. We are all here to learn and no idea is unwelcome!!!
Managing Director of Ristco | Certified Director | MBL | Cert. Senior Lead Risk Manager | Cert. ISO 27001 Lead Auditor | Risk, governance, strategy, performance management consultant.
4 years ago: Very relevant post, thanks, which also indicates the close correlation between risk and governance.