
Fostering a risk intelligent culture–why behaviour matters

Presenter: Dailene Kells

RIMS Canada Conference 2014

September 16, 2014

© Deloitte LLP and affiliated entities.

“… clearly we have the benefit of some kind of good risk management culture... I guess I would say it's sort of the way we just do things, but I think it's critically important in how we get to our outcomes.”

Erin Callan, CFO Lehman Brothers, February 2008

Fostering a risk intelligent culture - RIMS Canada Conf 2014


Current events


• Financial Stability Board

– Issues consultative document on Nov. 18, 2013

– Guidance on Supervisory Interaction with Financial Institutions on Risk Culture

– Explores ways to formally assess risk culture at financial institutions


Discussion items

• Why risk culture?

• Understanding risk culture

• Improving risk culture


Why risk culture?


“Getting risk culture right is fundamental to controlling risk effectively within the organization. It is, above all, about actual behavior – what you do, not just what you say.”

Governance For Strengthened Risk Management, IIF October 2012


“Culture eats strategy for breakfast.”

Mark Fields, former President of Ford Motor Company (attributed to Peter Drucker)


Risk culture has a significant impact on the implementation of risk strategy

1. Organizations traditionally focused on the more tangible aspects of risk management

2. The risk culture of an organization has a significant impact on how effective an organisation is at managing risk

3. Managing risk culture should be an integral part of risk management strategy

Risk culture can dominate the risk-related behaviours of employees


Understanding risk culture


The role of risk culture

Even the best designed controls are subject to the failings of people’s experience, attitude, mindset and values.

30%: Governance, Frameworks, Infrastructure, Policies/controls, Systems

Traditional risk management approaches only focus on formal risk mechanisms and governance, i.e., the “hardware”

70%: Instincts, Behaviours, Unconscious bias, Diversity of thought, Cultural symbols

The majority of significant risk failings have been the result of the broader organizational climate and controls context, i.e., the “software”

Risk culture and business performance

[Figure: business performance (vertical axis) plotted against risk culture performance (horizontal axis), with three zones: detrimental risk culture, ‘developing’ risk culture and desirable risk culture.]

• Poor risk culture causes frequent high impact incidents

• Gaps in risk culture result in lost opportunities and more errors than desirable

• In most cases, continuous improvement opportunities exist to drive a more strategic value-adding approach to risk

Example risk-related behaviours

Desirable behaviours

• Open and honest dialogue regarding risks

• Following risk management policies and processes

• Admitting to making mistakes

• Proactive sharing of best practices

• Consulting with others when in doubt

• Taking personal accountability for managing risks

• Involving risk professionals in risk decisions

• Constructive response to challenge

Detrimental behaviours

• Reluctance to learn from past mistakes

• Shooting the messenger

• Inadequate challenge of excessive risk taking

• Reticence to escalate risks appropriately

• Following the herd

• Rewarding excessive risk taking

• Yielding to inappropriate pressure from others

• Cutting corners

Figure labels: Risk competence, Motivation, Relationships, Organization

Attributes of a desirable risk culture

• Commonality of purpose, values and ethics

• Universal adoption and application

• Learning organization

• Timely, transparent and honest communications

• Understanding of the value of effective risk management

• Responsibility – individual and collective

• Expectation of challenge

Everyone understands the organization's approach to risk, takes personal responsibility to manage risk in everything that they do, and encourages others to follow their example.

Benefits of a desirable risk culture

• More effective management of risk

• Improved risk-based decision-making throughout the organization

• Increased confidence of external stakeholders

• Enhanced credit ratings

• Compliance with regulatory requirements


“You can pass new laws, you can toughen up regulations and we've got to do that, but what you can't do is to pass laws to change people's culture and to get them to behave in a more responsible way...”

Alistair Darling MP, former UK Chancellor of the Exchequer


Understanding risk culture


What is risk culture?

A system of values and behaviours present throughout an organization that shape day-to-day risk decisions.

Three elements of organizational culture

• Management systems: Organizational processes and infrastructure. How people are required to complete their work.

• Behavioural norms: Accepted patterns of behaviour visible across the organization. How people interact with management systems and each other.

• Organizational symbols: Inherent interpretations of symbolic messages. What behaviours are (or are perceived to be) rewarded or sanctioned.

These elements represent the manifestation of organizational culture.

Deloitte Risk Culture Framework: Sixteen risk culture indicators

Risk culture influencers

• Organization: How the organizational environment is structured and what is valued

• Relationships: How people in the organization interact with others

• Motivation: The reason why people manage risk the way they do

• Risk competence: The collective risk management competence of the organization

Measuring and managing risk culture: Risk culture is understood by measuring specific influencers and indicators

To fully understand an organization’s current risk culture and to track progress of cultural change, a focused assessment is required. Deloitte has developed a comprehensive approach to assessing risk culture based on our Risk Culture Framework. The framework consists of sixteen risk culture indicators aligned to the four risk influencers. Once an organization’s risk culture is understood, the Risk Culture Framework can then be used to help manage it.

Risk Culture Framework: the four risk culture influencers

• Organization: How the organizational environment is structured and what is valued

• Relationships: How people in the organization interact with others

• Motivation: The reasons why people manage risk the way that they do

• Risk competence: The collective risk management competence of the organization

Example survey questions:

• The pressure on me to meet performance targets is balanced with the need to comply with risk policies, processes and procedures

• People in this organization are penalised if they take unacceptable risks, even if their actions subsequently generate good returns

Example survey questions:

• When it comes to risk management, this organization practices what it preaches

• People in this organization know how to escalate risks

• People in this organization share similar ethical values

Example survey questions:

• People in this organization are expected to do what they are told, no matter what

• Risk management concerns are discussed openly and honestly in this organization

• The leaders of this organization role model the right risk behaviours

Example survey questions:

• In this organization we assess and learn from risk events and mistakes when they occur

• I understand the key risks associated with my role

• Our people are made aware of their risk-related responsibilities from the day they are hired

Measuring and managing risk culture: Methodology to assess organization’s risk culture

The time required to assess an organization’s risk culture depends on the scope of the exercise, the demographics of the survey participants and the complexity of the logistics associated with it. It is also recommended that a number of qualitative interviews and/or workshops are conducted to supplement the quantitative results generated from the Risk Culture Survey. There are three different options for delivery, depending on the depth of the assessment required. The exercise should then be repeated on an annual basis to monitor progress and re-align initiatives as appropriate.

Risk Culture Assessment Methodology

1. Configure and distribute survey

2. Gather survey feedback

3. Conduct interviews and/or workshops

4. Analyze and interpret results

5. Feedback insights & determine desired risk culture

6. Plan actions and produce annual Risk Culture Report

BEGIN/REPEAT/EMBED

Initiate culture change programmes

Assessment Methodology Delivery Options

Delivery option | Survey | Assessment | Study
Typical Duration | 1-2 months | 2-3 months | 3-4 months
Risk Culture Survey (64 questions) | Yes | Yes | Yes
Exploratory Interviews | A few with leaders | With leaders and managers | With leaders, managers and staff
Investigative Workshops | No | With leaders and managers | With leaders, managers and staff
Risk Culture Report | Yes | Yes | Yes
Current Risk Culture Score | Yes | Yes | Yes
Organization-Specific Risk Culture Indicators | Identified | Assessed | Analysed
Desired Risk Culture Definition | Limited | High-Level | Detailed
Action Planning | Basic | Detailed | Extensive

Measuring and managing risk culture: Assessment helps organizations determine what activities to prioritize

The Risk Culture Survey helps financial institutions to assess how the key risk culture indicators are influencing how risk is being managed in their organization. The survey is a standard set of sixty-four risk culture-focused questions, derived from the sixteen risk culture indicators of the Risk Culture Framework.

Gathering data and information

Key features of the Risk Culture Survey:

• 64 questions written in plain English and designed so that they can be answered by people at all levels within a financial institution

• It can be delivered to large numbers of employees (either electronically, via paper or both) – the use of Deloitte’s survey technology – DeloitteDEX – is optional

• Feedback can be gathered anonymously to encourage honesty

• A 5 point response scale is used ranging from ‘strongly agree’ through to ‘strongly disagree’

• Demographic information is also captured allowing multi-faceted analysis e.g. role/geography/business unit.

[Figure: sample survey pages]

Deloitte Risk Culture Survey. This survey measures a number of statements that describe the risk culture of your organisation. Each group of statements represents an important part of the culture. Please read each statement and indicate the extent to which the behaviour described reflects the norm in your organisation. Your responses should reflect what you are generally able to observe in your organisation. This is not a test; there are no right or wrong answers.

Instructions: Please read the statements below and indicate the extent of your agreement with the statements, using the rating scale provided (Strongly Disagree / Neither Agree nor Disagree / Strongly Agree):

1 I understand how the risks associated with my role impact this organisation

2 I understand the major risks associated with my role

3 The people I work with understand how to manage risk effectively

4 I have easy access to information to help me manage the risks I am responsible for

5 I have the right skills to effectively manage risk in my role

6 We have the right level of skills within our business function to manage risk effectively

7 We are expected to keep our risk management skills current

Sample items rated twice, once for “The way it is” and once for “The way it should be”, each on the scale NO 1 2 3 4 5 6 7 8 9 10:

1. Managers at xxx support the actions and decisions of their people.

2. People at xxx will put in extra effort to ensure the job gets done properly.

3. People take the initiative when it comes to developing new things/ideas.

Generating survey outputs

The survey enables data analysis that identifies risk culture strengths and weaknesses. The data can also be mined allowing further investigation of any areas of key concern.

[Figure: Risk Culture Framework wheel showing the indicators by influencer and example scores]

• Risk Competence: Knowledge; Skills; Learning; Recruitment & Induction (COMP Score 4.4)

• Organization: Values & Ethics; Policies, Processes & Procedures; Risk Governance; Strategy & Objectives (ORG Score 4.9; the figure also carries the labels Controls, Structures and Values)

• Motivation: Risk orientation; Performance Management; Incentives; Accountability (MOT Score 3.5)

• Relationships: Communication; Challenge; Management; Leadership (REL RCS 3.9)

• Risk Culture Score: 4.2

Prioritizing and action planning

The results from the survey regarding the sixteen risk culture indicators can be plotted by considering their relative influence on risk culture. Priorities for action planning can then be identified.

[Figure: the sixteen indicators (numbered 1 to 16) plotted by Risk Culture Survey score (negative to positive) against each indicator’s relative influence on risk culture (lowest to highest). Marked areas: Desirable Risk Culture Zone, Strong Risk Culture Zone, Weak Risk Culture Zone, and indicators requiring priority attention.]

[Figures: Leaders/Employees Perception Gap charts comparing leadership scores and employee scores. Labels: Motivation, Relationships, Organization, Risk Competence; Knowledge, Skills, Recruitment & Induction.]

Measuring and managing risk culture: How organizations should respond to the assessment at the macro-level

Findings of the assessment will typically fall into one of three categories: isolated, thematic, or systemic. Isolated and thematic outcomes are usually the simplest to deal with. If the risk culture results indicate systemic issues then a wide ranging culture change programme will be required.

Isolated

Survey results may indicate very specific issues that require action.

Potential activities to address this incentives issue:

• Review incentive framework in relation to risk appetite

• Benchmark incentive programmes against other similar financial institutions

• Design the incentive framework to reinforce the desired risk culture

Thematic

Survey results may indicate issues with a single organizational influencer of the risk culture framework that require addressing.

Potential activities to address this risk competence issue:

• Conduct training needs analysis, including an assessment of current risk management knowledge and skills

• Develop a risk management training strategy

• Design and deliver training and development programmes to enhance risk capabilities

Systemic

Survey results may indicate there has been a general weakening of the organization’s risk culture; this would need to be addressed systemically.

Potential activities to address this result:

• Revision of recruitment and induction approaches and coaching methods

• Realignment of organizational values to reflect the risk strategy

• Work with senior leadership and management to build a culture of healthy challenge and effective role modelling

• Review of incentive and rewards structures

Measuring and managing risk culture: Desired organizational response at the ‘indicator’ level

Risk Competence

Knowledge

Definition: The awareness and understanding that people have about risk management

Goal and interventions: The goal is to improve people’s knowledge. Interventions will focus on ensuring that there are frequent communications and awareness programmes delivered through the most appropriate channels for the different audiences. Assessments of awareness and understanding should also occur.

Skills

Definition: The ability that people have to manage risk effectively

Goal and interventions: The goal is to improve people’s skills. Interventions will focus on structured training and education programmes. Assessments of skills should also occur.

Learning

Definition: The act, process or experience of gaining new risk management knowledge or skills

Goal and interventions: The goal is to achieve a continuous learning culture. Interventions will focus on the promotion of on-the-job learning and coaching, and the formalisation and embedding of techniques such as lessons-learned reviews.

Recruitment & Induction

Definition: The identification of new people to join the organization, and their assimilation into it

Goal and interventions: The goal is to ensure that people who are brought into the organization have the necessary risk management knowledge and skills and the appropriate attitude to risk. Interventions will focus on ensuring that these personal capabilities and attributes are factored into the whole process – from interview to induction.

Measuring and managing risk culture: Desired organizational response at the ‘indicator’ level

Motivation

Performance Management

Definition: The system used to measure people’s contributions to the organization’s risk-related goals

Goal and interventions: The goal is to align the performance management system with the risk-related objectives of the organization. Interventions will focus on ensuring that appropriate risk management objectives are included in the system e.g. in balanced scorecards.

Incentives

Definition: Items that encourage appropriate risk management actions or efforts, such as fear of punishment or expectation of reward

Goal and interventions: The goal is to encourage appropriate risk management actions or efforts. Interventions will focus on identifying and then adjusting those incentives in the organization that have the most significant effect on risk-related behaviours e.g. penalties for non-compliance.

Reward & Recognition

Definition: Benefits and recognition that are given in recompense for exhibiting the desired risk management behaviours

Goal and interventions: The goal is to ensure that the personal reward system is aligned with the risk management objectives of the organization. Interventions will focus on identifying and then adjusting those reward and recognition systems in the organization that have the most significant effect on risk-related behaviours e.g. compensation.

Accountability

Definition: The willingness of people to accept responsibility for managing risk, and for their own risk management actions

Goal and interventions: The goal is to encourage people to take more personal responsibility for managing risk. Interventions will focus on clarifying risk-related roles and responsibilities, and ensuring that people understand and accept that everyone in the organization has some level of risk management responsibility.

Measuring and managing risk culture: Desired organizational response at the ‘indicator’ level

Organization

Strategy & Objectives

Definition: How the organization’s strategic plans, including risk appetite and tolerance, are perceived by the people in the organization

Goal and interventions: The goal is to ensure that people understand and believe that the organization’s risk strategy is aligned with its business strategy. Interventions will focus on ensuring that the risk strategy is being properly interpreted by people in the organization, and that risk strategy is being correctly translated into functional and personal objectives.

Values & Ethics

Definition: The individual and organizational beliefs and rules that influence risk management behaviours

Goal and interventions: The goal is to ensure that the organization’s belief systems support the risk strategy. Interventions will focus on understanding both the personal values of people, and the ethical standards of the organization, and then aligning them with the risk strategy.

Policies, Processes & Procedures

Definition: How the formal risk management rules and controls are perceived by the people in the organization

Goal and interventions: The goal is to ensure that people willingly adhere to the risk management policies, processes and procedures. Interventions will focus on educating people about the importance of formal risk management rules and controls, and also understanding the reasons why people may be choosing to ignore or to circumvent them.

Risk Governance

Definition: How the formal risk management structures are perceived by the people in the organization

Goal and interventions: The goal is to ensure that the organization’s risk management structures are fully understood and properly leveraged by everyone. Interventions will focus on educating people about the structures and also promoting the value-adding aspects.

Measuring and managing risk culture: Desired organizational response at the ‘indicator’ level

Relationships

Challenge

Definition: The willingness of people to challenge others, and the responses of those that are being challenged

Goal and interventions: The goal is to create an environment in which challenge is expected. Interventions will focus on educating people how best to challenge others, and also helping leaders and managers to role model the desired behaviours when they themselves are challenged.

Management

Definition: The risk management behaviours exhibited by the managers in the organization

Goal and interventions: The goal is to have managers role modelling and encouraging the desired risk management behaviours. Interventions will focus on education of the managers regarding how to conduct themselves in relation to risk-related situations.

Leadership

Definition: The risk management behaviours exhibited by the leaders of the organization

Goal and interventions: The goal is to have leaders role modelling and encouraging the desired risk management behaviours. Interventions will focus on education of the leaders regarding how to conduct themselves in relation to risk-related situations.

Communication

Definition: The top-down risk-related communications, and also the risk-related dialogues that take place between people across all levels

Goal and interventions: The goal is to have frequent, open and honest communications occurring throughout the organization. Interventions will focus on ensuring that there are adequate communication channels and forums available that are suitable for the discussion of risk management, and that they are being used appropriately.

Assessment techniques

Traditional techniques (surveys, interviews) focus on what people do and fail to uncover the reasons why people behave the way they do.

• Subjective: Assessments reliant on a few simple techniques lack objectivity.

• Retrospective focus: Surveys and interviews on their own fail to shed light on the mindsets that shape and influence future risk decisions and behaviours.

• Cognitive bias: People will instinctively respond to questions that probe ethics or risk-related behaviours in a way that avoids challenging an individual’s moral standing.

• Lack of ‘actionability’: ‘Actionability’ is reliant on presenting evidence, supported by multiple data sources.

Risk culture assessment techniques

Element | Method | Technique | Focus
Management systems | Audit | Programmed audit | Risk policies, procedures, systems
Behavioural norms | Correlate | Behavioural assessment | Establish risk behavioural ‘norms’
Organizational norms | Validate | Structured data analysis & surveys | Incentives, rewards, etc.
Analytics | Predict | Regression | Proactive intervention

Outcome (labels shown in the figure): Inconclusive, Informed, Evidenced, Deep, Objective, Actionable

Improving risk culture


1 - Improve management systems

Commit to plans which drive continuous cultural improvement through awareness, change and refinement of policies, frameworks, methodologies and systems.

Enablers

• Leadership commitment: Secure the buy-in and commitment of the leadership team, including executives and the board

• Communications: Communicate program goals to all stakeholders, and proactively seek out feedback

• Measurement and reporting: Establish an objective measurement of the organization’s risk culture and report on it regularly

• Program management: Manage as a program of change, including coordinating with other relevant change initiatives

2 - Communicate behavioural norms

• Set right tone-at-the-top

• Broad and consistent communication

• Coach employees to be risk managers

• Clarify expectations and requirements

• Support identification and escalation of issues

• Link performance and risk management


3 - Use metrics for organizational symbols

• Cultural metrics: Can provide direct measurement of risk culture by measuring people’s attitudes, beliefs and behaviours

• Leading cultural indicators: Make use of metrics that organizations typically already track, and that indicate where and why cultural weaknesses can be more likely to occur

• Lagging cultural indicators: Make use of metrics that organizations typically already track, and that indicate where cultural weaknesses may have already resulted in undesirable behaviors and outcomes

“Effective development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”

Institute of International Finance


For more information


If you would like more information on risk culture or how Deloitte can help your organization, please contact me at:

Dailene Kells

Partner, Enterprise Risk

306-343-4464

[email protected]