ERM International



Our new head of risk culture, capability and change, Rob Jack, combines HR and risk management skills to deliver an impactful, adaptive approach to organisational transformation. He explains why risk culture needs to be ‘always on’ in your business.

In the past decade, we’ve witnessed a noticeable uplift in risk management capability at many organisations, driven by the necessity of addressing internal and external uncertainty, and the steady maturing of risk management as a professional discipline. 

To continue this trajectory, organisations are now turning their attention to developing a strong risk culture. That is, a shared set of beliefs and behaviours that underpin effective risk management. 

But it is not enough to just define what we mean by a strong risk culture. Organisations must develop it as part of their overall organisational culture. They must also focus on maintaining their culture over time. 

At ERM International, we help build and embed an ‘adaptive approach’. Our fit-for-purpose methodology enables organisations to continuously assess, monitor and improve their culture to align with ever-evolving business needs and external challenges. 

Use a variety of assessments

What are we trying to do when we ‘assess risk culture’? Basically, we aim to define and evaluate the organisation’s attitudes, perceptions and behaviours around risk management. Ideally, we set out common behavioural definitions, using language already familiar to the organisation.

We then consider a variety of structured assessment tools that identify strengths and weaknesses, as well as areas for reinforcement and improvement. Working with each organisation to meet their bespoke needs, we employ various qualitative and quantitative methods, such as perception surveys and proxy metrics, as well as interviews, focus groups and workshops.

Experimenting with these tools enables the collection of data and insights into the organisation’s risk awareness, risk appetite decision-making and risk-taking behaviours.

At ERM International, we consider both formal structures, such as the application of risk policies and procedures, and behavioural elements, communications and leadership performance.

Don't stop at the survey

Many teams stop at risk culture perception surveys. While surveys are a great place to start, it’s only with a tailored combination of quantitative and qualitative assessment techniques that an insightful picture of the behavioural and cultural environment begins to emerge.

This provides the foundation for routine reporting and/or a dashboard, and the identification of internal comparisons, hotspots and temporal trends.

Routine reporting is also crucial for maintaining executive and board-level engagement, and especially important in highly regulated environments.

Integrate culture into governance

Improving risk culture requires integration with the existing governance framework in a way that fosters accountability, transparency and continuous improvement.

This may include reinforcing the basics such as establishing clear roles and responsibilities for risk management, sharing risk-related information and integrating risk into decision-making.

Over time, these improvement activities will likely expand to more thematic opportunities, such as capability development, aligned assurance initiatives and behavioural auditing, designed to improve overall risk management and governance practices.

Embrace a 'never-ending' culture approach

An adaptive approach to risk culture acknowledges that every organisation, its risk management practices and its broader governance model are all dynamic.

Thus, the risk culture approach must also couple components of ‘always-on’ monitoring with periodic and bespoke assessment. Responsive, fit-for-the-moment actions will also be required.

In this way, risk culture can become a barometer of risk effectiveness. It should enable continuous improvement and ultimately facilitate a more resilient organisation. Embracing this adaptive approach will help your organisation to remain agile, responsive and resilient in concert with the evolving risks and challenges you face. It also adds an important behavioural component to the risk team’s professional ‘toolkit’.

Where to next?

Rob Jack leads risk culture, capability and change with our ERM International clients. Keen to chat? Get in touch to organise a time.


Written by: Rob Jack

Posted On: 11 July 2023
