Why risk culture could be a competitive advantage for your business
The recent turmoil in the banking sector has underlined the importance of risk culture as a fundamental component of business resilience. The failures of Credit Suisse, First Republic and other banks are a stark reminder of why we must incorporate risk into governance and strategy.
All too often, risk management is associated with compliance and ‘box-ticking’. Unfortunately, this approach is itself a risk since it causes boards and leadership teams to miss the warning signs of failures waiting to happen. What is needed instead is a strong risk culture, which permeates every level of an organisation.
A strong risk culture can be defined as a culture where individuals share a common sense of purpose, values, beliefs, behaviours and understanding about the risks that their organisation faces. They also have a shared awareness of their organisation’s level of accepted risk.
Overconfidence prevails
Today the growing interest in risk cultures has been largely driven by regulators, particularly within the financial services sector, who see it as a means of tackling and preventing governance failures. The mounting focus on risk culture is also linked to increasingly disconnected organisations and volatile business environments. This climate presents a widening range of risks, including many that are hard to detect, predict and quantify.
Yet while there is an increasing will to improve, many businesses are still not getting their risk culture right. In fact, a recent study by ACCA, conducted in partnership with the Association of Insurance and Risk Managers (Airmic), and the Professional Risk Managers’ International Association (PRMIA), suggests that companies are overconfident about the effectiveness of their risk cultures. The study is based on an online survey of more than 1,800 risk and financial professionals globally, and was also informed by roundtables, one-on-one interviews, and an online community pop-up platform.
Around 80 per cent of survey respondents said they had a good understanding of the risk appetite within their organisation. Furthermore, 57 per cent said their organisation’s risk culture had changed for the better since the pandemic. Nevertheless, the research also found that just 60 per cent of respondents thought that risks are sufficiently discussed at all levels within their organisation. Worryingly, the risk conversations that do occur often seem to be happening in a vacuum at the top.
Survey respondents ranked regulatory, compliance and legal risks as the top priority for their organisations, followed by technology, data and cyber security risks. There were some understandable differences between sectors, however, with inflation and the prospect of recession being a top risk priority for the financial services sector, while the corporate sector ranked logistics and supply chain issues among its main concerns.
Despite corporate fraud being on the rise, the corporate sector ranked misconduct, fraud and reputational damage bottom of its list of risk priorities. This suggests that companies are confident – or perhaps overconfident – about their ability to manage these kinds of culture and conduct risks.
A strong risk culture
Given the varied and complex nature of today’s risk landscape, businesses must prioritise building a strong risk culture. A good starting point is to assess the organisation’s current culture, the behaviours it breeds, and the risks that those behaviours might drive.
A recurrent theme from our research was that businesses should focus on building a risk culture that commits to proactively dealing with risks. To do this, they will need to align their strategy with the risks they face and integrate risk into their core processes. They will also need to get early access to information on a broad range of risks, break down the existing silos around risk governance, and build their capacity to deal with change.
Businesses should not overly focus on compliance and processes to the detriment of attitudes, knowledge, and ethical values. Our research highlighted that a good risk culture is an organisation that gives its people the capacity to spot emerging risks, and act on them. On the other hand, a weak risk culture was defined as ‘bureaucratic’, ‘misaligned’ and ‘process-driven’. Audit professionals can play an important role in strengthening risk cultures by ensuring that functional decision-making is in line with the overall risk appetite of the organisation.
As our research rightly noted, an effective risk culture does not just avert disasters; it also brings a host of new opportunities. By taking a more dynamic and collaborative approach to risk management, businesses can build a risk culture that boosts their resilience today while acting as the foundation for long term, sustainable success.
To learn more about our research, visit Risk culture: building resilience and seizing opportunities. accaglobal.com/insights