First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Is asking about risk culture the right question?

risk cultureEverybody is talking about assessing and addressing risk culture.

They talk as if risk culture (the beliefs and so on that drive risk-taking behavior) is not only a major factor in whether risks are at desired levels, but is consistent across the organization.

But, while culture is a major driver of behavior (of all types, not just risk-taking), it is most certainly not consistent.

Consider the executive team.

Do they have an identical attitude towards taking risk? Aren’t some more careful and cautious than others? Isn’t there often a healthy debate when it comes to the timing of product launches or expansions into new markets?

If you don’t have a consistent attitude towards taking risk among the few members of the executive team, how can you expect to have a consistent attitude among the population of employees and decision-makers?

I am not saying that attention should not be paid to culture. If there are conditions (such as severe penalties and repercussions for making a mistake) that can drive behavior in the wrong direction, it is important to understand and address them.

What I am saying is that we should ask a different question.

How can we be reasonably sure that decision-makers will take the desired level of the desired risks, the level of risk that the board and top management want taken to achieve objectives?

Follow that with asking who (individuals and teams) is more likely to take a different level of risk?

Now that we have identified the potential sources of poor risk-taking (and decision-making, by the way), we can start to think about what we are going to do about it.

Options might include expanding or shrinking how we empower certain employees to make decisions and take risks without approval.

Let me close with this.

Are you paying too much attention to risk culture in general and not enough to people who you (or top management) are not confident will make intelligent and informed decisions and take the wrong level of risk (which may either be too little or too much)?

I welcome your comments.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , ,

Comments are currently closed.