• About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact

Effective risk oversight: why culture matters

July 17, 2022

Risk and culture pervade all aspects of an organisation’s operations and strategy and the panel of experts on Transpire Global’s Risk Faculty webinar (which I was a member of) explored the key connections and crossovers between risk and culture which are too often kept in silos.  The panel considered a range of issues including regulatory developments relating to culture, creating a physiologically safe work environment and the people and culture dimensions to cyber and technological risk.

The regulatory risk backdrop

The Financial Reporting Council (FRC) is a cross-sector organisation which is the custodian for several important governance codes (covering listed companies, private companies & investor stewardship).  While it has no specific remit for culture, the FRC recognised the importance of culture in support of ‘purpose’ and stakeholder outcomes, so it created the Culture Coalition (with four workstreams and support repositories) to coordinate a very wide pool of views and assistance.

For financial services, the Financial Conduct Authority (FCA) has a much more focused ‘conduct’ remit, with a current focus on consumer duty and vulnerable customers, with a long-term interest in a firm’s complaint management practices as a practical indicator of culture.

It’s not all about technology

Behaviours, culture and people risk underpin our maturity and capabilities within cyber, data and IT risk management.  Cyber, for example, requires a focus on the resilience of delivery of purpose and service, and is usually considered to be a constantly-evolving ‘top 10’ operational risk.

Growth firms typically employ technologists as more than 50% of their resources.  The team’s motivation is to use agile techniques with a focus on continuous improvement, being exemplary in usability and testing, all whilst considering users’ vulnerabilities and to ‘care’ about them – employing professionalism through a real interest in the role and not just pay rates.  As technology skills are scarce, employers can emphasise these added-value factors to achieve better staff loyalty and motivation.  

Creating the right culture

There is an importance to purpose and values – as well as inclusion – in creating a psychologically safe environment to enhance an organisation’s performance.  Dr Roger Miles has done some excellent work here; his recent book, Culture Audit in Financial Services (relevant beyond financial services) is compendium of culture tools and case studies – developed with UK Finance (and with the interest of the FCA, of course).

Being authentic

Prof Roger Steare’s research also proves that while individuals and small business owners may be authentic in their personal application of culture and ethics, on arrival at work for a big firm, an employee may ‘change hats’ and be coerced to do bad things by formal processes or scripts.  Alison Bond emphasises the need to focus on measuring outcomes (not just processes) and creating an authentic alignment to purpose.  In essence, it is necessary to think carefully about how culture builds into outcomes.

Your role as a non-executive

Your role as a non-executive is to own ‘accountability’ and to pro-actively join up oversight and assurance, supporting (but not over-policing) those in the front line carrying the targets and resources.  You will need to rely on ‘sources of assurance’ including internal audit and others within or beyond your own organisation (and through the value chain) to be confident in the positive effect of culture on delivering your commitments.

Takeaways

Is there is a two-point takeaway that will keep your culture efforts tight?

Firstly, focus on your purpose and whether you are delivering, and being accountable, for that: too many organisations in both the private and public sectors are failing those that rely on them for an essential service – which effectively is their reason for being.

Secondly, ensure you are ready and resilient, especially if you provide an essential or infrastructure service to your stakeholders.  Don’t let them down!

 

Bryan Foss is an experienced non-executive director, CISI Risk Forum Committee member, Co-Founder of the Risk Coalition, Co-Chair of Transpire Global’s Risk Faculty, Senior Advisor with the FRC and a helper to others on governance matters.

Transpire Global, in conjunction with the Chartered Institute for Securities & Investment and the Risk Coalition, held an online discussion panel on “Effective risk oversight: why culture matters” on 20 June 2022.  In addition to Bryan Foss, panelists included Alex Walker and Bob Barclay.  The discussion was chaired by Hanif Barma.

The Risk Coalition’s Raising the Bar guidance and GABI self-assessment and benchmarking tool for Board Risk Committee Chairs, CROs and Risk Functions includes guidance and improvement ideas for risk culture-related oversight activities.

Tags: Bryan Foss, Alex Walker, Bob Barclay, Hanif Barma
Prev / Next

Blog

Featured
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson
Sep 25, 2023
Chris Burt
The implications of the revised UK Corporate Governance Code
Sep 25, 2023
Chris Burt
Sep 25, 2023
Chris Burt
Sep 13, 2023
Andrew Cunningham
Financial regulators take aim at crypto-finance
Sep 13, 2023
Andrew Cunningham
Sep 13, 2023
Andrew Cunningham