Are you really in control of your Culture and Conduct risks?
The list of key risks that should be keeping us awake at night seems to be forever changing. Whatever your list, Culture and Conduct Risk should be a permanent fixture in your “Top 10”. Firstly, the risk is enduring — as long as we have people, we have the risk. Secondly, it is a major driver of many other risks and of overall performance. I would go as far as to say it is the foundation on which everything else is built and many years ago, I was spiritually advised to build on rock, not on sand!
Are you adequately measuring, monitoring, managing, and controlling your culture and conduct foundation?
Risk Management is forever evolving. It has come a long way in the past 20 years but has a long way to go. This is particularly true for some of the more difficult to manage risks including Culture Risk and Conduct Risk. This article is aimed at helping that ongoing development.
This article focuses on:
- What is Culture and Conduct Risk?
- Why is Culture and Conduct Risk tricky to manage?
- What needs to be done?
1. What is Culture and Conduct Risk?
ISO 31000:2018 defines Risk as “the effect of uncertainty on objectives”. It follows that Culture and Conduct Risk is “the effect of uncertainty, created by culture and conduct, on objectives”.
In describing the difference between Culture and Conduct, we typically consider Culture to be “What goes on around here when no one is looking” and conduct to be “What goes on around here, which affects our customers, when no one is looking!”. Culture is internally focused and Conduct, externally focused. The two are obviously connected. Poor culture usually drives poor conduct.
Using my family as an analogy, “Culture” is how my children behave at home and “Conduct” is how they behave at their grandparents’!
2. Why is Culture and Conduct Risk tricky to manage?
We all accept that Conduct and Culture Risk is very real. History is scattered with the damage! Conduct and culture risk management is therefore critical yet difficult. Why?
The risk is human-based and human-driven. It is therefore unpredictable, often invisible until it’s too late, and difficult to control given free will.
Society, regulators, customers, and stakeholders generally are becoming much more aware and conscious of behaviour. A social licence to operate is becoming increasingly critical to earn and maintain.
Culture and Conduct are difficult to measure and “you can’t manage what you can’t measure” (Peter Drucker). The historical lack of data has traditionally led to the monitoring and measurement of culture and conduct, and of their related risks, being subjective and open to opinion.
Risk itself is the effect of uncertainty, arising from Culture and Conduct, on objectives. Uncertainty about something that is itself difficult to manage exacerbates the problem.
The levers to manage and influence Culture and Conduct are not always obvious and the connection between the levers and the risk is often unpredictable and dependent on the individual.
3. What needs to be done?
We need to rise to the occasion and develop the capability to manage Culture and Conduct risk. At the Protecht Group, this is how we approach the challenge:
- Analyse and understand your Culture and Conduct Risk
- Setting the desired Culture and Conduct
- Measure and Monitor Culture and Conduct Risk
- Report on your Culture and Conduct Risk
- Determine and apply Risk Appetite for Culture and Conduct Risk
- Control, manage and influence Culture and Conduct
- Integrate your Culture and Conduct Risk Management into your overall ERM framework
Why is conduct risk management and training important?
Education helps you achieve clarity and consistency across your organisation as to what Culture and Conduct Risk is. This needs to address clarity over the meaning and scope of:
- Risk Culture
- Culture Risk
- Conduct Risk
- Risk Culture Risk
2. Analyse and understand your Culture and Conduct Risk
Analyse, understand and document your Culture and Conduct (Misconduct) Risks. At the Protecht Group, we use the Risk Bow Tie method to analyse and communicate risk.
3. Setting the desired Culture and Conduct
Determine, articulate and communicate your desired Culture and Conduct. This should align with your strategy and objectives and be articulated across your values and commitments, code of conduct, policies, incentive schemes etc.
4. Measure and Monitor Culture and Conduct Risk
Be able to measure your actual culture and conduct on an ongoing and consistent basis. This is where a strong suite of metrics and a good risk system are critical.
5. Report on your Culture and Conduct Risk
This is where the metrics must be turned into meaningful intelligence that is reported as part of your risk reporting using Culture and Conduct Risk Dashboards.
6. Control, manage and influence Culture and Conduct
Understand how culture and conduct can be controlled, managed, and influenced. This requires a strong understanding of the drivers of culture and conduct risk. The Risk Bow Tie Analysis (refer to Fig. 1) is critical for this understanding.
7. Understand how culture and conduct can be controlled, managed, and influenced
This requires a strong understanding of the drivers of culture and conduct risk. Again, the Risk Bow Tie helps this understanding.
8. Integrate your Culture and Conduct Risk Management into your overall ERM framework
Build your Culture and Conduct Risk Management as an integral part of your Enterprise Risk Management Process rather than as a standalone, siloed capability.