A good risk culture is about accountability and ownership
During the Audit, Risk, and Governance Africa conference early this month in Accra, Ghana, Andrew Smuts, head of internal audit and enabling functions at Standard Bank Group, discussed the central points in setting the risk culture at the organization, including tone at the top, risk appetite, and how the risk plan is communicated to the organization.
One of the points Smuts emphasized is that risk culture is part of the larger culture conversation. "Risk culture is a subject of the larger culture. It doesn't exist in isolation," said Smuts.
Hallmarks of a Good Risk Culture
Smuts provided some indicators of a good risk culture:
• Leadership commitment to the risk agenda is tangible--it is seen and felt by staff.
• Senior management actively involved in the development of risk management capabilities.
• Middle management and junior level staff can have a major impact through informal influence.
• Effective balance between the need to hold individuals to account for culpable failure and the recognition that mistakes happen--and that, in order to learn from those mistakes, they must be freely reported.
• Praise is important but being clear about the personal consequences of poor behaviour should accompany incentives for good behaviour.
• Transparent and timely risk information flowing up and down the organization without fear of blame.
According to Smuts, internal auditors have an obligation to uphold the risk culture, even if it means creating conflict. He says conflict isn't always a bad thing. And, he says, auditing culture doesn't have to mean moving into a strange and distant land. "It's not about reinventing a new way of auditing. A lot of what we already do will lead us most of the way down the path," says Smuts. "It's just the last few steps about understanding behavior and what drives it," said Smuts.
How organizations communicate expectations for risk taking is a central part of the risk culture plan, says Smuts. "It starts with the leadership message," he says. "Who are you as an organization and what are you trying to achieve?" he asks. When done right, a healthy risk culture becomes part of the fabric of the organization. Says Smuts: "It's what people do when no one is looking."