Risk culture:

Building resilience and seizing opportunities

Approaches to risk management remain siloed and are more tick-box than ever before.

According to research by ACCA, Airmic and PRMIA, the perma-crisis environment has prompted more risk and financial professionals to take a greater interest in what risk culture means to their organisation. However, rapid transformations and ever-evolving regulatory changes are exacerbating misalignment across functions and roles.  

The resulting compliance-focused approach to risk management is not only a risk but also an obstacle to achieving objectives.

Risk culture has changed for the better since the pandemic

You might think the number of respondents saying that the pandemic has improved / changed their risk culture would be higher. Our research, informed by 2,000 responses from risk and financial practitioners globally, shows that there is indeed a will to improve – but the post-pandemic environment is very challenging.

We found a number of competing forces. While they did not indicate a direct link between employee wellbeing and risk culture, certain testimonies in our roundtable discussions implied that employee wellbeing resulted in better employee engagement. This shows some correlation with a better risk culture and management of people risk.

Internal audit members discussed how, once Covid-19 struck, their roles became less about adding up numbers and more about making judgements in difficult situations. The pandemic proved how modernising and more frequent monitoring were required at even the most profitable firms with mature risk frameworks.

We heard how organisations could structure governance better, particularly for the relationship between the first and second lines of defence, and how the past few years have proved the importance of collaborating while also maintaining independence for the second line in overseeing risk control and governance.

Survey respondents rank regulatory change and cybersecurity as top risk priorities

There is no doubt that responses about the top three risk priorities reflect the multitude of regulatory and compliance requirements around the globe as the workplace becomes ever more complex. They also indicate that staying on top of these changes requires a great deal of time and effort. Regulatory / compliance / legal is in the top three for all sectors except the not-for-profit / charity sector.

Regulatory risks loom large. Most respondents admit that while they accept extreme weather and natural catastrophes are causing costly disruption, they do not have the bandwidth to address the environmental and social implications.

Regulators are requiring banks to reimburse customers for phishing and other hacks, so companies are having to invest in due diligence for mitigating this added layer of an already material risk. Our survey finds that cyber risk is ingrained in anyone who wants to run a successful business, so there is less of a battle to get buy-in. However, building a strong risk culture that can serve as an early warning for dealing with such threats is far from easy.

How well does risk culture detect misconduct?

When asked whether they were confident that their organisation’s risk culture could do this, respondents revealed a mixed picture; the dominant response was only ‘quite confident detection will happen’. Overall, they seemed uncertain about whether risk culture enables detection of risky behaviours and misconduct.

The public sector scores highest for ‘not very confident that detection will happen’. The public sector also placed misconduct / fraud / reputational damage higher than other sectors as a risk priority.

The corporate sector stood out for ranking misconduct / fraud / reputational damage significantly lower than others.

How internal audit evolves with risk management remains a big question

Responses to questions about the effectiveness of internal auditors and planning processes indicate another blind spot – in internal auditing. Perhaps the difficulty arises because most intended controls for behaviour are policies and guidelines, and the test should be on how behaviours change in practice.

It’s also possible that reactive controls, such as penalties for misconduct, can be created, or tested and reported better. Other levers and predictors of behaviour – for example, bonuses – might also be risk-assessed for unintended consequences. This would preferably be done with the advice of the risk function.

Whether risks were typically reported as part of an organisation’s budgeting and forecasting processes varied: only two-thirds said that risks were included in the internal financial processes. Since all controls require resource, any adjustments to budgets should be firmly based on the necessity (or otherwise) of controls.

An understanding of how these controls will change the risk so that objectives can be met within the ethical values of the company is necessary when determining whether the budget allocation is sufficient. Risk gives a basis for prioritising spending, and meeting behavioural and cultural aims requires resource. So the question should be not ‘Can we achieve our objectives?’ but rather ‘Can we achieve our objectives in a way that corresponds with our ethical and cultural values?’

Risk conversations are happening in a vacuum at the top

Only around 60% of respondents agreed that risk was sufficiently discussed at all levels in their organisation. The consensus was that different functions speak in different languages when it comes to risk and governance, so there is a lot for us to do to help empower risk and financial professionals to get risk into the conversations.

Respondents in roles not explicitly in charge of risk said that interpreting volatile macro and political conditions and aligning them with risk strategy remained one of the biggest challenges.

Our conclusion is that risk culture should enable leaders to connect with the emerging reality of the business. This requires risk leaders who convene and engage. Otherwise, risk assessments and reports become more of an academic exercise than effective, forward-looking management.

ACCA The Adelphi 1/11 John Adam Street London WC2N 6AU
United Kingdom / +44 (0)20 7059 5000 / www.accaglobal.com