Fostering a risk intelligent culture – why behaviour matters
Presenter: Dailene Kells
RIMS Canada Conference 2014
September 16, 2014
© Deloitte LLP and affiliated entities.
“…. clearly we have the benefit of
some kind of good risk management
culture... I guess I would say it's sort of
the way we just do things, but I think
it's critically important in how we get to
our outcomes.”
Erin Callan, CFO Lehman Brothers, February 2008
Fostering a risk intelligent culture - RIMS Canada Conf 2014
Current events
• Financial Stability Board
– Issues consultative document on Nov. 18, 2013
– Guidance on Supervisory Interaction with Financial Institutions on Risk Culture
– Explores ways to formally assess risk culture at financial institutions
Discussion items
• Why risk culture?
• Understanding risk culture
• Improving risk culture
Why risk culture?
“Getting risk culture right is
fundamental to controlling risk
effectively within the organization.
It is, above all, about actual
behavior – what you do, not just
what you say.”
Governance For Strengthened Risk Management, IIF October 2012
“Culture eats strategy for
breakfast.”
Mark Fields, former President of Ford Motor Company (attributed to Peter Drucker)
Risk culture has a significant impact on the implementation of risk strategy
1. Organizations traditionally focused on the more tangible aspects of risk management
2. The risk culture of an organization has a significant impact on how effective an organisation is at managing risk
3. Managing risk culture should be an integral part of risk management strategy
Risk culture can dominate the risk-related behaviours of employees
Understanding risk culture
The role of risk culture
Even the best designed controls are subject to the failings of people’s experience, attitude, mindset and values.
30%: the “hardware”
• Governance
• Frameworks
• Infrastructure
• Policies / controls
• Systems
Traditional risk management approaches only focus on formal risk mechanisms and governance, i.e., the “hardware”.
70%: the “software”
• Instincts
• Behaviours
• Unconscious bias
• Diversity of thought
• Cultural symbols
The majority of significant risk failings have been the result of the broader organizational climate and controls context, i.e., the “software”.
Risk culture and business performance
[Figure: business performance plotted against risk culture performance, with three zones]
• Detrimental risk culture: Poor risk culture causes frequent high impact incidents
• ‘Developing’ risk culture: Gaps in risk culture result in lost opportunities and more errors than desirable
• Desirable risk culture: In most cases, continuous improvement opportunities exist to drive a more strategic value-adding approach to risk
Example risk-related behaviours
Desirable behaviours
• Open and honest dialogue regarding risks
• Following risk management policies and processes
• Admitting to making mistakes
• Proactive sharing of best practices
• Consulting with others when in doubt
• Taking personal accountability for managing risks
• Involving risk professionals in risk decisions
• Constructive response to challenge
Detrimental behaviours
• Reluctance to learn from past mistakes
• Shooting the messenger
• Inadequate challenge of excessive risk taking
• Reticence to escalate risks appropriately
• Following the herd
• Rewarding excessive risk taking
• Yielding to inappropriate pressure from others
• Cutting corners
Influencers shown in the diagram: Risk competence, Motivation, Relationships, Organization
Attributes of a desirable risk culture
Everyone understands the organization's approach to risk, takes personal responsibility to manage risk in everything that they do, and encourages others to follow their example.
• Commonality of purpose, values and ethics
• Universal adoption and application
• Learning organization
• Timely, transparent and honest communications
• Understanding of the value of effective risk management
• Responsibility – individual and collective
• Expectation of challenge
Benefits of a desirable risk culture
• More effective management of risk
• Improved risk-based decision-making throughout the organization
• Increased confidence of external stakeholders
• Enhanced credit ratings
• Compliance with regulatory requirements
“You can pass new laws, you can
toughen up regulations and we've
got to do that, but what you can't do
is to pass laws to change people's
culture and to get them to behave
in a more responsible way...”
Alistair Darling MP, former UK Chancellor of the Exchequer
Understanding risk culture
What is risk culture?
A system of values and behaviours present throughout an
organization that shape day-to-day risk decisions.
Three elements of organizational culture
• Management systems: Organizational processes and infrastructure. How people are required to complete their work.
• Behavioural norms: Accepted patterns of behaviour visible across the organization. How people interact with management systems and each other.
• Organizational symbols: Inherent interpretations of symbolic messages. What behaviours are (or are perceived to be) rewarded or sanctioned.
These elements represent the manifestation of organizational culture.
Deloitte Risk Culture Framework
Sixteen risk culture indicators
Risk culture influencers:
• Organization: How the organizational environment is structured and what is valued
• Relationships: How people in the organization interact with others
• Motivation: The reason why people manage risk the way they do
• Risk competence: The collective risk management competence of the organization
Measuring and managing risk culture
Risk culture is understood by measuring specific influencers and indicators
To fully understand an organization’s current risk culture and to track progress of cultural change, a focused assessment is required. Deloitte has developed a comprehensive approach to assessing risk culture based on our Risk Culture Framework. The framework consists of sixteen risk culture indicators aligned to the four risk influencers. Once an organization’s risk culture is understood, then the Risk Culture Framework can be used to begin to help to manage it too.
Risk Culture Framework: the four influencers of risk culture
• Organization: How the organizational environment is structured and what is valued
• Relationships: How people in the organization interact with others
• Motivation: The reasons why people manage risk the way that they do
• Risk Competence: The collective risk management competence of the organization
Example survey questions:
• The pressure on me to meet performance targets is balanced with the need to comply with risk policies, processes and procedures
• People in this organization are penalised if they take unacceptable risks, even if their actions subsequently generate good returns
Example survey questions:
• When it comes to risk management, this organization practices what it preaches
• People in this organization know how to escalate risks
• People in this organization share similar ethical values
Example survey questions:
• People in this organization are expected to do what they are told, no matter what
• Risk management concerns are discussed openly and honestly in this organization
• The leaders of this organization role model the right risk behaviours
Example survey questions:
• In this organization we assess and learn from risk events and mistakes when they occur
• I understand the key risks associated with my role
• Our people are made aware of their risk-related responsibilities from the day they are hired
Measuring and managing risk culture
Methodology to assess organization’s risk culture
The time required to assess an organization’s risk culture depends on the scope of the exercise, the demographics of the survey participants and the complexity of the logistics associated with it. It is also recommended that a number of qualitative interviews and/or workshops are conducted to supplement the quantitative results generated from the Risk Culture Survey. There are three different options for delivery, depending on the depth of the assessment required. The exercise should then be repeated on an annual basis to monitor progress and re-align initiatives as appropriate.
Risk Culture Assessment Methodology (BEGIN/REPEAT/EMBED)
1. Configure and distribute survey
2. Gather survey feedback
3. Conduct interviews and/or workshops
4. Analyze and interpret results
5. Feedback insights & determine desired risk culture
6. Plan actions and produce annual Risk Culture Report
Initiate culture change programmes
Assessment Methodology Delivery Options
Delivery option | Survey | Assessment | Study
Typical Duration | 1-2 months | 2-3 months | 3-4 months
Risk Culture Survey (64 questions) | Yes | Yes | Yes
Exploratory Interviews | A few with leaders | With leaders and managers | With leaders, managers and staff
Investigative Workshops | No | With leaders and managers | With leaders, managers and staff
Risk Culture Report | Yes | Yes | Yes
Current Risk Culture Score | Yes | Yes | Yes
Organization-Specific Risk Culture Indicators | Identified | Assessed | Analysed
Desired Risk Culture Definition | Limited | High-Level | Detailed
Action Planning | Basic | Detailed | Extensive
Measuring and managing risk culture
Assessment helps organizations determine what activities to prioritize
The Risk Culture Survey helps financial institutions to assess how the key risk culture indicators are influencing how risk is being managed in their organization. The survey is a standard set of sixty-four risk culture-focused questions, derived from the sixteen risk culture indicators of the Risk Culture Framework.
1. Managers at xxx support the actions and decisions of their people.
The way it is: NO 1 2 3 4 5 6 7 8 9 10
The way it should be: NO 1 2 3 4 5 6 7 8 9 10
2. People at xxx will put in extra effort to ensure the job gets done properly.
The way it is: NO 1 2 3 4 5 6 7 8 9 10
The way it should be: NO 1 2 3 4 5 6 7 8 9 10
3. People take the initiative when it comes to developing new things/ideas.
The way it is: NO 1 2 3 4 5 6 7 8 9 10
The way it should be: NO 1 2 3 4 5 6 7 8 9
Gathering data and information
Key features of the Risk Culture Survey:
• 64 questions written in plain English and designed so that they can be answered by people at all levels within a financial institution
• It can be delivered to large numbers of employees (either electronically, via paper or both) – the use of Deloitte’s survey technology – DeloitteDEX – is optional
• Feedback can be gathered anonymously to encourage honesty
• A 5 point response scale is used ranging from ‘strongly agree’ through to ‘strongly disagree’
• Demographic information is also captured allowing multi-faceted analysis e.g. role/geography/business unit.
Generating survey outputs
The survey enables data analysis that identifies risk culture strengths and weaknesses. The data can also be mined allowing further investigation of any areas of key concern.
[Figure: sample survey output showing scores for each influencer and its indicators]
• Risk Competence (COMP Score 4.4): Knowledge; Skills; Learning; Recruitment & Induction
• Organization (ORG Score 4.9): Values & Ethics; Policies, Process & Procedures; Risk Governance; Strategy & Goals (the diagram also carries the labels Controls, Structures and Values)
• Motivation (MOT Score 3.5): Risk orientation; Performance Management; Incentives; Accountability
• Relationships (REL RCS 3.9): Communication; Challenge; Management; Leadership
• Risk Culture Score: 4.2
Prioritizing and action planning
The results from the survey regarding the sixteen risk culture indicators can be plotted by considering their relative influence on risk culture. Priorities for action planning can then be identified.
[Figure: the sixteen risk culture indicators plotted by Risk Culture Survey score against each indicator’s relative influence on risk culture. Axis end labels: Lowest, Highest, Negative, Positive. Zones: Desirable Risk Culture Zone, Strong Risk Culture Zone, Weak Risk Culture Zone. Indicators requiring priority attention are marked.]
[Figure: Leaders/Employees Perception Gap, comparing leadership scores with employee scores across Motivation, Relationships, Organization and Risk Competence, and within Risk Competence.]
Deloitte Risk Culture Survey
This survey measures a number of statements that describe the risk culture of your organisation. Each group of statements represents an important part of the culture. Please read each statement and indicate the extent to which the behaviour described reflects the norm in your organisation. Your responses should reflect what you are generally able to observe in your organisation. This is not a test; there are no right or wrong answers.
Instructions: Please read the statements below and indicate the extent of your agreement with the statements, using the rating scale provided.
Rating scale labels: Strongly Disagree; Neither Agree nor Disagree; Strongly Agree
1 I understand how the risks associated with my role impact this organisation
2 I understand the major risks associated with my role
3 The people I work with understand how to manage risk effectively
4 I have easy access to information to help me manage the risks I am responsible for
5 I have the right skills to effectively manage risk in my role
6 We have the right level of skills within our business function to manage risk effectively
7 We are expected to keep our risk management skills current
[Diagram: Risk Culture Framework indicators grouped by influencer]
• Risk Competence: Knowledge; Skills; Learning; Recruitment & Induction
• Relationships: Communication; Challenge; Management; Leadership
• Motivation: Risk orientation; Performance Mgt; Incentives; Accountability
• Organization: Values & Ethics; Policies, Processes & Procedures; Risk Governance; Strategy & Objectives (the diagram also carries the labels Controls, Structures and Values)
Measuring and managing risk culture
How organizations should respond to the assessment at the macro-level
Findings of the assessment will typically fall into one of three categories: isolated, thematic, or systemic. Isolated and thematic outcomes are usually the simplest to deal with. If the risk culture results indicate systemic issues then a wide ranging culture change programme will be required.
Isolated
Survey results may indicate very specific issues that require action.
Potential activities to address this incentives issue:
• Review incentive framework in relation to risk appetite
• Benchmark incentive programmes against other similar financial institutions
• Design the incentive framework to reinforce the desired risk culture
Thematic
Survey results may indicate issues with a single organizational influencer of the risk culture framework that require addressing.
Potential activities to address this risk competence issue:
• Conduct training needs analysis, including an assessment of current risk management knowledge and skills
• Develop a risk management training strategy
• Design and deliver training and development programmes to enhance risk capabilities
Systemic
Survey results may indicate there has been a general weakening of the organization’s risk culture; this would need to be addressed systemically.
Potential activities to address this result:
• Revision of recruitment and induction approaches and coaching methods
• Realignment of organizational values to reflect the risk strategy
• Work with senior leadership and management to build a culture of healthy challenge and effective role modelling
• Review of incentive and rewards structures
Measuring and managing risk culture
Desired organizational response at the ‘indicator’ level
Influencer: Risk Competence
Knowledge
• Definition: The awareness and understanding that people have about risk management
• Goal and interventions: The goal is to improve people’s knowledge. Interventions will focus on ensuring that there are frequent communications and awareness programmes delivered through the most appropriate channels for the different audiences. Assessments of awareness and understanding should also occur.
Skills
• Definition: The ability that people have to manage risk effectively
• Goal and interventions: The goal is to improve people’s skills. Interventions will focus on structured training and education programmes. Assessments of skills should also occur.
Learning
• Definition: The act, process or experience of gaining new risk management knowledge or skills
• Goal and interventions: The goal is to achieve a continuous learning culture. Interventions will focus on the promotion of on-the-job learning and coaching, and the formalisation and embedding of techniques such as lessons-learned reviews.
Recruitment & Induction
• Definition: The identification of new people to join the organization, and their assimilation into it
• Goal and interventions: The goal is to ensure that people who are brought into the organization have the necessary risk management knowledge and skills and the appropriate attitude to risk. Interventions will focus on ensuring that these personal capabilities and attributes are factored into the whole process – from interview to induction.
Measuring and managing risk culture
Desired organizational response at the ‘indicator’ level
Influencer: Motivation
Performance Management
• Definition: The system used to measure people’s contributions to the organization’s risk-related goals
• Goal and interventions: The goal is to align the performance management system with the risk-related objectives of the organization. Interventions will focus on ensuring that appropriate risk management objectives are included in the system e.g. in balanced scorecards.
Incentives
• Definition: Items that encourage appropriate risk management actions or efforts, such as fear of punishment or expectation of reward
• Goal and interventions: The goal is to encourage appropriate risk management actions or efforts. Interventions will focus on identifying and then adjusting those incentives in the organization that have the most significant effect on risk-related behaviours e.g. penalties for non-compliance.
Reward & Recognition
• Definition: Benefits and recognition that are given in recompense for exhibiting the desired risk management behaviours
• Goal and interventions: The goal is to ensure that the personal reward system is aligned with the risk management objectives of the organization. Interventions will focus on identifying and then adjusting those reward and recognition systems in the organization that have the most significant effect on risk-related behaviours e.g. compensation.
Accountability
• Definition: The willingness of people to accept responsibility for managing risk, and for their own risk management actions
• Goal and interventions: The goal is to encourage people to take more personal responsibility for managing risk. Interventions will focus on clarifying risk-related roles and responsibilities, and ensuring that people understand and accept that everyone in the organization has some level of risk management responsibility.
Measuring and managing risk culture
Desired organizational response at the ‘indicator’ level
Influencer: Organization
Strategy & Objectives
• Definition: How the organization’s strategic plans, including risk appetite and tolerance, are perceived by the people in the organization
• Goal and interventions: The goal is to ensure that people understand and believe that the organization’s risk strategy is aligned with its business strategy. Interventions will focus on ensuring that the risk strategy is being properly interpreted by people in the organization, and that risk strategy is being correctly translated into functional and personal objectives.
Values & Ethics
• Definition: The individual and organizational beliefs and rules that influence risk management behaviours
• Goal and interventions: The goal is to ensure that the organization’s belief systems support the risk strategy. Interventions will focus on understanding both the personal values of people, and the ethical standards of the organization, and then aligning them with the risk strategy.
Policies, Processes & Procedures
• Definition: How the formal risk management rules and controls are perceived by the people in the organization
• Goal and interventions: The goal is to ensure that people willingly adhere to the risk management policies, processes and procedures. Interventions will focus on educating people about the importance of formal risk management rules and controls, and also understanding the reasons why people may be choosing to ignore or to circumvent them.
Risk Governance
• Definition: How the formal risk management structures are perceived by the people in the organization
• Goal and interventions: The goal is to ensure that the organization’s risk management structures are fully understood and properly leveraged by everyone. Interventions will focus on educating people about the structures and also promoting the value-adding aspects.
Measuring and managing risk culture
Desired organizational response at the ‘indicator’ level
Influencer: Relationships
Challenge
• Definition: The willingness of people to challenge others, and the responses of those that are being challenged
• Goal and interventions: The goal is to create an environment in which challenge is expected. Interventions will focus on educating people how best to challenge others, and also helping leaders and managers to role model the desired behaviours when they themselves are challenged.
Management
• Definition: The risk management behaviours exhibited by the managers in the organization
• Goal and interventions: The goal is to have managers role modelling and encouraging the desired risk management behaviours. Interventions will focus on education of the managers regarding how to conduct themselves in relation to risk-related situations.
Leadership
• Definition: The risk management behaviours exhibited by the leaders of the organization
• Goal and interventions: The goal is to have leaders role modelling and encouraging the desired risk management behaviours. Interventions will focus on education of the leaders regarding how to conduct themselves in relation to risk-related situations.
Communication
• Definition: The top-down risk-related communications, and also the risk-related dialogues that take place between people across all levels
• Goal and interventions: The goal is to have frequent, open and honest communications occurring throughout the organization. Interventions will focus on ensuring that there are adequate communication channels and forums available that are suitable for the discussion of risk management, and that they are being used appropriately.
Assessment techniques
Traditional techniques (surveys, interviews) focus on what people do and fail to uncover the reasons why people behave the way they do.
• Subjective: Assessments reliant on a few simple techniques lack objectivity.
• Retrospective focus: Surveys and interviews on their own fail to shed light on the mindsets that shape and influence future risk decisions and behaviours.
• Cognitive bias: People will instinctively respond to questions that probe ethics or risk-related behaviours in a way that avoids challenging an individual’s moral standing.
• Lack of ‘actionability’: ‘Actionability’ is reliant on presenting evidence, supported by multiple data sources.
Risk culture assessment techniques
Element | Method | Technique | Focus
Management systems | Audit | Programmed audit | Risk policies, procedures, systems
Behavioural norms | Correlate | Behavioural assessment | Establish risk behavioural ‘norms’
Organizational norms | Validate | Structured data analysis & surveys | Incentives, rewards, etc.
Analytics | Predict | Regression | Proactive intervention
Outcome: Inconclusive; Informed; Evidenced; Deep; Objective; Actionable
Improving risk culture
1 - Improve management systems
Commit to plans which drive continuous cultural improvement through awareness, change and refinement of policies, frameworks, methodologies and systems.
Enablers
• Leadership commitment: Secure the buy-in and commitment of the leadership team, including executives and the board
• Communications: Communicate program goals to all stakeholders, and proactively seek out feedback
• Measurement and reporting: Establish an objective measurement of the organization’s Risk culture and report on it regularly
• Program management: Manage as a program of change, including coordinating with other relevant change initiatives
2 - Communicate behavioural norms
• Set right tone-at-the-top
• Broad and consistent communication
• Coach employees to be risk managers
• Clarify expectations and requirements
• Support identification and escalation of issues
• Link performance and risk management
3 - Use metrics for organizational symbols
• Cultural metrics: Can provide direct measurement of Risk Culture by measuring people’s attitudes, beliefs and behaviours
• Leading cultural indicators: Make use of metrics that organizations typically already track, and that indicate where and why cultural weaknesses can be more likely to occur
• Lagging cultural indicators: Make use of metrics that organizations typically already track, and that indicate where cultural weaknesses may have already resulted in undesirable behaviors and outcomes
“Effective development of a ‘risk
culture’ throughout the firm is
perhaps the most fundamental tool
for effective risk management.”
Institute of International Finance
For more information
If you would like more information on risk culture or how Deloitte can help your
organization, please contact me at:
Dailene Kells
Partner, Enterprise Risk
306-343-4464