Risk Culture Lab

Setting risk appetite can be one of the most complicated steps in building a robust risk culture but is worthwhile if implemented correctly. A risk appetite that speaks powerfully to those it serves cultivates improved knowledge and positive attitudes, thus empowering individuals to effectively manage risk. This ensures that decisions at an individual level are aligned to the wishes of the organisation. The relationship between appetite and culture is mutually supportive. A risk appetite sets expectations for consistency of approach and therefore the foundations for risk culture. Conversely, a strong risk culture will increase the success of a risk appetite in practice because effective leadership, communications and governance systems incentivise application of risk frameworks. Risk culture is influenced not only by internal forces, but also by the industry (particularly those in heavily regulated sectors) and region in which it operates. #riskculturelab  #riskculture https://lnkd.in/dtc9ify9

Uncertainty is all about the unknown. The less an organization knows, the greater its uncertainty and the less able it is to manage resources effectively. Managing uncertainty, therefore, requires learning. Companies need to learn more, and more quickly, to manage uncertainty. Organizational learning is an organization’s capability to change its knowledge through experience. Organizations that learn from mistakes, tolerate failure, capture best practices, and support new ideas have an advantage over organizations that don’t: They learn to get better. Those that struggle to learn will struggle to navigate increasing uncertainties. Extensive past research demonstrates the benefits of general organizational learning. General organizational learning capabilities don’t necessarily depend on AI; organizations can have strong organizational learning capabilities without using the technology. Conversely, organizations can use AI to learn even if they don’t otherwise have strong organizational learning capabilities. Managers can learn from generative AI tools, use AI to deepen their understanding of performance, and iterate with AI to develop new insights and processes. These individual learning experiences create value from AI but may not constitute an organizational learning capability. Organizations that combine organizational learning with AI-specific learning — Augmented Learners — outperform organizations that employ either approach in isolation. As businesses adopt AI and embrace successively more powerful AI tools in various contexts, they have new opportunities to strengthen their learning capabilities — for both human workers and their machines. Using AI can improve organizational learning capabilities, and these learning improvements are tied to not only enhanced financial results but also the ability to manage strategy-related uncertainties. #riskculturelab #riskculture https://lnkd.in/gkpWt5cv

Humans are the weakest link in the security chain. Human beings do not typically translate knowledge directly into behavior. They have emotions, attitudes, and motivations, and we know that real behavioral change cannot happen unless we engage with them on these levels. We defended – and continue doing so – that, when treated as allies, employees become invaluable in creating cyberresilient organizations. More modern security awareness and training solutions (SA&T) strategies like experiential and conversational learning – driven by companies like ours – have been gaining traction in recent years. However, the reality is that most companies were not yet ready to transition from compliance to cyber resilience. As a result, the majority of the market continued to demand the most basic “tick-the-compliance-boxes” solutions. Meanwhile, the world around us has changed rapidly. Information overload has grown year after year, and attention spans seem to have hit an all-time low. Combined with escalating global political tensions and a staggering shortage of nearly four million unfilled cyber security positions, security teams are under immense pressure and struggle to find ways to effectively reduce all types of security risks, especially their human risk. The pressure to perform often results in significant stress levels, leading many professionals to admit to experiencing burnout – as this report later reveals. Truly reducing human risk human layer security needs to change, and we must look at people and their behaviors more holistically. That’s why we need to go beyond security awareness and training and move towards human risk management. #riskculturelab #riskculture https://lnkd.in/eG4eTD_B Human Risk Review 2024

Management of non-financial risk (NFR) requires different skills than those needed to manage traditional financial risks. Further, NFR requires a far more diverse set of skills since this category includes risks of very different types ranging from conduct and third–party risks to cyber and compliance risks. Based on the results of their Risk Identification process, institutions will need to identify and prioritize the different types of skills and experiences they will need to effectively manage the risks identified. Many institutions may find that they lack sufficient skills and will need to either hire new employees or upgrade the skills of their current workforce with respect to NFR. Each institution will also have to consider its culture — the habits and behaviors of its organization — and the tone set at the top by senior management to make sure that the importance of NFR and the responsibility of employees throughout the organization to identify and manage NFRs is clearly understood. The importance of NFR should be regularly and consistently communicated by top management, and all relevant employees should be familiar with NFR terminology and risk management processes. To be taken seriously, however, NFR management needs to have real world consequences. For a start, capabilities for managing NFR could be considered when establishing the operating budgets and available investments for a business unit. Beyond these business– wide impacts, managing NFR should be included among the job responsibilities of relevant employees as well as considered in performance objectives and compensation decisions. #riskculturelab #riskculture https://lnkd.in/d5McNiha

For a company undergoing transformation, cultivating employee “will” to change the way it operates is critical for success. Organizations that focus on generating this will, along with building critical skills, executing with rigor, and setting a holistic aspiration, are far more likely to outperform peers. Leaders can take three critical steps to get more employees involved and committed to the transformation. First, elevate a core segment of employees to take responsibility for designing and implementing change. Next, build on this strong foundation by empowering a broader group of influencers and managers to amplify transformation-related activities. Finally, make sure transformation sponsors play a critical role in energizing all employees about the change. This step-by-step approach offers valuable insights for leaders embarking on transformations and creates momentum for change programs that are already under way. #riskculturelab #riskculture https://lnkd.in/dq9EQmpT

Culture is a cornerstone of good risk governance. It shapes the values and behaviours that guide decision-making across an organisation. Leaders and boards play a vital role in modelling ethical conduct, fostering collaborative behaviours, and building a resilient and sustainable corporate culture. The Risk Committee should consider and periodically report to the board whether the organisation’s purpose, values and risk culture expectations as defined in the board risk policy are appropriately embedded at all levels and are reflected in observed behaviours and decisions. In seeking to meet this principle, the Committee should: ·     Challenge executive management to demonstrate that they have articulated, embedded and continue to monitor and actively promote a healthy culture consistent with the organisation’s purpose, values and risk culture expectations. ·     Through use of formal and informal means – including independent assurance – continuously monitor, regularly assess and advise the board whether the values and behaviours exhibited in the boardroom, by the executive management team and across the wider organisation, are consistent with the organisation’s purpose, values and risk culture expectations. ·     Constructively challenge whether the values and behaviours exhibited by executive management and the board provide those working for and with the organisation with appropriate support to ‘do the right thing’ in difficult or challenging circumstances. monitor the effectiveness of speak-up and whistle-blowing arrangements and advise where improvements should be made, as necessary. ·     In conjunction with the remuneration committee, consider and advise the board whether proposed executive remuneration plans, including long term incentive arrangements, are consistent with the organisation’s board risk policy and likely to encourage appropriate risk-taking and decision-making. ·     Monitor whether the board’s and executive management’s attitude towards the risk advisory, compliance and internal audit functions (where relevant), and the organisation’s receptiveness to internal and external audit recommendations, is indicative of a healthy culture. #riskculturelab #riskculture https://lnkd.in/eJW-vTsT

Risk Culture has a key role to play in ensuring that organisations can take appropriate risks, mitigate inappropriate risks, create great outcomes for their shareholders and positively contribute to society. Alignment between organisational purpose, strategy and behaviours is pivotal if we are to meaningfully improve risk culture. The learnings from the global financial crisis have led to substantial focus on improving risk culture and risk outcomes in financial services over the last decade. Yet despite the resources and efforts allocated, there are still challenges to progress. What is really needed to enable genuine risk culture transformation, why is it so hard and what new approaches are available? DeAnna Gladieux Burton #riskculturelab #riskculture https://lnkd.in/gsTcxcpX

A company’s culture and its risk appetite go hand in hand. However, operations need to know they can never create a situation where you are taking zero risk, you will have to take risks and do so in an informed manner. Risk managers must ensure that their company’s risk appetite is not only communicated to all staff but is also fully understood. Risk managers need to ensure that people across business also understand the risks they are able to take and also the risks for which there is no tolerance. #riskculturelab #riskculture https://lnkd.in/eE7CNBmb

When a corporate scandal occurs and stakeholders seek reasons and root causes, the trail often leads back to problems with the organization’s culture. Financial statement fraud is one extreme example of a consequence of a weak ethical culture, while a strong ethical culture can mitigate the risks of fraud — including fraud that is immaterial to the financial statements. Financial statement fraud is not the only risk, however. When there are fabricated reports, fraudulent accounts, or inaccurate claims related to revolutionary technology, the foundation for these and numerous other crises is often a culture that allows or encourages — inadvertently or not — illegal, unethical, or risky behavior. The consequences are significant if a culture that condones or even encourages such behavior — directly or indirectly — results in financial failures, but the costs of a weak culture can also accumulate over time with every risky decision or corner cut. Related scandals can mar the reputations that companies — boards of directors, management, internal auditors, and employees — work so hard to build. In the worst cases, organizations go out of business, shareholders lose their investments, and employees lose their jobs. Trust and confidence are hard earned but too easy to tarnish. A proactive approach to culture can deter various types of misconduct and promote behaviors that can enhance morale and productivity. #riskculturelab #riskculture https://lnkd.in/dM_3nyEy

Macro and micro-cultures are everywhere. It’s in our nations, our office space, our work departments, our neighbourhoods, family systems and friendship groups. Cultures create rules that shape our daily lives. Yet, when it comes to evaluation, analysis of the culture is often neglected. Dominant narratives and assumptions can be so large that, like the fish in the sea, we are not aware of them.  #riskculturelab #riskculture https://lnkd.in/dwnRat4a