Cultivating a Risk

Intelligent Culture
A fresh perspective

October 2012


Why culture?
In managing risk effectively it
is important to understand what
drives behaviours towards risk

As the Global Financial Crisis

unfolded, it became evident that
cultural misalignment played a
large role in organisational failures.
An organisation’s culture determines
how it manages risk when under stress.
For some organisations, their risk
culture is a liability, while for others
it facilitates both stability and a
competitive advantage.

2
Process follows culture

Organisations wishing to better manage risk should

consider establishing a Risk Intelligent Culture
There is no ‘one-size-fits-all’ solution to risk
management. How a business manages its risk should
be aligned with and should support its strategy, “A robust and pervasive risk culture
business model, business practices, risk appetite and throughout the firm is essential.
risk tolerance. This is especially true in the financial
services industry, where significant risk-based
This risk culture should be embedded
decisions are being made by businesses every day. in the way the firm operates and
should cover all areas and activities,
Essentially, a Risk Intelligent Culture exists within an
organisation when its employees’ understanding,
with particular care not to limit risk
and their attitudes toward risk, lead them to management to specific business
consistently make appropriate risk-based decisions. areas or to have it operate only as
Consequently, risk culture drives the behaviours
an audit or control function.”
that influence day-to-day business practices, and is
a significant indicator of whether the organisation
embodies the characteristics of a Risk Intelligent
Enterprise™.

Cultivating a Risk Intelligent Culture A fresh perspective 3

Understanding risk culture

Risk culture encompasses the general awareness, attitudes,

and behaviours of employees towards risk and how risk
is managed. Risk culture is a key indicator of how widely
risk management policies and practices have been adopted
Having a Risk Intelligent Culture means that everyone The first step is to understand the existing risk
understands the organisation’s approach to risk, culture and measure how well it supports the
takes personal responsibility to manage risk in organisation’s risk strategy and risk management
everything that they do, and encourages others to approach. Deloitte’s Risk Culture Framework and
follow their example. Codes, management systems, corresponding Risk Culture Survey provide a structure
and behavioural norms should be aligned to encourage and process to help clients in their efforts to achieve
people to make the right risk-related decisions, this measurement.
and exhibit appropriate risk management behaviours.

Key characteristics of a Risk Intelligent Culture

Commonality of purpose, People’s individual interests, values, and ethics are aligned with those of the
values and ethics: organisation’s risk strategy, appetite, tolerance, and approach.
Universal adoption Risk is considered in all activities, from strategic planning to day-to-day
and application: operations, in every part of the organisation.
The collective ability of the organisation to manage risk more effectively
A learning organisation:
is continuously improving.
Timely, transparent and People are comfortable talking openly and honestly about risk using a
honest communications: common risk vocabulary that promotes shared understanding.
Understanding the value of People understand, and enthusiastically articulate, the value that
effective risk management: effective risk management brings to the organisation.
Responsibility – individual People take personal responsibility for the management of risk and
and collective: proactively seek to involve others when that is the better approach.
People are comfortable challenging others, including authority figures
Expectation of challenge:
without fear of retribution. Those who are challenged respond positively.

4
Measuring risk culture

A focussed assessment is needed to fully

understand an organisation’s current risk
culture and to track progress of cultural change
Deloitte’s Risk Culture Framework A Risk Culture Survey allows us to measure an
Deloitte has developed a broad approach to help organisation’s risk culture against each indicator
clients assess and measure risk culture based on our and then analyse and gain a thorough understanding
Risk Culture Framework. The framework consists of of the current maturity level of the risk culture.
sixteen Risk Culture Indicators aligned to the four Risk Once we have done so, we can then use the Risk
Culture Influencers. Culture Framework to identify and recommend
specific target areas in order to help strengthen
the risk culture throughout the organisation.

ce Or
ten ga
n
e
tives

cs
Know
p

thi

isa
om

Strategy

de
& objec

tio
kc

ledge

an

n
Ris

ses
es
Sk

ces s
lu

o
ills

Va

p r re
Le es, cedu
arn lici
ing Po d pro
an
Recr
and uitment ernance
indu
ction Risk gov
Risk
Culture
ance Challe
Perform nge
g e m ent
mana
M
n an
ta tio ag
or ien em
isk en
Lea
es

R t
tiv

de
Comm
tabilit
en

rsh

ip s
Inc
Mo

ip

sh
un

unica
ti v

on

tio ti
Acco
a

n la
Re
tion

Risk Culture Influences

Risk competence Motivation Relationships Organisation

The collective risk The reasons why How people in the How the organisational
management people manage risk organisation interact environment is structured
competence the way that they do. with others. and what is valued.
of the organisation.

Cultivating a Risk Intelligent Culture A fresh perspective 5

 Strengthening risk culture

Strengthening an organisation’s risk culture requires

both a focussed effort and the direction of leadership
The initial focus should be on building cultural It is important to recognise that this road map
awareness, predominantly through communications focuses on the cultural aspects of risk management.
and education. Cultural improvement will be likely To achieve a strong, effective and intelligent
to require meaningful changes to established ways risk culture, all the components of a formal risk
of operating. Once the desired risk culture has been management structure should be implemented
established, the organisation should continually refine and adopted by the organisation.
it to reflect ongoing changes in business strategy.

Risk culture influencers Road map for continuous cultural improvement

Cultural awareness: Cultural change: Cultural refinement:

Risk competence

Build risk competence: • Deliver • Create a culture of • Integrate risk

• Risk function communications constructive challenge management
• Existing employees from leadership • Embed risk lessons-learned into
• New employees using a common performance metrics communications,
• Future employees. risk management into motivational education and training
vocabulary systems • Hold people
• Clarify risk • Establish risk accountable for
management management their actions
responsibilities and considerations in talent • Refine risk performance
Align motivational systems:
accountabilities management processes metrics to reflect
• Incentive systems
Motivation

• Roll out risk • Position individuals changes in business

• Reward systems
management general with the desired risk strategy, risk appetite
• Performance systems
education and orientation in roles and tolerance
• Individual and team
customised training where effective risk • Reposition individuals
accountabilities.
based on role management is critical to reflect changes to
• Establish risk • Reinforce behavioural, business strategy
management ethical and compliance and priorities.
induction programs standards.
Strengthen relationships:
Relationships

• Refine recruitment
• Leaders to manage methods to include
• Leaders/managers to employees risk management
• Peer to peer capabilities.
• Risk function to business.

Enablers
Promote organisational risk Leadership commitment: Secure the buy-in and commitment of the leadership team
management infrastructures: including executives and the board
Organisations

• Governance and Communications: Communicate program goals to all stakeholders, and proactively seek
reporting protocols out feedback
• Procedural protocols Measurement and reporting: Establish an objective measurement of the organisation’s
• Behavioural and ethical risk culture and report on it regularly
expectations Program management: Manage as a program of change, including coordinating with other
• Compliance expectations. relevant change initiatives

6
 Reporting risk culture

Risk culture metrics should be included in regular risk reporting to

the board and management. These quantitative cultural metrics should
also be linked to other traditional risk management metrics that
comprise both leading and lagging organisational cultural indicators
Sample Risk Culture Report

XYZ Corporation – Risk Management Metrics

XYZ Corporation – Risk Culture Metrics Compliance with mandatory

training requirements (0–100)‡
Weculture
Organisational risk are continuing
(0–100)† to experience the gradual
Divisions strengthening
(0–100)† of our risk culture across the
100
organisation as a whole. This follows the significant decline that we experienced in 2009 resulting
66 70 Insurance
from
64.3 the insurance business acquisition in Europe that completed in late 2008. Related 95
64 Acquisition of the Corporate bank to this,
we remain significantly
62.6 European Insurance
below 60
leadership’s cultural expectations in our European
Retail Insurance
bank business.
62 Business 90
60.7
60.6 We still have a number of leadership
60 50 and management integration related challenges remaining
85
59.2
58 (notably in France, Spain and Italy).40Addressing these is one of our top priorities. In terms of
55.2 56.1
56 80
54
cultural leading 56.4 practices, Asia Pacific continues to serve as a model and we are in the process 2008 2009 2010 2011
30
2008 of2009
codifying2010 a selection of risk management
2011
2008 practices
2009 from our Australian
2010 2011 business and will pilot Divisional managers with risk
them in other geographies in late 2012. weighted performance metrics
(0–100)‡ Compliance with mandatory
Cultural influencers (0–25)† Regions(0–100)† 80 training requirements (0–100)‡
Organisational risk culture (0–100)† Divisions (0–100)†
25 70 LATAM 100
60
70 APAC
20 66 EMEA Insurance 95
64.3 60 40
15 64 Acquisition of the Corporate bank
62.6 European Insurance 60 Retail bank
62 50 90
10 Business 60.7 20
60.6
5 60 40 50
85
58 59.2 0
0 56.1 2008 2009 2010 2011
2008 2009
56 2010 55.2
2011 30 40 80
56.4 2008 2009 2010 2011 Limit breaches* 2008 2009 2010 2011
54
2008 2009 2010 2011 30 30
Strongest risk culures 2008 risk culures
Weakest 2009 2010 2011 Divisional managers with risk
Risk competence Motivation Relationships Organisation • Country 1 (79%) • Country 4 (42%) 25
The collective risk The reasons why How people in the How the organisational • Country 2 (72%) • Country 5 (41%)
weighted performance metrics
management people manage risk organisation interact environment is structured • Country 3 (71%) • Country 6 (40%) 20 (0–100)‡
competence the way that they do. with others. †and what is valued.
of the organisation. Cultural influencers (0–25) Regions(0–100)† 15 80
LATAM 10
25 70 60
APAC 5
20 60 EMEA 0 40
15 2008 2009 2010 2011
†
Real-time cultural metric ‡ Leading cultural indicator * Lagging cultural indicator
50
10
Source: Deloitte Consulting LLP 20
5 40
0
0 2008 2009 2010 2011
2008 2009 2010 2011 30
2008 2009 2010 2011 Limit breaches*
30
Strongest risk culures Weakest risk culures
Risk competence Motivation Relationships Organisation • Country 1 (79%) • Country 4 (42%) 25
The collective risk The reasons why How people in the How the organisational • Country 2 (72%) • Country 5 (41%)
management people manage risk organisation interact environment is structured • Country 3 (71%) • Country 6 (40%) 20
competence the way that they do. with others. and what is valued.
of the organisation.
15
10
5
0
2008 2009 2010 2011
†
Real-time cultural metric ‡ Leading cultural indicator * Lagging cultural indicator
Source: Deloitte Consulting LLP

Cultivating a Risk Intelligent Culture A fresh perspective 7

Delivering risk culture solutions

We have helped many financial institutions across the

globe to measure and strengthen their risk cultures,
including in Australia, Canada, the U.S. and the U.K.
Embedding risk management ways of working Improving risk management compliance
A global insurance company needed an ongoing A review of this financial services organisation’s
way to measure how effectively its risk management compliance with regulations uncovered that it
framework was embedded in its employees’ needed to improve how its employees understood,
behaviours – primarily to show compliance with respected, and followed its risk management policies
certain Solvency II and Pillar II requirements. and procedures. Through an overall risk culture
In collaboration with the client, Deloitte designed assessment, Deloitte provided leadership with an
an objective assessment process with the supporting objective measure of its risk culture in its Credit
tools, surveys, and qualitative interview questions Risk and Market Risk units. With this information,
based upon Deloitte’s Risk Culture Framework. Deloitte helped the client in its efforts to develop
This framework and assessment identified several specific action plans for Credit Risk to improve its
business units that had been more successful than communications and training efforts, and to review
others at embedding risk management into their its governance model against its trading volume.
employees’ behaviours. As a result, Deloitte helped Within its Market Risk division, recommendations
the client identify those effective practices that focused on employing technology to better and more
could be leveraged and replicated in other areas to quickly share risk information at both the granular
improve the client’s overall risk culture. By actively and aggregate levels.
involving the client’s risk team in conducting the
initial assessment and analysis, Deloitte imparted the
knowledge and skills the client needed to conduct
this assessment in the future.

Enabling a risk transformation program

A financial services organisation was in the midst
of a risk transformation program addressing
its risk management governance, compliance
processes, and controls. During this program,
leadership identified the need for the organisation
to improve its employees’ risk management
attitudes and behaviours. Deloitte helped the
client to determine the organisation’s risk culture
score and engaged key leadership, including the
Chief Risk Officer, in developing an action plan to
improve areas of concern (notably, incentives and
rewards, communications, and risk awareness and
competence). By assessing its risk culture every six
months, the organisation now maintains a current
and objective measurement of its risk culture, and it
can insightfully gauge the effectiveness of its cultural
improvement efforts.

8
Assessing the impact of enhancements to risk
management capabilities
A financial institution had recently increased its risk
management capabilities by introducing new risk
management leadership roles and processes.
The board’s risk committee wanted to understand
if these initiatives were having the desired beneficial
impact on the business’ risk culture. Through
an overall assessment of the risk culture, which
included interviews with the executive team and
a company-wide Risk Culture Survey, Deloitte
helped the client in its efforts to develop an internal
benchmark to be used to assess current and future
changes to risk culture. Also, with the use of data
analytic techniques, Deloitte was able to identify
particular opportunities to enhance overall success
by identifying specific ways that the business could
better manage its risks.

Developing a risk culture assessment capability

The Board Audit Committee of a bank required a
definitive statement on its risk culture in order to take
specific action to strengthen identified weaknesses.
Deloitte helped the internal audit department develop
a repeatable approach to measuring its risk culture to
include in its regular audit process. Leveraging the Risk
Culture Framework allowed Deloitte to help create
a broad, objective, and intuitive two-tier assessment
methodology for the internal audit department to first
identify areas of possible risk culture weakness within
business units, and then to conduct a more in-depth
analysis of these areas of concern. The assessment
process used employee surveys, behavioural enquiry,
deep structured interviews and data analytics to
provide tangible evidence to support its statement
on risk culture. After success of the initial pilot, the
internal audit department expanded the risk culture
audit process to be included in programmed and ad
hoc audits across the entire organisation globally.

Cultivating a Risk Intelligent Culture A fresh perspective 9

The Risk Intelligent Enterprise™

A strong risk culture is a pervasive theme of the nine

fundamental principles of a Risk Intelligent Enterprise2
In a Risk Intelligent Enterprise:
1. A common definition of risk, which addresses 7. Business units (departments, agencies, etc.)
both value preservation and value creation, is used are responsible for the performance of their
consistently throughout the organisation business and the management of risks they take
2. A common risk framework supported by within the risk framework established by executive
appropriate standards is used throughout the management
organisation to manage risks 8. Certain functions (e.g. Finance, Legal, Tax, IT, HR,
3. Key roles, responsibilities, and authority relating to etc.) have a pervasive impact on the business and
risk management are clearly defined and delineated provide support to the business units as it relates
within the organisation to the organisation’s risk program
4. A common risk management infrastructure is used 9. Certain functions (e.g., internal audit, risk
to support the business units and functions in the management, compliance, etc.) provide objective
performance of their risk responsibilities assurance, as well as monitoring and reporting on
5. Governing bodies (e.g. boards, audit committees, the effectiveness of an organisation’s risk program
etc.) have appropriate transparency and visibility to governing bodies and executive management.
into the organisation’s risk management practices
to discharge their responsibilities
6. Executive management is charged with primary
responsibility for designing, implementing,
and maintaining an effective risk program

2
“Putting risk in the comfort zone: Nine principles for building the Risk Intelligent Enterprise™,” Deloitte Development LLP. Available online
at http://www.deloitte.com/view/en_US/us/article/6b929c9096ffd110VgnVCM100000ba42f00aRCRD.htm

10
Contact us

For more information, please contact:

Nicky Wakefield Peter Matruglio

National Leader, Human Capital National Leader, Enterprise Risk
Tel: +61 2 9322 5799 Tel: +61 2 9322 5756
[email protected] [email protected]

Sydney

Heidi Dunbar Jonson Grant MacKinnon Andy Abeya Michael Williams

Director Director Director Director
Tel: +61 2 9322 5951 Tel: +61 404 804 744 Tel: +61 2 9322 5691 Tel: +61 404 828 751
[email protected] [email protected] [email protected] [email protected]

Brisbane

Natalie Smith Lisa Morgan

Director Director
Tel: +61 7 3308 7216 Tel: +61 7 3308 7274
[email protected] [email protected]

Melbourne

David Boyd
Partner
Tel: +61 3 9671 7077
[email protected]
Contact us
Deloitte
225 George Street
Sydney, New South Wales
Australia

Tel: +61 2 9322 7000

Fax: +61 2 9322 7001
www.deloitte.com.au

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or
their related entities (collectively the “Deloitte Network”) is, by means of this publication, rendering professional advice
or services.
Before making any decision or taking any action that may affect your finances or your business, you should consult a
qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained
by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its
network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/
about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple
industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class
capabilities and high-quality service to clients, delivering the insights they need to address their most complex business
challenges. Deloitte’s approximately 195,000 professionals are committed to becoming the standard of excellence.
About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading
professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial
advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth,
and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients
and our people excel. For more information, please visit Deloitte’s web site at www.deloitte.com.au.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
© 2012 Deloitte Touche Tohmatsu.
MCBD_Mel_09/12_047855