Sean McGing and Andrew Brown
Abstract: The paper compares where organisations are on their journey in implementing enterprise risk management (ERM) and the extent to which, and how, organisations identify, measure and seek to improve their risk cultures. We do this for three contrasting industries: financial services, energy and education. Within financial services we consider variations between banking, life insurance, general insurance and superannuation.
An organisation's culture is complex and varies with a wide range of attributes and with its environment. How it instils its risk appetite and related actions in its people, and translates risk and opportunity into improved outcomes, will vary across industries. So too will the optimal risk management framework, with its policies, systems, processes, controls and procedures.
As a basis for the comparison we picked a sample of companies and identified their ERM frameworks and processes. We considered how the risk culture of each organisation affects its risk management, and in particular the roles of the first two of the typical "three lines of defence": (1) risks being managed by the people responsible for making decisions in the business, and (2) the support and enterprise-wide view from the risk function headed by the Chief Risk Officer (CRO); line (3) is independent audit. We examined how an organisation's risk culture and its interaction with the ERM framework affected risk ownership, taking responsibility for risks and being accountable for outcomes.
A key element of our assessment was our design of a risk culture questionnaire, which was completed by the organisations' CROs or equivalent. We complemented this with interviews of the CROs.
We present our findings including comparisons of risk practices and maturity levels and what each of the disparate organisations might learn from each other. We make recommendations on how to measure and manage risk culture. We reflect on the desirable attributes of a good CRO.
We explore the key insights and reflections from the CROs on the major challenges they are grappling with in relation to risk culture. These include how to identify the steps along a culture journey, the value or otherwise of investing in deep cultural change, how much resourcing of a risk team is enough, and the roles of senior leadership (the tone from the top) and middle management (the tune from the middle).