Building a healthy risk culture



    As the tax season wraps up for most companies here in the Philippines, preparing for the upcoming annual stockholders' meetings (ASMs) is next on the agenda. While reporting the financial position and results of operations is given significant focus, management should also be ready to report on and answer questions about the company's risk culture.

    Most of you must be familiar with what organizational culture means. But how much do you know about risk culture? Do you have the right risk culture in your organization?

    For those of you who have completed your ASMs, big congratulations are in order, especially if you have not been asked by your stockholders about efforts to foster a healthy risk culture. These matters may not come up in ASMs, but expect that, as part of the management team, you will one way or another always be challenged on how you can inspire true behavioral change and cultural health.

    In an article published by the Institute of Risk Management, risk culture is defined as a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization. This applies whether the organizations are private companies, public bodies, family-owned corporations or not-for-profits – wherever they are in the world. Banks, for example, have invested heavily in attempts to cultivate an internal culture that promotes ethical behaviors and deters risky ones.

    The challenge of building a corporate culture that prioritizes risk management, ethical behavior and smart decision-making continues to weigh on organizations. Let us understand the areas of risk culture and certain organizations’ leading practices that make theirs a healthy culture.


    Leaders, as role models, are expected to understand, embrace and exemplify the risk culture. Executives have made progress in setting the right “tone at the top,” but management actions, in setting appropriate risk standards and promoting desired behaviors, are not living up to these communications.

    How to “walk the talk.” Leading institutions see risk culture as a multidimensional issue that needs to be supported by a combination of people skills, policies and tools. Examples of leading practices are opening channels for escalating risk issues and encouraging others to do the same, underscoring a zero-tolerance policy for retaliation, finding new and better ways to attract talent with the right risk mentality, and developing an environment where individuals feel comfortable in challenging the well-established “command and control” leadership model.

    Governance and organization

    This pertains to the alignment between the risk function and the business as strategic partners. Simply put, how will the risk team be involved in key business decisions upfront? In addition, there is a defined and clear assignment of key risk-related business decisions to those capable of recognizing risk and managing it.
    This area also calls for better communication and collaboration with industry fora and regulators as it can create a more open dialogue about what works, what doesn’t, and what challenges to expect.


    To promote and sustain the risk culture that you want, a clear communications strategy and a high degree of transparency need to be fostered. Help deliver risk information to the right people, when and where it is needed. Start with sharing risk awareness and education materials across functions, businesses and geographies until risk communications become fully integrated with daily operations. Make available the risk issues log and mitigation plans to relevant staff, providing a high degree of transparency. Major risk events trigger activation of a formal communication plan with employees, customers, shareholders and regulators, as appropriate.

    Talent management

    Emphasize the importance of strong values and risk awareness across hiring, development and incentive programs. Cultivating the right risk culture calls for soft skills, but it is also grounded in technical elements such as credit risk policies, escalation protocols and risk dashboards.

    By dealing with compliance violations quickly and consistently, leaders are sending a clear message about the importance of risk management and compliance. By integrating risk metrics into how employees are compensated, assessed and developed, leaders are demonstrating their commitment to promoting “good” risk behaviors over short-term profits.

    Consistent global/national operating norms

    Each region has consistent operating norms that comply with the organization’s policies and expectations. It is not enough to create company-wide policies and mandate their adoption. The head office needs to gain perspective about the local markets and locations it does business in and adapt its risk initiatives there.

    Technology and infrastructure

    Deliver technology and infrastructure that provide for a comprehensive portfolio view of risk across the organization. Executives should be able to get the single view of risk that they need and see how risks taken across the organization are correlated, as well as their cumulative impact on the risk profile. Establish processes to mine, manage and interpret data across product, customer, finance and the workforce. Whether you have invested or are planning to invest in internal tools or more sophisticated risk technology offered by third parties, keep in mind that your goals should be focused on building greater access to information and having an enterprise-wide view of data.

    Culture exists in every organization. It is how people react not only to the black and white but also to all shades of gray. Keeping focused on these six key areas of risk culture is critical to creating and sustaining a healthy culture. After all, the mark of a strong risk culture is a company that doesn’t make the headlines for the wrong reasons.

    Geraldine Hammond-Apostol is a risk assurance leader, chief audit executive and transformation leader at Isla Lipana & Co./PwC Philippines. Email your comments and questions to markets@ph.pwc.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.



    1 Comment

    1. We have known for a long time that no two people will respond the same way to a situation of risk. The way any person responds to risk is influenced by a number of factors; the main ones are:
      • Nationality & culture
      • Childhood experiences (and formative environment)
      • Work ethics, trust & honesty
      • Education (and the way it was obtained)
      • Work experience
      • Religion and other spiritual thinking
      • Attitude towards life (and death)

      Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Risk Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response are lacking.

      Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.