Copyright notice: The following slides are intended for professional use within an organization for discussion purposes only. Any other uses or modifications are strictly prohibited.
Any organization is an assembly of people: people who take risk as they manage and direct the enterprise; people who decide how much risk is acceptable or even desirable; and people who provide oversight of the management of risk across the extended enterprise.
Organizational culture has been the topic of study for many years.
• “Culture is how organizations ‘do things’.” — Robbie Katanga
• “Organizational culture is the sum of values and rituals which serve as ‘glue’ to integrate the members of the organization.” — Richard Perrin
Richard Anderson and Norman Marks share their views on this complex subject. They cover:
• What is the difference between the “risk” culture and the “organizational” culture? How can it be analysed?
• Who takes risk, and who should be responsible for deciding how much risk to take?
• Is there such a thing as a single risk level?
• Why do so many of us take different views of exactly the same risks? How does an organization decide which view is “right”?
• Is one person’s risk another’s opportunity?
• What about when the actions of one impact the success of another?
2. Risk Reimagined!
Richard Anderson: Former Chairman of the Institute of Risk Management and risk manager
Norman Marks: Risk Management author and evangelist
Webinar #1: December 1st, 2015
Webinar #2: December 8th, 2015
www.riskreimagined.com
3. Risk Reimagined!
About this webinar:
• CPE: 1 Credit
• Program Level: Intermediate to Advanced
• Prerequisites and Advance Preparation: N/A
• Delivery Method: Group Internet Based
• Category: Specialized Knowledge and Applications
To receive a CPE credit:
• Remain joined to webinar for entire duration of programming (full hour)
• Answer all 3 polling questions
• Answer all evaluation questions
Join the conversation on Twitter with #RiskReimagined
4. Risk Reimagined!
Regulators are getting excited by culture
Regulator | Year | No. of Pages | Culture | Risk Culture
NAO | 2011 | 18 | 4 | Nil
Department of Justice | 2011 | 43 | 6 | Nil
FRC | 2014 | 28 | 20 | Nil
FSB | 2014 | 14 | 100+ | 73
5. Risk Reimagined!
It’s all about people
Any organization is an assembly of people: people who take risks as they manage and direct the enterprise; decide how much risk is acceptable or even desirable; and provide oversight into the management of risk across the extended enterprise.
6. Risk Reimagined!
It’s all about people
“Culture is how organizations ‘do things’” — Robbie Katanga
“Organizational culture is the sum of values and rituals which serve as ‘glue’ to integrate the members of the organization” — Richard Perrin
8. Risk Reimagined!
Polling Question 1
Has the risk culture in your organization been reviewed internally or by consultants?
Yes, it is reviewed on a regular basis
Yes, once
We are thinking about it
It would never fly
It is not possible
11. Risk Reimagined!
Compliance area | Level of risk
Bribery and corruption | 50
Environmental regulations | 20
Financial reporting | 30
Export/import regulations | 20
Product safety | 30
TOTAL | 150???
Is there such a thing as a single risk level?
12. Risk Reimagined!
Why do so many of us take different views of exactly the same risks? How does an organization decide which view is “right”?
13. Risk Reimagined!
Why do people matter?
Human nature is …
Individualist … or … collectivist
What do you believe … ?
I or C? Which do you think?
14. Risk Reimagined!
Why do people matter?
The way we live …
“superiors” tell “inferiors” … or … “equals” negotiate the “rules”
Prescribed/In-equal … versus … Prescribing/Equal
Tell or Negotiate? T or N? Which way does it work?
15. Risk Reimagined!
Polling Question 2
Are you:
Individual/Negotiate
Collectivist/Negotiate
Individual/Tell
Collectivist/Tell
None of the above
Don’t know
Don’t Understand
17. Risk Reimagined!
What is the difference between the “risk” culture and the “organizational” culture? How can it be analyzed?
18. Risk Reimagined!
IRM Risk Culture Framework
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture:
• Personal Predisposition to Risk: How will I react?
• Personal Ethics: How will I respond in recognition of other competing needs?
• Behaviours: What will I do?
• Organisational Culture: What will we do?
• Risk Culture: Our overall risk culture
19. Risk Reimagined!
Risk culture aspects model
Risk Culture:
• Tone at the Top: Risk Leadership; Dealing with Bad News
• Governance: Accountability; Transparency
• Decisions: Risk Informed Decisions; Reward
• Competency: Risk Resources; Risk Skills
20. Risk Reimagined!
Thinking about risk is managed…
1. Risk informed decision
2. Deals with risk systemically
3. Throughout the organization
4. With partners
5. Nimble with new issues
6. Can leverage risks
7. Takes more, better-managed risks
8. Gets hit by few surprises
9. Lives by established principles
10. Expects excellent performance
11. Top-level buy-in to risk management
12. Links risk management to strategic and operational management
13. Aims for simplicity and action, not bureaucracy
14. Constantly conscious of risk management performance
23. Risk Reimagined!
Holding a mirror up...
Regular findings
Non-execs normally refuse to take part.
Exec directors are ALWAYS more optimistic about their risk management maturity than the rest of the workforce.
Risk managers, heads of internal audit etc. ALWAYS know when they are using smoke and mirrors to report up the line.
Few others even care...
30. Risk Reimagined!
Objectives, Risks and Controls
[Diagram: two Objectives; Risks A, B, C and D; Controls 1, 2, 3 and 4. Annotations: “Risk to more than one objective”; “Control to more than one risk”.]
31. Risk Reimagined!
Objectives, Risks and Controls
[Diagram: two Objectives; Risks A, B, C and D; Controls 1, 2, 3 and 4, split between Department A and Department B.]
Who owns Control 4? Who has a guardianship interest?
32. Risk Reimagined!
Objectives, Risks and Controls
[Diagram: two Objectives; Risks A, B, C and D; Controls 1, 2, 3 and 4, split between Company One and Third party co.]
Who owns Control 4? Who has a guardianship interest?
33. Risk Reimagined!
Risk vs. Organizational Culture
Culture:
The culture of the organization is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organization and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.
Risk Culture:
“The risk culture of the organization is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organization the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”
34. Risk Reimagined!
And where they clash…
Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organization is facing complexity in its dealings internally or externally.
• Layering: Layered management reporting prevents new issues being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
• Control vs. Risk: Control (or risk control) management instead of risk management.
• Obstruction: Individually obstructive nodes can be very dangerous.
• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.
35. Risk Reimagined!
Balanced Risk revisited
[Diagram labels: Performance Culture; Corporate Ethics; Avoiding Pitfalls; More Managed Risk; Performance Zone; Dead Zones.]
36. Risk Reimagined!
Balanced Risk revisited
[Diagram labels: Performance Culture; Corporate Ethics; Here-and-Now; Tomorrow; Performance Zone; Dead Zones.]
37. Risk Reimagined!
Leadership in complex systems
[Diagram labels:]
• Relationships & behaviours
• Draw on widely diverse perspectives
• Adopt open enquiring mind set
• Go out of your way to make connections
• Tasks & ideas
• Be Clear
• Be Curious
• Be Courageous
• Invest in promoting values
• Establish compelling vision
• Embrace uncertainty
• Distribute leadership & decisions
38. Risk Reimagined!
Polling Question 3
Does your organization have a healthy risk culture?
Without question, yes
With exceptions, mostly yes
Only to a degree
Not really
Unsure
39. Risk Reimagined!
The bottom line
Risk Management should be the disruptive intelligence that pierces perfect-place arrogance
42. Risk Reimagined!
www.riskreimagined.com
Richard Anderson
Director, AndersonRisk
rca@andersonrisk.com
www.AndersonRisk.com
Norman Marks
Risk Management Author and Evangelist
nmarks2@yahoo.com
Contact Us:
Resolver Inc.
1-888-891-5500
info@resolver.com
www.resolver.com
Hussain Hasan
Principal and Regional Leader for Risk
Advisory Services, RSM US LLP
1-312-634-3700
Hussain.hasan@rsmus.com
www.rsmus.com