RMIA 2015
It is essential that an organisation's risk management culture
be viewed as fundamental to its risk management success.
Boards must understand that they are accountable for the
organisation's risk culture through setting an organisation's
risk appetite, and working closely with the executive team
and the chief risk officer to promote the organisation's
risk culture. All staff members must understand that risk
management is not just the responsibility of the board and
senior management; everyone within an organisation has
It is not always straightforward to achieve this cultural focus
on risk management, when risk management fundamentally
requires an investment based upon things that may or
may not happen in the future. Risk management is an
explicit expense, and its true benefit is difficult to estimate
and market without the value of hindsight. It is clear,
however, that successful organisations leverage their risk
management culture to drive success. Qantas, for example,
trades on its significant safety record. Qantas states that it
trains staff to use risk tools 'so that the management of risk
becomes a natural part of everything we do, to help embed
a risk management culture' (Qantas, 2012).
Regulatory and governing body perspectives
Risk culture is an important issue for regulators and
governing bodies. Some examples of how their views
towards risk culture have been articulated include:
Australian Securities and Investments Commission
(ASIC), comments by Chairman to Senate Estimates,
3 June 2015:
'ASIC is concerned about culture because it is a big driver
of conduct in the financial industry. It is a sad fact that bad
culture leads to bad conduct, and this inevitably leads to
poor outcomes for consumers. Given there is a strong
connection between poor culture and conduct, ASIC thinks
culture is a major risk to: investor and consumer trust and
confidence; and the fair, orderly and transparent operation
of our markets. ASIC is planning to incorporate culture into
our roles as a conduct regulator.'
Australian Prudential Regulation Authority (APRA),
Prudential Standard CPS 220 Risk Management,
'The Board of an APRA-regulated institution is ultimately
responsible for the institution's risk management framework.
In particular the Board must ensure that ... (b) a sound
risk management culture is established and maintained
throughout an institution.'
'A risk management strategy (RMS) is a document that
describes the APRA-regulated institution's strategy
for managing risk and the key elements of the risk
management framework that give effect to this strategy.
At a minimum, an RMS must ... (e) outline the approach
to ensuring all persons with the institution have awareness
of the risk management framework and for instilling an
appropriate risk culture across the institution.'
Commonwealth Risk Management Policy (Australia),
'An entity's risk management framework must support the
development of a positive risk culture.'
A successful risk culture
So what does a successful risk management culture look
like? Some thoughts:
• Leaders champion and value risk management,
communicate consistently about its importance to an
organisation, and provide a role model for acceptable
risk-taking behaviours. Leaders actively review their
organisation's risk management culture, and work to
continuously enhance it.
• All employees actively consider possible future
opportunities and threats, and manage these according
to the organisation's risk appetite and ethical standards.
• Risk management is not viewed as a one-off activity,
but as a continuous process that is embedded
throughout an organisation's activities. Accountabilities
for risk management are clearly understood throughout
• Risk management is viewed as fundamental to the
achievement of an organisation's strategy, and is
embedded within strategy development processes
across an organisation.
• Employees understand risk management, and are not
afraid to raise and discuss risks. They escalate risks
that require further focus by senior management, and
senior leaders listen, seek understanding and provide
follow-up. There is a transparent two-way flow of
communication about risks, vertically and horizontally
throughout their organisation.