Risk Culture: Are the right people, doing the right things, in the right way?

The Royal Commission into Misconduct in Banking, Superannuation and Financial Services has highlighted the need for a clear understanding of both what risk culture actually is and what its key drivers are.

Current approaches to assessing and embedding risk culture in an organisation are impeded by this lack of clarity. This of course means that efforts to identify and address gaps in risk culture can fall short, because they are less focused and impactful than they could be.

Imagine the following examples where two people within a team are given the same task.

In the first example, the actions of both lead to poor risk outcomes because of:

  • Weak risk processes and practices that did not support them to manage risk effectively.
  • Weak capability or skills to manage risks effectively – possibly underpinned by weak institutional skills training programs.
  • Weak behaviours needed to manage risk, e.g. an environment that did not encourage escalation of concerns. This could be due to a blame culture or one that does not respect risk. Tone from the top in relation to embedding risk in decision-making is therefore weak.
  • The team members were simply unaware that managing the risks in the task was part of their role. The accountabilities for risk were not clear.


In the second example, one person identifies and manages the risks well and the other does not. The probable causes for the failure of risk management by one person could include:

  • The individual lacks the capability or skills to manage the risks effectively or has not received appropriate training.
  • A lack of care, negligence or a deliberate decision to ignore risks in completing the task.


A robust risk culture is one where risk is clearly considered in decision-making. This happens most effectively when people:

  • Have the required skills and capabilities to manage risk.
  • Are supported by effective tools, processes and policies to identify and manage risk within accepted risk appetite.
  • Are clear on their roles and responsibilities for risk.
  • Are clear on the behaviours expected of them in relation to managing risk.
  • Receive a tone from the top, from the Board, senior management and line managers, that reinforces the importance of risk and demonstrates this through their own decision-making and behaviours.


An integrated approach to assessing risk culture maturity should consider whether the:

  1. Right people are managing risk: Are the roles and responsibilities for risk clear? This applies to both individual and collective roles and responsibilities as reflected in role profiles and the terms of reference of governance committees. It is also impacted by organisational structures and how roles and responsibilities for risk are reflected across them (e.g. the Three Lines of Defence model).
  2. People are doing the right things to manage risk: Are the risk frameworks, and particularly risk appetite, effective in managing risk? Are the controls effectively embedded? Are they complex or simple? Do they meaningfully inform and empower the business to manage risk and deliver fair outcomes for customers within risk appetite? Do staff members have the required level of capability to use the tools?
  3. People are behaving in the right way when managing risk: Are the target behaviours that support acknowledgement, transparency, respect and responsiveness clearly understood and reinforced by management? Are they appropriately reflected in reward and remuneration structures? Is appropriate action being taken when inappropriate risk behaviours are observed?

These are all critical questions to ask when determining whether “The right people are doing the right things, in the right way.” When it comes to considering risk in decision-making it is absolutely imperative that these three simple approaches are embedded in the organisation to be able to deliver a culture where risk is part of the way people work and think.

The Royal Commission into Financial Services and the APRA CBA report both identified weaknesses in how risk is considered in decision-making, to the detriment of customers and leading to institutional financial and reputational loss. The causes of these weaknesses can be effectively assessed using the three dimensions above.

Most organisations that are seeking to assess risk culture and take action to address weaknesses tend to place too much emphasis on the behavioural dimension of risk management alone. These perceptions are normally based on outcomes derived from staff surveys.

Those organisations making the greatest progress in addressing weaknesses in risk culture need to look more broadly than just behaviours. They should assess the other dimensions discussed in order to gain deeper insights into the key drivers of the maturity of their organisation’s risk culture, so they can identify the most powerful actions they can take to embed their target risk culture.

For more commentary from Deloitte on the Royal Commission click here.
