Question asked by Anonymous
AFERM Experts Say...
It is important to establish a common definition of risk culture. The Risk Management Society (RMA) defines risk culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes towards taking and managing risk within an institution.” In my opinion, this definition appropriately focuses on attitudes and behaviors as the driving force behind organizational culture because it is ultimately the people, and not the processes and procedures, that determine ERM program success. A useful model to think about with respect to promoting culture is the Attitude-Behavior-Culture (A-B-C) model where culture derives from repeated behaviors, behavior is influenced by attitude, and attitude is influenced by culture. (Hillson, 2013) https://www.pmi.org/learning/library/understanding-risk-culture-management-5922
Culture change efforts can focus on shaping attitudes and reinforcing the desired behaviors associated with the desired risk culture. Considering strategies in relation to the A-B-C model, knowledge and understanding are key to shaping attitude. There are several approaches that an agency can consider, including frequent communications, specific training on the ERM program, using ERM as a common thread woven throughout agency-provided training, and providing other learning forums. Strategies to address the behavior component could include setting expectations and reinforcing the desired risk management behaviors. Creating clearly defined risk appetite statements for employees allows them to apply the statements to the decisions they make within their assigned responsibilities. Adding a risk management core competency or performance goal to performance appraisals can be useful. Additionally, having clearly defined and enforced risk management policies and processes that guide behavioral expectations, along with recognizing and rewarding the desired behaviors, are significant ways to establish and reinforce how the agency expects its employees to behave, individually and collectively. The final culture component of the A-B-C model can be addressed through periodically assessing the risk culture of the organization and by setting the right tone at the top, and through an effective and transparent risk governance process. These aspects are the most important according to Hillson, and the results of a 2013 study conducted by RMA. www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5452
It is important to remember that changing culture is very much an evolutionary endeavor and not a revolutionary one. It is one of the most difficult leadership challenges, takes considerable effort and time and is difficult to measure progress.
Hillson, D. (2013). The A-B-C of risk culture: how to be risk-mature. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.