Risk Culture



As businesses become more global and risks become complex, behavioural factors are important to consider. There is growing recognition among risk professionals that a positive risk culture is an essential element of effective risk management. This is not to say that to effectively embed risk management in an organisation other factors are not important - clearly they are. Leadership, governance, training and adequate resourcing are just a few.

Behaviour change

To successfully change risk culture requires modifying behaviour. No clearer example is provided than the step change improvement in risk management in the field of work health and safety (WH&S). In organisations where by their very nature WH&S is the headline risk and often “the rule book is written in blood”, attention has turned to the human element rather than merely work processes and physical conditions. Behaviour analysis is becoming a vital tool to improve safety risk culture in these workplaces. So what is behaviour analysis, and can we use it more broadly to change risk culture outside of the field of WH&S?

Application of Applied Behaviour Analysis (ABA) to broader risk culture

Behaviourism is not at all new to the field of psychology, but relatively new to risk management. >Put simply, most people will not change their behaviour unless motivated to do so. ABA is “applied” as it relies on observation rather than theory. However this observation should not be confused with an exercise in fault finding, which it is not. Rather it is a process of fact finding through observation.

ABA is only effective when the application of these techniques changes the behaviour it seeks to change. ABA is a useful tool to more broadly enhance risk culture through identifying the underlying drivers of behaviour in an organisation. In effect the triggers and reinforcers that may be present in an organisation that either contributes to or detracts from a positive risk culture. Most organisations talk extensively about expected risk behaviour (the “said”), but often the underlying drivers of risk behaviour (the “unsaid”) are inconsistent. Staff intending to exhibit expected behaviours can easily be lead into unexpected behaviour by contradictory triggers and reinforcers, such as “unrealistic” KPI’s or short-term focussed reward and recognition systems. There must be clear alignment in an organisation between the activators and consequences of behaviour, and the expected risk culture. Focus on positive consequences to effectively change behaviour. Negative consequences should only be used as a last resort.

Strategies to improve risk culture

  • Matrix management structure: To counter hierarchical structures, local management staff across all the three lines of assurance should have matrix management reporting lines to a regional or head office. This “dotted” reporting line becomes a key escalation route in the event of local hierarchical resistance.
  • On the ground monitoring: Group identification and loyalty can undermine transparency as “bad news” may not get escalated in a timely manner. Remote monitoring from a regional hub or head office is therefore less effective. Frequent travel for face-to-face contact is essential, with regular meetings held outside the physical work environment to encourage and facilitate candid dialogue with local staff.
  • Increased independent assurance activity: A traditional three lines of assurance or “monitoring of accountabilities” model may be less effective where the cultural norm is the avoidance of discord within the organisation. To ensure accountability and effective risk ownership and oversight, additional external and independent assurance activity is ordinarily required.

Compliance training programs to build risk culture

Compliance training for your staff can be of tremendous value to an organisation and an essential part to building ethical culture, establishing acceptable standards of behaviour and mitigating risk. Other benefits include:

  • Reduction in errors
  • Reduce operational costs
  • Increase in productivity
  • Increase in customer satisfaction
  • Reduce staff turnover
  • Assist in building relationships with regulators
  • Adapt more quickly to regulatory change
  • Enhances reputation of the organisation
  • Increase in customer satisfaction

Governance, risk and compliance courses by the GRC Institute

At the GRC Institute (GRCI), we can deliver programs or individual modules that can be delivered in-house, as part of your organisational training framework. The courses can be tailored to meet the specific needs of your organisation, within the parameters of the national qualification framework, ensuring optimal value for your business and employees. As a registered training organisation (RTO), we offer two nationally accredited risk and compliance courses – mutually recognised in Europe, the Americas and across Asia through our international alliances with other compliance associations.

For further information about our compliance and risk training solutions for your staff, please contact us on +61 (02) 9290 1788.