How does the tone at the top influence a risk culture?
The risk culture of an organisation is influenced by the style and behaviours of those responsible for its leadership. Whether this is an individual or a leadership team, the decisions made, values upheld, and actions taken set the tone for the rest of an organisation to follow.
In 2019, the Australian Prudential Regulation Authority (APRA) reviewed Australia’s largest banks, insurers, and superannuation licensees, finding that the term ‘risk culture’ was not well understood. It also found that entities were unclear about what a good risk culture should look like, and how to measure it effectively. APRA stated that organisational culture is what influences how entities manage risks and therefore should be considered alongside risk culture.
Leadership practices that can make a difference
While everyone is responsible for risk, there are key aspects and practices that leaders and their leadership teams should implement to encourage an effective risk culture.
Lead by example
Those at the top should buy into a culture that demonstrates ethical decision-making and encourages staff to regularly and effectively assess risk. Key artefacts, such as risk registers and risk policies, while important, are not enough on their own. Staff need to see that their leaders consider risk in everything they do, so it’s clear how they can adopt good practices in their own roles.
Leaders need to set the appetite for risk and encourage their teams to actively identify, assess, and report risks in their day-to-day activities. They should also encourage a culture where staff are empowered to learn from realised risks and not be scared to report them.
Clear lines of accountability
If responsibility for an entity’s risks is not clearly defined, it can result in:
- risks being overlooked – failing to identify and mitigate existing and emerging risks
- mismanagement of risk – under- or over-allocation of resources to manage risk
- lack of accountability – no one taking responsibility to manage risk.
When allocating responsibility for a risk, leaders should ensure that there is a single point of accountability. Too often when risks are allocated to multiple risk owners or a team, it can be difficult to hold people to account, and for individuals to be clear on what their role is. This can result in either duplication or a failure to act.
Engrained processes and procedures
A risk culture needs to be more than a tagline. It needs to represent the level of risk an entity is prepared to accept, and how it will respond to the risks it identifies. It can’t be about merely ‘going through the motions’. It should be fully integrated into, and aligned with, an entity’s annual strategic and operational planning process.
Risk policies and procedures need to be ‘living’ documents that are regularly socialised with staff, easily understood, and applied. This ensures buy-in and that staff understand how to apply them in their business environment. They should also support clear and transparent decision-making and reflect the ethical and moral compass of an entity.
What should those charged with governance be asking?
Those who sit around the boardroom table or are part of an audit committee play a critical role in ensuring that risk management represents more than just a compliance exercise. Those charged with governance need to satisfy themselves that their entity:
- clearly articulates and effectively applies a risk appetite and tolerance in its decision‑making and operational activities
- regularly assesses risks and updates its risk register, related controls, and risk treatment plans accordingly
- encourages staff to identify and report risk, but also empowers staff to embrace risk opportunities within the boundaries of the risk appetite set by the leadership team
- prepares timely, useful, and comparative risk reporting that provides the right information to the right audience at the right time, while keeping up with industry benchmarks
- covers risks specific to its business or industry, for example the risk of non-compliance with regulatory requirements
- takes a holistic or comprehensive approach to risk management.
Case study: We shared insights drawn from a suite of our audits on regulatory practices in Chapter 4 of our report Regulating animal welfare services (Report 6: 2021–22). We found that when regulators develop an effective risk management framework tailored to their organisational environment and industry-specific risks, it can help them better prioritise, focus, and deploy their resources. This sees resources allocated in proportion to the risk of the desired regulatory outcomes not being achieved. To do this successfully, entities need to apply current regulatory information.
Case study: In our report Minimising gambling harm (Report 9: 2023–24), we found that the department had not taken a comprehensive approach to risk management, which saw it fail to focus on high-risk areas and key regulatory elements, such as monitoring compliance with regulatory requirements and educating the industry.
How much should you report and is it effective?
Leaders need to consider each audience, its needs, and its intended use of the information when reporting on risks. For example, boards, executive leadership teams, and audit committees are unlikely to want to know more than an entity’s strategic risks and risks related to its major projects, whereas operational teams and divisions will be more focused on the risks that directly impact their activities, while still understanding how these align with the overarching strategic risks the entity faces.
Leaders can ensure they are providing the right and most relevant information by meeting with audiences regularly. This helps ensure needs are understood, including how audiences intend to use the information. In turn, this practice helps those responsible for risk reporting to know what to report and how often to report it.
Resources
- APRA’s evolving approach to supervising risk culture | APRA
- Advice on setting your risk appetite
- Risk management – where do we start?
- Regulating animal welfare services (Report 6: 2021–22)
- Minimising gambling harm (Report 9: 2023–24)
- Using risk appetite in the public sector
- Observations on ASIC report—oversight of non-financial risk
- The importance of culture
- You have an audit committee, but is it effective?
- The role of audit committees in financial reporting
- Effectiveness of audit committees in state government entities (Report 2: 2020–21)