Following its recent pilot risk culture survey, APRA identified Risk Governance and Controls, Responsibility & Accountability and Decision-Making & Challenge as the lowest performing dimensions for risk culture across companies.
This article is the second in a series on these challenges and provides a perspective on how companies can strengthen responsibility and accountability to improve their risk culture.
A risk governance and control framework is a critical starting point for establishing good risk culture, but what brings it to life is when people embrace the responsibilities and accountabilities that enable that framework. Yet, even organisations that have strong governance and controls often have difficulty engraining responsibilities, accountabilities and ownership.
So why does the journey so often stop at governance and controls, and not translate into people stepping up and taking ownership of risks?
Lack of clarity on who is responsible, and what they are responsible for, can make risk management burdensome for all and ineffective for the business. It goes without saying that everyone is responsible for behaving in accordance with the organisation’s standards and risk appetite, and you should have clear frameworks for rewards and consequence management to reinforce these behaviours.
However, being accountable for a risk means being responsible for understanding a risk, creating controls or processes to manage the risk, reporting on the performance of those controls and processes, and ultimately guiding the business’s response to that particular risk. Yet many organisations are not clear on who the risk and control owners are, beyond the executive accountabilities required by regulation, and thus gaps endure in creating and maintaining effective controls.
Lack of clarity over risk and control ownership often leads to paralysis in decision making: people come together to make decisions but the decision itself is never taken, or frustration arises around who is or is not consulted in the decision-making process. Where clear accountabilities are defined, the risk or control owner becomes clear on their responsibilities, including their responsibility to ensure risks are being effectively managed, and that decisions are appropriately informed.
Companies need to ensure that key risks and controls in the business have an appropriate owner, avoiding both duplication and gaps. Risk owners need to be clear on their responsibilities, and have the capability and capacity to deliver on that responsibility, to effectively manage risk.
A common issue with the three lines of defence model is that there can be unclear roles, particularly between the first line of defence and second line of defence. People in these functions often aren’t clear on when their responsibilities start or end. This lack of clarity can create overlaps in responsibility (leading to inefficiencies, tension and diffused responsibility) and also gaps (which can have consequences that range from undesirable to catastrophic). Being specific in defining roles, and ensuring there are effective communication and feedback channels between the lines of defence, is an important step to making those lines sharper.
Taking responsibility for a key risk is a risk itself and should be rewarded. Being held ‘accountable’ when something goes wrong brings negative connotations to mind. But it’s also important to hold people responsible and recognise them when risk is embraced, well managed and things go right.
Organisations that are successful in cultivating accountability and responsibility are the ones that provide appropriate rewards and recognition for those taking ownership of good decisions or taking risks within appetite, but also fairly and transparently apply consequences when things don’t go right. In many circumstances there are more risks associated with inaction than action, and by focusing the conversation on consequences rather than rewards you can create paralysis and secrecy rather than drive good risk behaviour.
Organisations that share and celebrate the stories and behaviours they want to see, and reward good risk taking behaviours like sharing lessons learnt and collective problem solving, will be much better positioned to capitalise on emerging opportunities and to navigate uncertainty.
Accountability leaves when a person does
With increasing mobility in the job market, it’s important to think about how accountability can be separated from individuals. If someone leaves, it’s important that the handover of the risks they were responsible for is robust enough that the accountability doesn’t end with them.
In reality, when a person departs from an organisation, there is a gap before they are replaced. This creates a key risk for the business, in that their risk accountabilities may not be managed by anyone. When someone takes on a new role within the organisation, are they given sufficient training and “induction” on their accountabilities and responsibilities with respect to risk? Are employees kept up to speed in a changing regulatory or external environment, when risks shift? When they leave, how are their knowledge and responsibility for risks transferred? For many companies, the transition gap between when someone leaves and another starts can heighten vulnerability for effective risk management.
Succession planning is a critical part of organisational management, but very few organisations are effective in creating succession and handover plans for significant business risks. Building key risks into job descriptions and the recruitment/onboarding process is an effective strategy for embedding clear responsibility for risk.
It goes without saying that Senior Leadership need to role model the behaviour of accepting responsibility. While it’s true that leaders might not necessarily have been aware of (or directly responsible for) something that’s gone wrong down the chain, they must accept accountability in acknowledging what occurred and facilitate the learning and remediation required.
Senior Leaders, in an effort to ensure they have effective oversight of the risks they are responsible for, are increasing reporting requirements within the business on risk management. This can create an increased burden on the business to effectively manage risk.
Leaders need to think deeply about what signals they are sending to the business about risk management, and consider the behaviours that might be preventing the business from taking responsibility for the risks they encounter in their work.
Fostering a climate where people feel safe and empowered to lean into responsibility ensures the controls in place are functioning well. To embed a mindset of responsibility towards risk management, leaders need to talk about risk, celebrate where risk is taken effectively, and ensure the lessons learnt are shared when they arise.
There are some common stumbling blocks organisations face when trying to foster cultures that encourage collective and individual accountability. This culture of accountability emerges when accountabilities and responsibilities are clearly defined across the three lines of defence, and when people are appropriately recognised and rewarded for managing risk effectively. Vulnerability emerges when accountabilities fall through the gaps, most often when someone leaves the business. Most importantly, leaders need to challenge themselves on the tone they set across the business, and how their behaviour and signals shape the behaviour of those responsible for managing risk below them.