The foundation of good risk culture is a strong governance and control framework, which APRA defines as including “the risk frameworks, policies, controls and reporting within an organisation”. Experience tells us that these controls are necessary, but not sufficient, for optimising risk culture in an organisation. Organisations can have these controls in place and still not have a fully effective risk culture, but you also can’t have an effective risk culture without these controls being in place.
Many organisations stumble at this critical first step, and this article explores some of the common hurdles they face.
Frameworks reflect where the organisation wants to be
At a minimum, good governance and control frameworks should meet compliance obligations. At their best, governance and control frameworks help operationalise an organisation’s purpose, values and priorities. They help people understand how decisions need to be made and who has decision rights. These frameworks are a vehicle for the organisation to proactively achieve strategic objectives within risk appetite.
For example, if an organisation has safety as a core value and strategic objective, it can develop governance, controls and reporting frameworks that elevate this issue as a priority and signal to staff that safety is beyond a mandatory compliance exercise but a key business priority.
Innovation is another core value many organisations want to live in their daily operations, and this value can also be reflected in governance and controls. Are controls being regularly updated? Are they leveraging new technologies and reflecting current best practice? If your governance and controls process haven’t evolved, it’s a clear indication that this value isn’t lived.
Placing the employee at the centre of design
When setting a foundation for a house or building, the end goal is a good experience for the people living in it. Otherwise, the foundation is just a slab of concrete without function.
Similarly, when you’re developing risk frameworks, policies, and controls you need to be thinking about how people will eventually interact with those policies and controls. Are they having to dig through 10 layers to find that process document? Are there cues or prompts that set them up for success? Are there duplications or inconsistencies? Are they workable when staff are on a tight deadline, under stress or working remotely with children in the background yelling for ice cream? These are the realities of how people operate in the new world of work.
Compliance and controls inevitably place some demands on users, but an ideal outcome for an organisation is when following the processes is made as easy as possible, integrated into BAU activities and not an overlay or bolt on process. Most people don’t have malicious intent when they don’t comply with risk processes or procedures. They either don’t know what the right thing to do is, or doing the right thing is burdensome and fails to be a priority.
Further, even simple and user-friendly controls can be difficult for staff to operate when there are too many of them. While adding controls and frameworks is an understandable response to the regulatory environment of recent years, the sheer volume can be overwhelming and create an environment where people aren’t comfortable taking any risks, and feel they only have binary choices. Having set processes for organisational tasks are a necessary step towards a mature risk culture, but they can add up when you consider the huge number of tasks that need to be completed in an organisation on a given day. More mature risk cultures characterised by high trust and psychological safety can move towards guidance rather than overly prescriptive controls.
Leveraging technology
Good governance and risk frameworks leverage technology effectively. Technology allows the automation of controls and organisations to streamline the collection and analysis of relevant data. It also makes developing audit trails, recording decisions and, in some cases, automating decision making possible. Without fit-for-purpose technology that integrates insights across the Governance and Controls Framework, it’s difficult to track or establish connections between different data points, make effective decisions that take the bigger picture into account or view risk culture holistically.
Increasingly companies are ensuring they are bringing not only their line two risk managers into the design of technology based products (to ensure controls are developed within the product design, rather than after the product is designed) but also their line one and chief control officers to provide an end user perspective. This allows for the product solution to firstly avoid any unnecessary risk and for controls to be automated into the solution.
Technology and analytics also allow people to visualise the control environment, information flows, and the interdependencies of business risks. Effective controls frameworks will leverage technology based platforms and centralised systems to ensure line one risk owners have oversight of other risks in the business and are able to see them in context, or understand the cumulative risk that may be propagating across the business. This said, while you can provide the data, line one risk owners might not always have the time or ability to examine these cumulative risks. This is where line two can assist by scouring the data for cumulative risk across processes, and deliver insights back to line one for more effective risk management.
Risk governance and controls provides the foundations for an effective risk culture by providing the architecture by which people consider and manage risk. Effective governance will ensure the values and principles of the organisation are embedded in its controls design and risk management. Ensuring a user centred design to the architecture of a governance and controls framework will ensure its optimal use across the business. And technology should be used to assist in providing a cumulative and holistic view of risk not only to business leaders, but also to line one risk owners.