Behavioural Risk - What's the issue?

Over the past few years, organisations across all industries have enhanced their focus on the culture and conduct (or behaviours). This has been driven by regulations in some sectors, and also by the rising incidence and cost of incidents where poor behaviours played a key role.

The two recent Australian Royal Commissions and the APRA CBA Report, have made it very clear that organisational culture and the conduct of individuals, once seen as the responsibility of HR, is a matter that needs to be firmly on the agenda of both senior management and the Board.

Risk, culture, conduct and behaviours...

Behavioural risk is the possibility of undesirable risk outcomes caused by poor workforce behaviours (or conduct) and the cultural factors that drive them.

Organisational culture is the sum of employee behavior – it is complex, difficult to observe and difficult to change. A desirable culture is unique to each organisation and depends on the purpose, strategy and values, as well as external factors such as the competitive context. It may also vary over time, and by business unit or the country/culture in which it operates, for example.

The interaction of organisation culture with risk management is referred to as risk culture. This is a key focus area including in regulations, to ensure the organisation culture supports strategy execution within risk appetite, and promotes sound risk responses.

Potential risks come to life as issues because of human behaviours - people either doing (or not doing) things that are inconsistent with the strategy, values and risk appetite the organisation desires.

How do we monitor this?

Just as all other risks are assessed, understood and reported against - so too should behavioural risk be. Behaviours of employees are a strong source of evidence of the actual culture in any organisation, and can show if the intended and expressed strategy, values, risk culture and risk appetite are being realised.

All executives and employees have a role to play, and a number of supporting functions such as the HR, risk, audit and compliance functions typically have specific roles.
 

There are a range of techniques that can be used to consider culture and behaviours:

What are the questions Audit and Risk Committees should be asking?

• What role do behaviours play in executing the strategy within our risk appetite?
• Have we defined and articulated our desired culture and behaviours?
• What role do key organisation functions play in managing and monitoring this?
• What information does the committee currently receive on the intended and actual culture and behaviours?

When it works well....

Committee role

• Responsibility for monitoring risk culture and any associated regulatory requirements is in the Audit and Risk Committee charter
• The role of other Committees and interactions on this topic, particularly the Remuneration Committee, is clear

Risk function

• Risk culture requirements are in risk management frameworks, processes and reporting
• Regular holistic reporting on risk culture to the Executive and Audit and Risk Committee

Compliance function

• Root cause analysis is conducted on compliance monitoring and breaches to identify behavioural causes and opportunities for systemic improvements

Internal Audit function

• IA reports comment on the role behaviour played for every audit issue (with root cause)
• “Deep dive” audits focused on culture and behaviour are conducted using a combination of qualitative and quantitative techniques
• Holistic risk culture audits are performed, often in support of or in coordination with regulatory requirements

People function

• Performance framework considers behaviours, including those relating to risk and compliance
• Risk incidents and compliance breaches are explicitly considered as part of performance outcomes

Pulling it together...

• Data on risk incidents, compliance breaches, audit findings and behavioural issues is shared between risk, compliance, people and audit functions

View all articles