Chapter 3: Risk Culture
Risk culture is the combination of values, beliefs, knowledge and attitudes shared by the agency which shape how staff identify and manage risk. This influences the approach taken to decision-making across the organisation.
Many factors influence risk culture, including the tone at the top, the code of conduct, and human resource policies.
Tone from the top is particularly important because it sets the fundamental attitude towards risk management within the agency. This is because leadership is responsible for demonstrating and driving good risk behaviours. If senior staff do not exhibit a good risk culture themselves, this can spread through the organisation and undermine risk management efforts.
Positive risk culture is based on creating a risk-aware workplace where employees at all levels manage risk as part of their job. Some core behaviours of an organisation with a positive risk culture are:
- consistently demonstrating that risk management is valued
- open communication and consultation
- learning and continuous improvement
- a clear and understood appetite for risk
- encouraging everyone to proactively report risks, and
- ensuring there is accountability and transparency.
Positive risk culture should be consistently present throughout all levels of the agency to support sound risk management.
It is important to understand and monitor the agency’s risk culture so that action can be taken to improve risk culture when necessary. Some methods and tools which can be used to gain insight into the risk culture of an entity are:
- Interviewing executives and the AA to understand their needs and expectations from risk management
- Conducting periodic staff surveys to identify trends in risk culture. For example, a question on risk management is included in the annual PMES for the NSW Public Service.
- Using the NSW Treasury Risk Maturity Assessment tool as a measurable way to track changes in risk maturity. This tool helps identify your current level of risk culture maturity and what level of risk culture maturity is most appropriate (i.e. target maturity). It also helps to target specific areas and activities that can be used to improve risk culture maturity.
These insights will likely show that people at different levels in an organisation see risk management differently. This is why it is important to get input from everyone – frontline staff, risk practitioners, executives, and the AA – when assessing risk culture.
Tone from the top recognises the importance of a leadership team in promoting risk culture in an agency, and in enabling good risk management as a result.
Maintaining a tone from the top that is consistent with the agency’s values is vital to ensuring that the agency’s risk framework is effective. Whilst the risk management function of the agency can support leadership in informing and monitoring risk, this will be ineffective if the decisions made by leadership do not align with the risk management function.
An agency’s leadership sets the tone from the top. To support effective tone from the top the leadership team should:
- model and actively promote commitment to risk management
- recognise the need to resource the management of risk in order to achieve the agency’s objectives
- ensure that any strategic direction taken by the organisation does not conflict with policies and controls implemented to manage risk
- model ethical behaviour, and ensure compliance with policies and procedures
- establish methods for employees to report unethical behaviour, and
- clearly communicate the values of the organisation to employees.
The introduction of any new risk management initiatives requires widespread organisational support. Management must consider the risk culture of the agency when driving change in risk management.
The desired risk management culture should align with the agency’s strategic goals and be part of the organisational culture, internal policies and decision-making processes. Performing a gap analysis of the current and desired state of risk culture is the first step to successfully promoting positive risk culture, as discussed in section 3.1.
Actions to promote positive risk culture include:
- Executive and senior managers embedding the importance of risk management in the agency, by championing and demonstrating their commitment to it through their behaviour
- Communicating that all staff in the agency are part of the risk management process, for example including responsibilities in role descriptions
- Encouraging managers and staff to develop and invest in risk management knowledge and skills
- Training and supporting staff in incorporating risk management into everyday roles and responsibilities, such as business planning, budgeting, project management, and
- Ensuring sufficient time and resources are allocated to risk management activities to strengthen and enhance resilience and success.
For further drivers and possible actions to influence risk culture please see Appendix B.