
ACCA & Airmic: 2024 Global Risk Culture: Building Resilience and Seizing Opportunities, Research Report (English edition) (66 pages).pdf


RISK CULTURE: BUILDING RESILIENCE AND SEIZING OPPORTUNITIES
A GLOBAL SURVEY AND REPORT

© 2023 Association of Chartered Certified Accountants
April 2023

About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global professional body for professional accountants. We're a thriving global community of 241,000 members and 542,000 future members based in 178 countries and regions, who work across a wide range of sectors and industries. We uphold the highest professional and ethical values. We offer everyone everywhere the opportunity to experience a rewarding career in accountancy, finance and management. Our qualifications and learning opportunities develop strategic business leaders, forward-thinking professionals with the financial, business and digital expertise essential for the creation of sustainable organisations and flourishing societies.

Since 1904, being a force for public good has been embedded in our purpose. In December 2020, we made commitments to the UN Sustainable Development Goals which we are measuring and will report on in our annual integrated report. We believe that accountancy is a cornerstone profession of society and is vital in helping economies, organisations and individuals to grow and prosper. It does this by creating robust trusted financial and business management, combating corruption, ensuring organisations are managed ethically, driving sustainability, and providing rewarding career opportunities. And through our cutting-edge research, we lead the profession by answering today's questions and preparing for the future. We're a not-for-profit organisation. Find out more at

About Airmic

The leading UK association for everyone who has a responsibility for risk management and insurance in their organisation, Airmic has over 450 corporate members and more than 1,750 individual members. Individual members are from all sectors and include finance, sustainability, information and technology, internal audit, and legal professionals, as well as risk and insurance professionals. With our partners, and in collaboration with affiliate associations and institutes, Airmic supports members through learning and research; a diverse programme of events; developing and encouraging good practice; and lobbying on subjects that directly affect our members and their professions. Above all, we provide a platform for professionals to stay in touch, to communicate with each other, and to share ideas and

About PRMIA

Established in 2002, the Professional Risk Managers International Association (PRMIA) is a non-profit, member-focused and member-driven professional association represented globally by more than 50 chapters in major cities around the world. PRMIA's mission is to provide an open forum for the development and promotion of the risk profession through credentialing, learning and development programs, online thought leadership resources, and events. To learn more, visit www.prmia.org

Unique collaboration and dedicated special interest group

The Association of Chartered Certified Accountants (ACCA), Airmic, and the Professional Risk Managers International Association (PRMIA) have teamed up to dig deeper into what our members are doing to enhance risk culture and its effect on the organisation's broader strategy. This collaboration is a first of its kind on risk culture across sectors and regions around the world.

Author
Rachael Johnson, Head of Risk Management and Corporate Governance, ACCA

Foreword

In recent years our world has experienced profound behaviour-transforming disruption. In early 2022, we decided to collaborate and explore how these interconnected issues, including climate change and other intensifying global macro threats, are influencing the way members of our three professional bodies approach risk management. Given the new perma-crisis norm, we decided to take a deeper dive into what risk culture means and find out to what extent risk and accountancy professionals understand its impact on performance.

As a continued string of corporate failures also reminds us of the long-standing disconnection between risk management and accountancy, we remain focused on how our professions can collaborate more on fostering cultures that allow organisations to get where they want to be. Risky behaviours brought down the Wirecards and FTXs. Other collapses continue to grab headlines, indeed even as we write, with Silicon Valley Bank and Signature Bank in the US (Pound 2023). Yet the predictable question that always comes
up in the aftermath is: where were the risk managers and accountants? In today's digital, vox pop world, we also see the likes of Trustpilot, Glassdoor and other social media giving regulators a new lens for observing beyond what is stated in annual reports and other public statements. However, in this new era of accountability, it won't just be the regulators stepping up their scrutiny. With environmental, social and governance (ESG) issues dominating agendas, we see stakeholders from all corners asking for more answers. This is a material aspect of today's corporate world that risk and financial leaders cannot ignore.

Our aim through this report is to empower our professions to improve their risk cultures and, by helping them learn what is working or not, lead their organisations in what is undeniably a new age of risk. As part of our research, we formed a special interest group comprising subject matter experts, who continue to assist us in shaping the research, educating our members, and enhancing our continuous learning resources for risk and financial professionals globally. We would like to thank all who have contributed.

Helen Brand, CEO, ACCA
Julia Graham, CEO, Airmic
Justin McCarthy, CEO, PRMIA

Contents

About the report
    Global surveys, roundtables, and one-on-one interviews
1. What is risk culture and why is it gaining recognition?
    Every risk is driven by human behaviour
    Human behaviour is difficult for organisations to define and measure
    Culture supervision
2. Key findings from our online survey
    Survey respondents rank regulatory change and cybersecurity as top risk priorities
    Risk culture has changed for the better since the pandemic
    Who is who in risk management?
    How internal audit evolves with risk management remains a big question
    Risk appetite: Even when people understand it, they behave differently
    The inside story of overconfidence and debilitating misalignment between culture and organisational purpose
    Risk conversations are happening in a vacuum at the top
    Board and senior management coordination needs to improve
    How well does risk culture detect misconduct?
    Regional differences in comfort with whistleblowing
    Sector differences in comfort with whistleblowing
3. What's next? Can regulatory forces build trust through purpose and accountability?
    Greater accountability, not only for firms but also for individuals
    What should individuals be accountable for inside their organisations?
    Role clarity and bringing the G in ESG up to speed
    Pleading ignorance is no longer acceptable
    Board and management must agree on how purpose is understood and put into practice
    Supervisory oversight efforts to force cultural change
    Benchmarking and the all-important MI
4. Closing remarks from Stephen Scott, Starling
Special interest group
Appendix
    Inefficiencies of risk culture maturity surveys by Horst Simon, Risk Culture Builder
    Demographic breakdown of respondents
References

About the report

Global surveys, roundtables, and one-on-one interviews

At the heart of our research is an online global survey designed to help us gauge how members of our professional bodies would describe their risk culture. Is your culture one that is dangerously full of perils and contradictions? Is it a potentially powerful and coherent force full of opportunity? Is it somewhere in the many shades of grey in between? There's much to unveil, revealed by our extensive reach.

The survey, which took place during the last two weeks of October 2022, attracted 1,823 individual responses from risk and financial professionals around the world and across a range of industries. It covered an unprecedented amount of ground on the culture of risk management. With 93% of responders being ACCA members and therefore from accountancy backgrounds, we can compare findings from a wide range of niche roles related to risk with perspectives from people also in financial roles not explicitly in charge of risk management. This has given the research a breadth and authenticity which we have found very insightful.

Several financial supervisory bodies already conduct regular comprehensive surveys on the risk culture of firms, but these are in their separate jurisdictions, which means our joint initiative is the first to do so with such global scale and reach (APRA 2022; FCA 2017). Charts can be found in the Appendix showing the demographic breakdown of our survey respondents by region (Figure A1), organisation size (Figure A2), sector (Figures A3 and A5), roles (Figure A4) and age.

To complement our survey, we held an online community pop-up platform in November 2022 where respondents could log in and share their views and experiences with risk culture. This platform attracted more than 100 participants, who joined in conversations with members of our special interest group as well as in mini-polls and other interactive engagements, giving us rich qualitative data and a wealth of anecdotes to compare with the survey findings.

We also set up roundtables and one-on-one interviews, along with discussions in our business-as-usual forums, all of which took place between January 2022 and January 2023, allowing us, ultimately, to gather insights from over 2,000 risk and financial professionals around the world. With this triangulation we have been able to analyse in detail the convergences and divergences of all the input.

Overall, we found the survey respondents seemed overconfident about the effectiveness of their risk cultures, given what we heard in the qualitative sessions. Listening to participants in our interviews and forums, we experienced a bursting of the floodgates as participants expressed a pent-up frustration with the short-sighted focus on risk culture inside their organisations. Through those discussions, we perceived a mix of risk perceptions and scepticism across different roles and hierarchies. Have lessons been learned despite the accounting scandals that have shone a light on the alleged misdiagnoses of external auditors? Are judgements still being based on numbers that only vaguely add up and assertions from senior management that ignore red flags? Hindsight bias always says a different call could have been made, but can audit professionals honestly say that their judgements were valid and reasonable when considering all the information they had at the time? The consensus is a resounding no from those in key risk roles.

These interviews produced fascinating insights into risk and financial professionals' hopes and fears day-to-day as they often struggle to get the necessary commitment to create the risk cultures and governance needed to facilitate their organisation's strategy. This struggle arises because the warning signs of failures waiting to happen are definitely present, but respondents recognised that a strong risk culture, consciously built and nurtured by the board, senior and middle management is essential as the best means of avoiding them, and this is often lacking.

"I have seen so many situations where more junior staff 'stay in their lane' because senior management tend to use jargon that is high level and generally act like risk discussions are secrets to be kept locked away in the boardroom and away from staff."
Online community pop-up participant

1. What is risk culture and why is it gaining recognition?

From Arthur Andersen and Enron to Lehman Brothers, the LIBOR (London Interbank Offer Rate) manipulation and the never-ending stream of other scandals, we see how risk culture becomes a big topic as a consequence of each incident but then fades down the list of priorities for boards and senior managers until the next spectacular corporate collapse.

What we have learned throughout the course of our research and engagement with members of our professional bodies is that individual values, beliefs and attitudes towards risk are naturally influenced by, and contribute to, the wider overall culture of an organisation (Power et al. n.d.). In other words, organisational culture or corporate culture is naturally related to leadership, learning and performance, control, ideology and/or oppression (Power et al. n.d.). Culture is about 'how we do things around here' or 'what we expect around here' (Power et al. n.d.). Culture is the cause, as it were, and what happens as a result, be it good or bad, is the effect.

The workplace transformations accelerated by Covid-19 also posed new questions about what constitutes risky behaviour and how it spreads. But, in recent years, supervisory regulators in the financial services industry, especially, have been turning their attention to risk culture as a means of tackling and preventing further governance failures, and a concerted dialogue on psychological safety has fast emerged (Baunsgaard 2022). The focus is on how to foster an environment where staff believe they are safe to speak up and discuss ethical issues, including views on how their products and services are produced and delivered. Businesses are increasingly finding themselves forced to consider why their organisation exists and what the role of their business should be within wider society. This includes identifying where conduct and leadership lapses can threaten their competitiveness. So, where is risk culture in all this?

Every risk is driven by human behaviour

For all its concern over regulatory capital, the Basel Committee on Banking Supervision has published corporate governance guidelines for banks after every crisis (e.g., BCBS/BIS 2014) and still defines risk culture as norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks (quoted in Milkau 2017). The Financial Stability Board (FSB), set up in Basel in April 2009 to represent the G20 economies, also describes a sound risk culture as that which bolsters effective risk management, promotes sound risk-taking, and ensures that emerging risks are recognised, assessed, escalated and addressed in a timely manner (FSB 2014). The FSB explains how risk culture is not static but evolves over time in relation to the events that affect the institution's history (such as mergers and acquisitions) and is affected by the external context within which the institution operates (FSB 2014).

"There are huge points when your organisation is tested. For example, when you do a restructuring or a termination. You won't get it right if you don't have the risk leaders, finance and HR working in tandem. It's like the Freudian triangle. You need all these to have a culture that will have the right impact: the behaviours that get you where you want to be."
Accountant at a Fortune 500 company

"We have to be careful not to fall into the trap of separating culture from risk culture. Culture is how people behave. Behaviours, whether they lead to risk taking or risk aversion, come from the decisions that you make. Decisions are based on judgements, and judgements are largely based on the values we hold. Yes, there are external pressures which impact these decisions, but we need to track Risk Culture back to a clear set of moral and behavioural values that underpin decisions. This is where individual and firm values become intertwined in the firm's business and risk culture."
Patrick Butler, board chair, Net Zero Labs and adviser on culture and conduct management, and member of the special interest group

In our survey, we asked whether respondents believed the risk culture at their organisation could prevent unexpected behavioural issues and we put forward a short suggested definition of risk culture to give them a general base for their answers and comments. It is one that we would say is accurate and reflects our research findings.

Risk culture is a term describing the values, beliefs, knowledge, attitudes, conduct, behaviours, and understanding about risk and the level of accepted risk shared by a group of people who have a common purpose.

Human behaviour is difficult for organisations to define and measure

An organisation's risk culture is hard to measure because whether good or bad, a risk culture that helps an organisation be successful at achieving its goals involves participation up and down, throughout the organisation. Therefore, there are many touchpoints, which individually could be of high or low quality, to consider when developing behavioural indicators.

FIGURE 1.1: Seven steps of culture
Figure labels: Culture; Leadership; People; Reward & recognition; Communication; Performance evaluation; Continuous improvement; Service delivery & operations mgmt.
Source: adapted from Airmic-QBE Guide, The Importance of Managing Corporate Culture, 2018

"Organisational culture is about how people behave as members of a group, and risk culture is an aspect of this. For firms, promoting behavioural norms that facilitate good risk management, and identifying and managing any that may undermine it, matters. Doing this well requires both understanding of the wider context in terms of overall workplace culture and avoiding narrowing the focus to conduct as measured by the incidence of misconduct: the latter, identifiable and clearly very important, but only a part of the bigger picture."
Alison Cottrell, chief executive officer of the UK's Financial Services Culture Board

In the face of these measurement challenges, regulators are requiring firms to demonstrate how they manage human capital, because there is a growing consensus among them that managing risk culture starts by assessing the broader culture, the behaviours it breeds and the risks that they might drive (Starling Insights 2018). No matter how hard it is to measure, manage or influence risk culture, or how much or how little an organisation's leaders are under pressure to do so, the benefits of getting risk culture right, laid out in this report, underline why boards and executives would be wise to recognise how their risk culture affects performance.

We also heard how the growing focus on this has led some organisations to discover they are sitting on useful information that they had not previously realised they had and now are considering how to apply it to policies and decision making. This new data paradigm is spelled out more comprehensively in Culture Audit in Financial Services: Reporting on Behaviour to Conduct Regulators by Dr Roger Miles, a specialist in behavioural science who is also a member of ACCA's risk culture special interest group (see Harwood 2022). As we see through our survey responses, this requires a new generation of management reporting information (MI) that many members of our professional bodies admit they have yet to grasp. Some respondents in the financial services industry have been gathering culture and conduct MI for as long as a decade now but say they are still struggling to use it strategically and act appropriately on the information they get. Some banks have invested a considerable amount of money in developing the metrics, and respondents in various roles told us they are not only working out what information matters most but trying to share it with the people who could use it in a more effective way.

Culture supervision

FIGURE 1.2: Risk culture supervision
Figure labels: Crisis (repeated); Backward looking; Forward looking; Thematic investigations; Behaviour & culture; Board effectiveness; Business models; Benchmarking; Macro prudential analysis; Sound operations policy; AML/CFT; Compliance; Operational risk management; Financial reports; Risk management; Stress testing; Non-financial risks; Financial risks
Source: adapted from Dr Roger Miles

2. Key findings from our online survey

Survey respondents rank regulatory change and cybersecurity as top risk priorities

Regulatory, compliance, and legal risks came top of respondents' risk priorities and Technology, data, cybersecurity came second.

Regulators and hackers top the list of greatest risk concerns, as shown in Figure 2.1. Data from the first question in the survey speaks volumes and in the subsequent interviews and roundtables led us to debate why being compliant is the top risk priority for organisations (Figure 2.2). There is no doubt that this reflects the multitude of regulatory and compliance requirements around the globe as the workplace becomes ever more complex. It also indicates that staying on top of these changes requires a great deal of time and effort for those responsible. Regulatory/compliance/legal is in the top three for all sectors except one: not-for-profit/charity.

By region, regulatory/compliance/legal risk is top or close to the top with one exception: North America ranked technology/data/cybersecurity significantly higher than the rest. Also notable is China, where regulatory/compliance/legal risk was a much higher priority than all other risks (Figure 2.3). Respondents based in Africa were more likely to be concerned about misconduct/fraud/reputational damage issues, something that was not a major concern for those in Western Europe. In terms of sector, respondents in financial services were more likely to raise technology/data/cyber security and regulatory/compliance/legal as their highest risk priorities, whereas those in the corporate sector ranked logistics/supply chain issues as one of their top risk concerns.

FIGURE 2.1: Risk and financial professionals' top risk priorities (as at October 2022)
Series: 1st ranked; 2nd ranked; 3rd ranked
Number of respondents out of the total 1,823 who put this risk in their top three (Data rounded to nearest whole number):
Regulatory/compliance/legal: 965
Technology/data/cyber security: 899
Economic inflation/recession: 842
Misconduct/fraud/reputational damage: 563
Talent scarcity/skills gaps/employee retention: 752
Logistics, including supply chain: 291
International and geopolitical instability: 449
Climate change and its social and economic implications: 306
Currency, including crypto and digital assets: 152

Plenty of box ticking is prevalent, but there is also a growing interest in risk culture to cope with disconnected organisational cultures and hard-to-detect breadth of risks.

FIGURE 2.2: Top risk priorities by sector
Risk categories (chart key): the nine risks listed under Figure 2.1
Sector: 1st ranked / 2nd ranked / 3rd ranked
Public practice: 46% / 44% / 39%
Public sector: 41% / 39% / 38%
Financial services: 46% / 36% / 34%
Not-for-profit/charity: 43% / 40% / 39%
Corporate sector: 42% / 40% / 36%
Retired/between jobs*: 43% / 41% / 38%
*Based responses on previous place of work (Data rounded to nearest whole number)

FIGURE 2.3: Top risk priorities around the world
Regions: North America; Caribbean; Africa; Western Europe, Central and Eastern Europe; Middle East and South Asia; Asia Pacific minus China regions; Mainland China, Hong Kong SAR, Macau SAR and Taiwan region
Risk categories (chart key): the nine risks listed under Figure 2.1
(Don't knows remain the balancing figure for each region)

The outliers by age are the over-65s, who put economic concerns top, then cybersecurity, followed by talent. While there are some interesting age nuances to consider, the main differences throughout the survey are between the under 25s and over 65s (Figure 2.4). We found variances across roles to be especially insightful for most questions in the survey (Figure 2.5). Of all the roles categories, chief risk officers placed cyber and economic concerns higher than regulatory/compliance/legal, but not by much. Respondents in these roles gave a higher ranking to misconduct/fraud/reputational damage than those in any other roles, putting it in fourth place.

FIGURE 2.4: Top risk perceptions by age of respondent
Series: All respondents; Under 25; 25-35; 36-50; 51-65; Over 65
Risk categories: the nine risks listed under Figure 2.1

FIGURE 2.5: Who fears what? Top risk perceptions by job roles
Series: All respondents; Chief risk officer; Head of risk; Other role related to risk; Not in a role related to risk
Risk categories: the nine risks listed under Figure 2.1

"I suspect that most of the CROs and heads of risk responding to this survey would be from highly regulated industries, such as banking and telecoms, and as such have no option but to comply since these are mandatory requirements which could attract fines and have a severe impact on the business as a going concern."
CRO from a bank in Western Africa

"Multinational companies have had to rely on third parties because of all the supply chain disruption and travel restriction pressures since Covid, and this just makes business ripe for bribery and other crimes. Regulators are now stepping up their enforcement and working together to combat the corruption, so this is an increasing concern for our multinational clients. Audit and compliance teams are dealing with a crazy number of changing risks and incidents in this post-pandemic era."
Monica Young, director of risk and compliance at KPMG LLP in Chicago, and a member of our special interest group

There is a realisation, albeit after the fact, of how risk culture affects an organisation's ability to deal with constant regulatory implementations. One audit committee chair at a UK property developer told us that, in hindsight, a greater focus on risk culture could have helped the organisation cope better with fierce and sudden regulatory changes that are being described as the new black swans.[1] But the truth of the matter is that this 'being compliant' style of management has become a core driver of corporate strategy.

[1] A reference to The Black Swan: The Impact of the Highly Improbable by Nassim Nicholas Taleb.

Even where regulators are not springing surprises on organisations, the comment below from a chief financial officer at a construction company in Singapore explains that while the authorities there have been giving the company a reasonable timetable for complying with new sustainability reporting standards, the implications of Covid-19 have changed the industry for ever and such transformations are impossible to keep up with operationally and financially.

"We had to put some big provisions on the balance sheet because of a regulation that was developed overnight that says any building you've ever built in the last 30 years you have to go and fix, even though you may no longer own it. Ethically, the government is saying you've made a load of money in the last 20 years, there's no one around who's left to fix this, so it's over to you, Mr Developers. There's just no way to predict what this or that outcome is going to be, and there's more upcoming. We've got a new consumer code that is like Sarbanes-Oxley on steroids. Regulation has completely changed. Yes, it is for the better because one could argue we should have been doing this stuff and responding to customers in the right way in the first place, but we're not used to working in such a volatile political environment like this. It's a massive paradigm shift in terms of behavioural change and how we need to operate."
ACCA members in UK

The Russian invasion of Ukraine was also highly disruptive for our respective members at the time of the survey. Many risk leaders started 2022 losing sleep over concentration risk on the Cloud and then came a curveball of geopolitical and economic uncertainty never seen in most of our respondents'
101、 careers.We had a lot of new issues to sort out and since as much as a third of our branches were in buildings owned by Russian oligarchs there was obviously a blind spot that required different teams coming together given the sanctions.CRO in UKThe new requirements definitely give us insights for t

102、he long run to see how we can reflect on how we move on from the traditional way of doing things and do it better for the future,but we also have the fact that things are evolving at a very rapid pace.CFO in Singapore The burden of compliance is greater in some areas than others,and that is also a r

103、eason why certain priorities at the bottom of the ranking stood out.Climate change,for example,has undeniably become increasingly compliance-intensive,despite coming second to last overall as a priority.With several respondents referring to the daunting task of Scope 3 emissions,we can see how clima

104、te change is increasingly viewed as a regulatory issue by our respondents.Regulatory risks also loom large because regulators can present sudden fines and immense implementation costs,with most respondents admitting that while they accept extreme weather and natural catastrophes are also causing cos

105、tly disruption,they do not have the resources for assessing the scale of the impacts on their businesses.We are facing risk everywhere,especially with the unpredictable approach of the authorities,and not just at the state level but also the European level.We have the cost-of-living crisis,which is

intensifying daily here, while authorities continue to change the rules, especially when it comes to climate. It's not an easy game to play and makes it harder for us to attract new direct investments.
An energy sector entrepreneur in Eastern Europe

Regulatory risk ranking at the top can also be explained by the fact that, for some, it is the way they chose to express concern over other risks. Below is a comment from a finance director in North America on cybersecurity, and why it also can be covered under a broad definition of regulatory risk.

Talent shortages ranked mid to high in the priority hierarchy compared with other risk areas and in our conversations seem clearly to have hit some organisations harder than others.

RISK CULTURE: BUILDING RESILIENCE AND SEIZING OPPORTUNITIES | 2. KEY FINDINGS FROM OUR ONLINE SURVEY

Cybersecurity is one of the biggest problems for the best of us and we don't know how to collectively manage or report on it. New regulations are coming out all the time with new kinds of approaches and we go to the Big Four, but they are also playing catch-up. We have had regulations on cyber risk before, but not to the magnitude it is now.
Finance director in North America

Regulators are requiring banks to reimburse customers for phishing and other hacks, so the stakes are high for banks to invest in the right measures for mitigating this added layer of an already material risk. They want us to have zero tolerance, but it is foolish to think anyone could have zero tolerance when you look at the scenarios we are dealing with.
Head of risk at a bank in Central Europe

As regards to the ranking of technology/data/cybersecurity at second highest overall, one ACCA member at a technology company in Eastern Europe also summed up why cyber risks would remain a priority for everyone.

Cyber risk is something that is so ingrained in anyone who wants to run a successful business, so I think there is less of a fight or a challenge in getting the buy-in. Leaders also worry about retaining the data security or IT teams because so much subject matter expertise is required. Some might even say it's part of compliance, but compliance is not a security against cyber risk. IT risk is also a worry because the CEO can't prevent who clicks on what. They can only take ownership of the risk from the perspective of investment and prioritisation rather than the day-to-day measurement.
ACCA member at a technology company in Eastern Europe

Another material risk for us is human resources. In the case of Romania, six million people have left in the last couple of years to live abroad, mostly around Western Europe. Most of them are very educated and left due to the difference in salaries, conditions, medical system, insurance, and so on.
Managing director in Eastern Europe

Demand for certain kinds of talent was a major topic with ACCA members in the Middle East as well, with one risk head who works at one of the US-based big tech companies in Dubai explaining the high demand for risk and compliance professionals in the region.

Everyone here is looking for risk and compliance people right now and there are not enough to go around.
Head of risk at a tech company in Dubai

Another interviewee who works as a risk governance consultant in Dubai blamed the talent scarcity on the ancient and out-of-touch education models we have created, saying that graduate students, even those coming out of the top universities and finance programmes globally, are not in tune to what is happening in the real world and none of them know how to account for risks or sustainability matters.

Trade bodies and universities should be
working together more on risk training, and that's around the world not just here, because even those coming out of the top universities and finance programmes do not have an inkling about risk and what it means to companies today. I'm working with small-to-medium and public sector entities on learning the ISO 31000 certification, but this needs to be continuous in terms of how you apply it to your business situations in a fast-changing world; how will you use AI and now the consequences, risks and opportunities of ChatGPT and who decides that and creates the governance for it? [2]
Risk governance consultant in Dubai

[2] ISO 31000:2018, the latest update of the international risk management standard, reinforces the importance of managing risk culture. It requires top management to demonstrate their commitment to risk management and its alignment with the organisation's strategy and culture. Organisations must also evaluate the effectiveness of the risk management framework on the behaviours of their people. Risk and financial professionals therefore have a major role to play in managing corporate culture.

and the need to put new technologies into practice. These competing forces are why the data shows such a mixed picture.

While our survey findings did not indicate a direct link between employee wellbeing and risk culture, certain testimonies in our roundtable discussions implied that employee wellbeing resulted in better employee engagement, which therefore shows some correlation with a better risk culture and management of people risk.

Internal audit members in previous research discussed how, once Covid-19 struck, their roles became less about adding up numbers and more about making judgements in difficult situations (ACCA 2021). The pandemic proved how modernising and more frequent monitoring
were required at even the most profitable firms with mature risk frameworks. We heard how organisations could structure governance better, particularly for the relationship between the first and second lines of defence and how the past few years have proved the importance of collaborating while also maintaining independence for the second line.

When we asked about risk culture, most respondents, irrespective of sector or organisational size either agreed, or neither agreed nor disagreed, that their organisation's risk culture had improved (Figure 2.6). Respondents in China were generally much more confident in their organisation's risk culture compared to other countries.

57% OF RESPONDENTS SAY THAT THEIR RISK CULTURE HAS CHANGED FOR THE BETTER SINCE THE PANDEMIC.

It might intuitively appear that the number of respondents saying 'oh yes, the pandemic has improved/changed our risk culture' would be higher. What our discussions on the responses brought out is that there is a will to improve, and many things are improving, but at the same time the post-pandemic environment is very challenging, particularly given that scarce resources are coupled with rising costs

[Figure 2.6: The pandemic got more than half of the respondents' organisations to rethink risk culture. Chart of responses to 'Risk culture has changed for the better since the pandemic' (Strongly disagree, Disagree, Neither agree nor disagree, Agree, Strongly agree, Don't know or N/A, Prefer not to comment), broken down by sector (Public practice, Public sector, Financial services, Not-for-profit/charity, Corporate sector, Retired/between jobs) and by organisation size (SME, Large). Data rounded to nearest whole number.]

An ACCA member who had worked as head of internal audit for multinational companies based in Japan, China and India, decided to leave her corporate job during the pandemic to set up a risk advisory business that supports small-to-medium-sized enterprises (SMEs) in Asia, mostly in China.

RESPONDENTS SAY AN EFFECTIVE RISK CULTURE NOT ONLY AVERTS DISASTERS BUT ALSO PRESENTS OPPORTUNITIES.

If a 'being compliant' style of management or a 'tick the box' audit and risk management style are what drives risk strategy, then we conclude that in itself is a significant risk since it moves away from the specific context of the organisation's purpose and distorts important, high-level
decisions, which have to take full account of both threat and opportunity. This distorted perspective essentially implies that the purpose of the organisation is to be compliant with regulatory requirements, and that would seem far from the true purpose and mission of an organisation and its value proposition.

An optimistic portrayal of risk culture was mentioned repeatedly in our research: a risk culture built to take on risks in a more informed way and with the most directly bottom-line focus possible for gaining a competitive advantage. In conversations, respondents admit that they are not seeking 100% compliance but, rather, thinking of risk as a language that everyone in the organisation speaks.

I have worked in both the private and public sectors for decades and can say that while risk culture has become more important, given the circumstances today, it is in its infancy. But, suddenly, being thrust into this economic shift where annual funding or revenue streams disappear, and where we are faced with situations that we had not prepared ourselves for, means we need to rethink how we operate. It has been survival mode for the last three years, meaning you're managing things month-to-month and not thinking about investing in something that has long-term implications.
CFO in Canada

I saw how much human and manual errors are holding SMEs back. Helping them adopt blockchain, AI and other open-source technologies for processing orders and payments can change the course of direction of their business very quickly. Many of their founders or leaders don't understand how attitude can help them drive that until they start weighing risk and opportunity, and once they start talking about that they see how avenues of investment and growth can happen during stressful times.
Risk adviser, Far East

We continue to hear members talk about bringing due diligence processes up to date, but this requires resources, and most organisations are struggling with budgeting for the long term, especially as technology advances
rapidly and economic conditions become increasingly uncertain. Respondents talked about the conflict between short-term shockwaves and the need to think for the long term and move on from costly legacy systems.

In my mind the overall approach to risk management has been from a defensive perspective for decades and I think culturally as a profession we have not talked enough about how we think the other way; how it can actually give you a competitive advantage. That's why we fall back into ticking the boxes and why it's only the people who are responsible for risk who have a more positive view of how we are doing compared with others. That is a tough line to cross but as we see more of us thinking about risk culture, maybe we will start to see the real benefits of risk management as opposed to this unconscious bias that it is all about meeting defensive requirements.
CFO at mid-size corporation in North America

LEADERSHIP RISKS: What to look out for
by Dr David Cooper, Cooper Limon

Leadership risk relates to the way in which the process of leadership and the way leaders think and behave determines value creation and destruction. It is often a significant contributing factor when there is a sudden collapse in enterprise value: recent examples include WeWork, Theranos, FTX, Silicon Valley Bank and Signature Bank. Indeed, it is increasingly recognised as being significant for all businesses as understanding the role of leadership provides a richer, more contextualised understanding of risk, a counterbalance to overly rational analytical approaches.

The leadership risk perspective has a number of key aspects:
• Leadership risk is not a separate category of risk, it relates more to the wider organisational environment in which risk management happens.
• Leaders cannot objectively view the risk landscape from the outside because they themselves are part of the risk landscape.
• This view encourages those involved in risk management not just to consider what the risks are but also to take account of how they are looking at risk, with a particular emphasis on revealing hidden assumptions and blind spots.

Leadership risk and risk culture are closely intertwined: leadership happens in a cultural setting which both influences and is influenced by leaders. Several themes highlighted in this report have a leadership risk dimension:
• concern about the extent to which senior leaders are perceived as being detached from the reality of the business
• issues relating to the expectations set by senior leaders in relation to risk management and how accountability for risk is managed
• the approach that senior leaders take when making resources available for risk management
• the disparity of perspectives on risk perception across different roles (even within the risk-management function) and age groups
• the prioritisation of regulatory compliance above (and potentially at the expense of) other risks more directly related to value creation and destruction.

To engage effectively with culture risk, it is important to consider the leadership risk
perspective and the ways in which this influences the definitions, decisions, approaches, and reactions associated with the process. Several comments from the respondents in our research underline why senior leaders should consider the following questions:
• How effectively are we capturing culture risk and leadership risk on our high-level risk dashboard? How far do we bring these subjects into discussions about risk and the wider organisational purpose?
• What gets in the way of engaging more actively with the culture risk agenda? How can we address this?
• What new skills, competencies and frames of reference does our organisation need to ensure that we take proper account of culture risk and leadership risk?
• How far does our culture provide people at all levels of the organisation with the requisite understanding of the risks associated with their role, particularly when they exercise discretion? Does everyone feel included in the discussion of risk? How are we monitoring this?
• How do we ensure that our risk managers have sufficient time to stop and reflect? Could a culture of chronic busyness be depriving them of time to think about or discuss risk?
• How confident are we that our culture facilitates candid and transparent communication about risk? This includes:
  - top down messages about risk appetite and key priorities framed by the higher organisational purpose
  - bottom up challenges and messages about emerging threats and opportunities that challenge the status quo
  - whether we are using culture to ensure we are authentically connected to the reality of the business.
• How far are we critically evaluating how resources are allocated and deployed to ensure we embrace a range of approaches and perspectives on risk management? Are we overly skewed towards (simplified) quantification and analysis?
• How self-aware are we as leaders?
• Does our culture provide our risk managers with the confidence and the licence to consider leadership risk properly and to challenge and evaluate leaders as part of that?
• Does our culture provide the requisite level of trust and safety so that people are comfortable challenging, questioning and communicating bad news?
• How fit for purpose are our expectation-setting and performance-management practices in relation to the risk-management function?

One of the best aspects of our research is that the survey results allowed us to compare responses between people
who are risk professionals and those financial professionals who are not in roles explicitly related to risk (Figure 2.7). We were also pleased that the number of respondents in each role gave us the opportunity to dig deeper into specific roles, such as those of chief risk officers and heads of risk and put them into context in relation to internal audit, for example, especially when we were speaking with them or reading their responses to the two open-ended questions in the survey, which we will discuss later in this chapter.

We also asked about risk versus non-risk functions across other dimensions, such as age. Here it was clear that younger respondents tended not to work in a role explicitly related to risk but interestingly many were actively considering some form of risk role as part of their job activities, and we learned through our discussions that Gen Zs and Gen Ys yearn for more involvement in the risk conversations at their organisations. During our special interest group discussions, lack of experience was highlighted as a risk from a risk knowledge perspective, and the possible reasons for it went beyond the simple dimension of seniority being linked to age (Figure 2.8).

FIGURE 2.7: Who is who in risk?
4% Chief risk officer; 5% Head of risk; 50% Other role related to risk; 41% Not in a role related to risk (Data rounded to nearest whole number)
• CHIEF RISK OFFICERS: Mostly in regulated or large multinational companies with some being regional CROs of big oil, insurance, investment banking, chemicals, pharma companies for example
• HEADS OF RISK: Overseeing enterprise risk for medium to large businesses or in charge of certain risks, including operational, credit, market, cyber, as well as culture and conduct. Heads of Risk may be the most senior risk leaders in large multinational companies where sectors are less regulated
• RISK ROLES BUT NOT CRO OR HEAD OF RISK: This includes internal audit (though we found some internal audit in the heads of risk if they had risk in the title too; external audit, finance teams, compliance as well as other C-suite)
• ROLES NOT EXPLICITLY IN CHARGE OF RISK: Financial controllers, accountancy practitioners, academics, consultants, training, entrepreneurs of different types, many public sector positions, and a range of business development roles

[Figure 2.8: Roles by age. Chart of respondents' roles (I am the Chief risk officer; I am the Head of risk; I work in a role related to risk which isn't either of the above; I don't work in a role related to risk, but I am considering it; I don't work in a role related to risk, and I am not currently considering it) across age groups Under 25, 25-35, 36-50, 51-65 and Over 65. Data rounded to nearest whole number.]

Are age groups defining and understanding language in a different way? Or perhaps age groups differ in terms of risk perception? An effective risk culture should provide a consistent point of reference which would hopefully flatten out such differences.
Special interest group participant

Who is who in risk management?

When the differences between age groups came up in one of our CROs Forum sessions, one member, who said he has become fascinated by the whole area of behavioural economics and its application to risk management, advised us to be careful not to stereotype different generations, otherwise you may create artificial generational divides that make it even more difficult to get the language right across the organisation. Our findings attest that the needs of all ages are complex and in constant change, and we
see how understanding both the similarities and differences between generations is a key first step in both attracting and keeping pany. It dropped to 2% in the financial sector and rose to 20% in the not for profit/charity sector (Figure 2.9).

Jane Walde, an enterprise risk consultant, and member of the special interest group, emphasises that without risk leadership and adequate tone from the top, it is very difficult to shape and embed a risk culture (Figure 2.10).

[Figure 2.9: Risk organisation varies across sectors. Chart of who is responsible for the risk function (We have a Chief risk officer; We have a Head/Director of risk; Our finance team is responsible for our risk function; Internal audit is responsible for our risk function; Our risk function is overseen by a non-executive director; There isn't a dedicated risk lead in my organisation; Other; Don't know/Not applicable), shown for All respondents* and by sector (Public practice, Public sector, Financial services, Not-for-profit/charity, Corporate sector, Retired/between jobs*).]
* Data shows the % of total responses, so 19% of responses were 'We have a Chief Risk Officer'. Note that multiple responses from one person are possible.
* People not currently working were asked to answer with reference to their previous job.

The CEO and I are in our 40s and we work well together but that doesn't mean that I do not work just as well with those on the risk committee or in my team who may be on other ends of the generational spectrum. This kind of engagement is another important aspect of risk culture and another reason why culture becomes so important to your competitiveness. Even if technology is making our processes more efficient, at the same time I see the human aspects of risk more than ever before.
ACCA CROs Forum participant

We also looked at where the responsibility for risk within an organisation sat from a functional perspective. Our data shows that most organisations represented by the survey respondents placed responsibility for risk with either specific risk employees, a CRO or head/director of risk, internal audit or finance teams, and a minority placed the risk responsibility in the hands of a non-executive director or other function. The numbers responding, there isn't a dedicated risk lead
in my organisation varied by sector. Overall, 13% of the respondents said there was no specific risk leader in their

8% of respondents said the risk function is overseen by a non-executive director. Perhaps this should open a debate about whether the risk function should be overseen by a non-executive director, or at least have regular conversations with one given that the governing board or trust are ultimately responsible for the risks the organisation is taking.
Jane Walde, enterprise risk consultant, who is also a member of the special interest group and ACCA's Global Forum for Governance, Risk and Performance

And on the topic of accountability for risk among non-risk functions, the role of HR alongside risk and finance teams arose often in discussions as being an essential part of avoiding blind spots: from bullying to expenses patterns, we heard how many are known but not addressed. Every business transformation requires a culture transformation, as one respondent also put it.

The HR function is just as much a compliance function as the risk function. HR sometimes thinks that they are there to develop career growth. That's the sexy part, but when you're dealing with so much change, you need a strong, smart HR department that understands the company's mission and values, or else your culture can really decline. You need an HR department that's going to work with the business and help manage the behaviours during trying times.
Head of internal audit & risk, apparel company

FIGURE 2.10: The Three Lines Model and Risk Appetite
Source: adapted from Airmic-Arthur D. Little-QBE EXPLAINED Guide, Risk Appetite, 2021
• First line: Real-time monitoring and reporting: track performance and detect adverse trends for effective decision-making. Monitoring of KRIs and KPIs
• Second line: Independent oversight by top management to ensure both application and governance of risk appetite meet expectations. Management review
• Third line: Independent audit ensuring assessment criteria address risk appetite requirements across all functions. Audit controls (internal and external)
• Procedures to define operations of all functions* including related risk appetite ranges, floors, ceilings, etc.
• Documented procedures for all functions including risk appetite process and governance
* Make sure there are no black holes or glass ceilings where process controls and risk appetite parameters do not reach. It may prove difficult to define, control and set metrics for some functions such as those with sensitive information (finances, HR) or creative processes (design, marketing), or managers may try to avoid the process controls applied in the core operations and service delivery. This would very likely have damaging knock-on effects, including avoidance of monitoring, audit and reporting for management oversight, so it is important to map out all functions in your organisation as one connected management system to ensure nothing has been missed.
* Emphasised here to spotlight risk appetite, but in practice, it is likely to be both part of operating procedures and controls defined around risk management/ERM overview itself.

preferably with the advice of the risk function, which can signpost risk indicators for internal audit to test.

Whether risks were typically
reported as part of an organisation's budgeting and forecasting processes varied: only roughly two-thirds said that risks were included in the internal financial processes. Since all controls require resource, any adjustments to budgets should be firmly based on the necessity (or otherwise) of controls. An understanding of how these controls will change the risk so that objectives can be met within the ethical values of the company is necessary when determining whether the budget allocation is sufficient. Risk gives a basis for prioritising spending, and it should be remembered that meeting behavioural and cultural aims also requires resource, so the question should be not 'Can we achieve our objectives?' but rather 'Can we achieve our objectives in a way that corresponds with our ethical and cultural values?'

Our survey also examined the effectiveness of internal auditors and planning processes. We asked, 'Can internal audit at my organisation verify whether proper internal controls and processes for dealing with risky behaviours are in place and adhered to?' Only around two-thirds agreed that internal audit could verify internal controls for risk taking and approximately one-fifth either disagreed, didn't know, or preferred not to say (Figure 2.11).

The data could indicate another blind spot, this time in internal auditing. Perhaps the difficulty arises because most intended controls for behaviour are policies and guidelines, and the test should be on how behaviours change in practice. There is also the possibility that reactive controls, such as penalties for misconduct, can be tested and reported better (or created, if not in place). Other levers and predictors of behaviour, for example, bonuses, might also be risk-assessed for unintended consequences,

[Figure 2.11: Potential blind spot: only two-thirds of risk and financial professionals believe that internal audit can verify internal controls. Chart of responses by role (Chief risk officer, Head of risk, Other role related to risk, Not in a role related to risk) to three statements: 'Internal audit at my organisation can verify whether proper internal controls and processes for dealing with risky behaviours are in place and adhered to'; 'Risks are typically reported as part of my organisation's budgeting and forecasting processes'; 'Senior management is sufficiently aware of what is going on at all levels of the workplace'.]

How internal audit evolves with risk management remains a big question

Most respondents said they had a good understanding of risk appetite in their organisation, with the under-35s and those not explicitly in a role related to risk rating their understanding lowest. This was still at a very high overall level, at around 80%, which was not only astounding to everyone involved in the data analysis but also contradicted what respondents were revealing in the roundtables and online community pop-up platform (Figure 2.12). A good understanding of what risk appetite is supposed to be does not necessarily mean the behaviours and culture inside an organisation reflect the stated appetite for
risk taking. Culture and risk appetite too often diverge and work against each other as separate forces.

[Figure 2.12: Making sense of the overconfidence about understanding risk appetite. Chart of 'Don't understand much/at all' versus 'Understand to some/great extent', by age (Under 25, 25-35, 36-50, 51-65, Over 65) and by job role (Chief risk officer, Head of risk, Other role related to risk, Not in a role related to risk). Don't knows remain the balancing figure for each age/role.]

Risk appetite is a key component of enterprise risk management. Willingness to bear risk can be defined as an organisation's desire or aversion to pursue opportunities in an uncertain business environment and as how much volatility around an expected outcome is tolerable in terms of capacity, regulatory compliance, ethics, reputation, and alternative costs for a business. Risk appetite varies between industry sectors and between organisations within sectors, and by geographies and types of risk. The level of regulation and capital intensity of an organisation will also influence its perception of acceptable risk in relation to potential opportunities. The context in which all organisations operate is dynamic, and an approach of continuous improvement should be adopted to ensure that risk appetite is reviewed and updated in synchronisation with change, and signed off by key stakeholders, including the Board. Key is that whatever the business and whatever the context, risk appetite and risk culture should reflect “the way we do things here”.
Julia Graham, CEO, Airmic

The stated greater understanding of risk appetite in 50 to 65 year-olds and over 65s in the survey data is again perhaps another reflection of overconfidence and therefore, dangerously, a complacent view that it is not necessary to be particularly engaged or concerned. This was one of the viewpoints in one of our special interest group discussions.

Many of that age would be in senior positions or board level and are probably not trained to deal with new and challenging issues around risk culture, so they are more likely to want to keep doing what they have been doing. There is a hardening, a sclerosis if you like, across organisations and industries. There'll be a “first man over the wall gets shot so no one wants to go first” scenario. There's also a defence of sorts in saying “we're doing the same as our peers” and thereby claiming to be “best practice”. How about “effective practice” as a better alternative? If you don't have an effective practice, how can you be confident that you really understand the risk appetite of your organisation?
Special interest group participants

A GOOD UNDERSTANDING OF WHAT RISK APPETITE IS SUPPOSED TO BE DOES NOT NECESSARILY MEAN THE BEHAVIOURS AND CULTURE INSIDE AN ORGANISATION REFLECT THE STATED APPETITE FOR RISK TAKING.

Risk appetite: even when people understand it, they behave differently

Since articulation of risk appetite helps guide and inform behaviour and therefore culture, it is logical to suggest that improved communication of risk appetite is going to be beneficial in building a successful risk culture. Respondents also noted, however, that within a single multinational organisation different appetites for risk may
be appropriate in different regions and that will warrant different conversations about it.

These comments on benchmarking also remind us of Daniel Kahneman’s book Thinking Fast and Slow (Kahneman 2012) in that we can rely too much on making simple immediate judgements because being decisive is a behaviour all senior executives like to display. Kahneman’s slower thinking is about the more effortful thinking required to understand complex entities. This is what leaders in effective risk cultures will demonstrate: they will admit “I don’t know”.

Another example of the desire for black and white thinking leading to overconfidence in assessing risk appetite stood out from a comment in our online community pop-up, given there are always going to be two sides to this: qualitative and quantitative.

RISK CULTURE: BUILDING RESILIENCE AND SEIZING OPPORTUNITIES | 2. KEY FINDINGS FROM OUR ONLINE SURVEY

People can get
stuck on benchmarking. How am I doing against others? How are you doing when it comes to the effective management of risk in your business? I tell board members I can compare their organisations to anybody, but it might be different tomorrow morning. Rather, what I suggest is they improve their level of maturity by not obsessing about benchmarking. See where you are instead, and how you can grow. And this is hard, not just because I’m handing them a problem as opposed to a simple solution, but because if they get any of the Big Four coming into their business and doing their version of a risk culture maturity assessment, one of the key things they’ll say is “we will benchmark you”. I would really like to steer people away from benchmarking as the solution.
Special interest group member

You might say that you have zero tolerance for risks that will damage your reputation, such as cyber risks, but nobody in the world can have zero tolerance for reputational or cyber risks because it’s not a matter of if they’re going to hit you, but when. You can’t zero them out so expressing that in a risk appetite statement is ridiculous, it’s not real. A risk culture perspective on risk appetite says: is risk appetite known by every employee and are they acting within it? Are people operating at the top end of your risk appetite so we can give them the best “risk taking assessing reward?” That is a good culture.
Online community pop-up participant

Risk culture is about both diversity and cohesiveness. Getting that balance right is integral to how an organisation is governed, and it reflects how well an organisation can achieve its objectives. There is no single right or wrong risk culture. This is something borne out in our research. We found that risk culture and how it is framed varies hugely, depending on the organisation: what industry it is in, what regulations it must follow, who the stakeholders are, as well as how its stated purpose and tolerance for risk are defined. Structures within any single organisation might also constantly change as the speed of risk accelerates. Nevertheless, the implications of diversity, cohesiveness and good governance cannot be overlooked.

Risk appetite, it is pretty different across the different regions we work in. For example, in the West we basically have a larger risk appetite for trading activities, and in the China region a larger risk appetite for real estate and property. I also believe there’s a difference between the culture of the banks and branches of them within Asia. For example, banks in Singapore and Japan sit somewhere in-between Western and Chinese banking culture.
CRO at a global investment firm in Hong Kong SAR

Even for the banking sector there will be different business models. You look from one side of the world to the other and you will see that their appetites or tolerances for risk will be night and day, so there’s no template for risk culture and that’s especially true when it comes to perceptions of risk appetite.
Non-executive director for Asia-based bank

Overconfidence is a result of opting for apparently simple solutions where in practice there are none. One member of our special interest group pointed out the challenges of persuading senior people that simply benchmarking yourself against others is not the answer.

FIGURE 2.13: Key concepts of risk appetite
Diagram labels: Decision-making; Assurance
RISK APPETITE: The amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives, balancing both threats and opportunities.
RISK CAPACITY: The amount and type of risk an organisation is able to support in pursuit of its business objectives.
RISK TOLERANCE: The specific maximum risk an organisation is willing to take regarding each relevant risk.
RISK LIMIT: Thresholds to monitor so that actual risk exposure does not deviate too much from risk target and stays within the organisation’s risk tolerance and risk appetite. Exceeding risk limits will typically act as a trigger for management action.
RISK TARGET: The optimal level of risk that an organisation wants to take in pursuit of a specific business goal.

A related point made by members is that there can be very good reasons why risk appetite needs to change, but if it does then culture and communication should be carefully adjusted to ensure that alignment remains. Our research also revealed that even if you have your risk appetite, risk culture and behaviours perfectly in line, when a person has to make a quick decision they may do something completely out of step because of the pressure of the moment.

The consensus is that risk appetite has become much more theoretical than practical and that many perhaps claimed to understand risk appetite just because they were aware of the organisation’s risk appetite statement (Figure 2.13). People tend to become more willing to accept a higher level of
risks, given that every day seems to bring something new and unexpected to worry about. That might be another explanation for overconfidence in the findings related to risk appetite.

I think there’s going to be a sea change in the way we perceive risk. People might be saying that “risk is covered” or that “we are good with our risk assessments”, but I would say deep down they know that is not the reality of it, especially when it comes to conduct.
Chief audit officer in Europe

A risk appetite statement could be something beautiful and flowery, whatever the case may be, but there’s no way to measure it since it is changing all the time. I have seen situations where we’re not actually taking enough risk, because people want to follow their procedures, and they don’t want to grab the ball and be the person who’s called out if something goes wrong. On any given day the overall position might not be out of line with the stated appetite, but it may be that someone is just so worried about something going wrong, that they don’t want to take the chance.
Risk manager at bank in North America

THE CONSENSUS IS THAT RISK APPETITE HAS BECOME MUCH MORE THEORETICAL THAN PRACTICAL.

Source: adapted from Airmic-Arthur D. Little-QBE EXPLAINED Guide, Risk Appetite, 2021

Nonetheless, respondents did agree that whether it is firefighting or chasing profit opportunities, the overconfidence in knowing what our biggest risks are is just as hazardous. That individuals have different perceptions of where risk appetite fits in was also a
common concern, particularly in the banking and professional services environments. This becomes most problematic when distinguishing good versus bad risk taking. Unfortunately, risk registers and risk reports are not going to solve these problems.

When we asked respondents whether their organisation’s risk culture was aligned to its purpose, the results were similar, with around 70% agreeing, chief risk officers scoring highest at 80% and heads of risk lowest at 63% (Figure 2.14). On the one hand the data shows a clear majority agreeing there is alignment on the difficult topic of alignment between culture and organisational purpose, but at the same time about one-third do not believe there is. But again, what about overconfidence? Do respondents genuinely understand whether their culture is aligned to purpose or were they basing their agreement on statements written on their websites?

The short-sightedness of relying on what you can see was famously illustrated by Donald Rumsfeld, the former US Secretary of Defense:

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; things we know that we know. We also know there are known unknowns. There are things that we know we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.”

His famous quote came up often during our research discussions and led us to another point: that claiming you are not biased is perhaps the worst bias of all. The ability to recognise the
limits of your knowledge and say “I don’t know” is key to effective risk management, but what is equally important is following up and reducing knowledge gaps as far as possible.

As we learnt through one-on-one interviews, there are diverging definitions of what risk means and indeed how purpose is related to it. This was thought-provoking, since the respondents were all risk and financial professionals.

FIGURE 2.14: One-third say culture and purpose are not in line
80% CHIEF RISK OFFICER
63% HEAD OF RISK
74% OTHER ROLE RELATED TO RISK
69% NOT IN A ROLE RELATED TO RISK

I’m trying to transform and combine financial and non-financial risk quantification on our risk register and have learned early on how much understanding behaviours matters. The real lightbulb moment is when you’re trying to get this super aggregate of the different levels of risks and potential control failures. From an accountancy perspective, scenario analysis is at the heart of understanding what can go wrong, but this also is where all these questions and images about customers, safety, and how people think and act come in, so you see how behaviours have so much to do with it now.
CRO in Europe

The problem with risk reports is that the details become conveniently averaged out as you read along, so aggregating a core figure for risk proves unhelpful in the end. Quantumsic processes can mislead and disguise some of the finer sensitivities, and quite often the behaviour-based sensitivities of these finer details get buried at the back of the report and no one beyond the risk team ever reads them.
Dr Roger Miles, presenting on Behaviours at Risk at CROs Forum

AROUND 70% OF ALL RESPONDENTS AGREED THAT THEIR ORGANISATION’S RISK CULTURE WAS ALIGNED TO ITS PURPOSE. CHIEF RISK OFFICERS SCORED HIGHEST AT 80% AND HEADS OF RISK LOWEST AT 63%.

The inside story of overconfidence and debilitating misalignment between culture and organisational purpose

We also considered to what extent the mixed results reflect the constant battle between the culture believers and those more concerned with ticking boxes, and how we verify the risks and their implications. We found plenty of those financial professionals from outside the risk team agitating to be heard when we asked two open-ended questions and in the online community pop-up.

The alignment or not of an organisation’s risk culture with what it says it does publicly was a hot topic in our interviews. Respondents talked about culture risk or the risks in a culture where an organisation with a culture of dysfunction or fear, or conversely success-at-any-cost, carries the risk that its people will engage
in unethical behaviour and wrongdoing, something that is certainly not in line with its publicly stated purpose, risk appetite and values. This could stem from poor management, bad systems, or an environment in an organisation where misbehaviour is not reported.

We also found that the most optimistic respondents, by role, for alignment of culture, strategy and purpose are the chief risk officers. While the top risk for organisations overall is compliance, the Job to Be Done for many risk professionals is not about ticking a compliance box, but fixing the risk culture inside their organisations, because that is how they see these organisations becoming compliant. The message was clear that risk leaders are working passionately to improve culture and align it with purpose. Some perhaps believe they’re getting somewhere while others probably do not, but believe that they will or must somehow find a way to get the authority they need to change the mindsets of their peers.

FIGURE 2.15: Heads of risk less confident than others that risk awareness informs strategy
78% CHIEF RISK OFFICER
66% HEAD OF RISK
78% OTHER ROLE RELATED TO RISK
74% NOT IN A ROLE RELATED TO RISK

FIGURE 2.16: Those not in a risk role less convinced that risk culture is what the organisation says it is
78% CHIEF RISK OFFICER
72% HEAD OF RISK
70% OTHER ROLE RELATED TO RISK
66% NOT IN A ROLE RELATED TO RISK

Some banks have put names on teams to oversee behaviours, culture and conduct risks, but are these window-dressing efforts? It’s hard to see whether they have any real power or influence, and the concern could be that they are spending a lot of their time justifying their existence rather than driving true change. The CEOs do not want someone going over their head to the board so you can see how they’re able to deflect an issue downward into obscurity if they choose to do so.
Special interest group discussion

On the difference in confidence between chief risk officers and heads of risk, we saw a similarly more pessimistic view from heads of risk when respondents were asked whether risk awareness informs strategy (Figure 2.15). We also found those not in a risk role showed lower confidence when we asked whether public commitments are really aligned with risk culture (Figure 2.16). Thus, misalignment is certainly not something that only risk professionals care about. Some of the respondents in roles not explicitly in charge of risk told us they wished that they were more involved in defining and articulating the purpose and risk appetite statements (Figure 2.16).

The view of most risk leaders in our survey was clear-cut: if a company has a set of ethical values as a foundation of its culture and these are aligned with an efficient risk framework, in theory, compliance with regulations would be a natural consequence. This question is, for many, a reflection of their own work and the success of what they themselves are responsible for and trying to achieve, but the overriding challenge for them is getting others at the top to appreciate how behaviours in their organisation drive risk.

I think risk management is still seen as a process by most, whereas the effective management of risk is what we need to focus on. It’s more about the purpose being to support the execution of strategy. When we start looking deeper into the human behaviours that underpin the responses to risk, that’s the important shift in mindset we are talking about. It’s about the decisions that every employee makes every day in their job at any point in time. It’s about the employees having a risk-management mindset. If everyone looks left, right, and left again we have a stronger understanding of how to respond in any given situation.
Horst Simon, risk culture builder, Canada and Namibia, member of special interest group

Respondents talked about how the behaviour of people inside an organisation should be a focus when discussing costs, another hard numbers reason to promote the risk culture agenda.

We have to think about mistakes that our employees can make and how they respond to them.
This is something that we are focused on, and we know it can be costly if a customer’s satisfaction is affected. But this requires resources, and we need to think about where we innovate, where it matters most; and that is more challenging than you think because of the market we are in and the fast-changing headwinds we face today.
CFO from a US corporate

A member of our special interest group also pointed out the futility of relaxing for a moment simply because you’ve thoroughly ticked all the boxes you can possibly think of.

You can tick all the boxes and list all the risks that you know, but tomorrow morning that might be totally different due to any kind of external or sometimes even internal factors. There definitely was a risk register for Twitter, which changed overnight and there’s a risk register in most organisations which changed overnight when Covid struck. So, if someone expresses assurance that they are brilliant on any one day, that assurance may be worthless the next morning because they totally missed something like a global pandemic. It’s not about the plan and testing the plan, it’s about how people will respond to that situation when it happens.
Special interest group member

Do we need to be reminded of FTX? This wasn’t something done in the deep dark recesses of the crypto world. This was about some sophisticated people, some real knuckleheads when it comes to internal controls, approving expenses with emojis. It was just a crazy bad culture that brought it down.
Non-executive director at bank based in North America

We also see how organisations that focused on compliance and processes were falling down the incompetence slide, whereas those that understood the importance of culture and did something about it were more forward-looking. A good risk culture was viewed as an organisational culture that gives staff the capacity to spot emerging risks and act on them. A weak culture was described as misaligned, bureaucratic and process-driven: one that enables activities at odds with stated policies and values.

One of our respondents also pointed out that investment in technology without appropriate governance often carried huge risks of misfiring. This respondent talked about the scramble in 2020 to rush through digitalisation plans and how the continuous monitoring required to keep up with fast-changing ways of working was not sufficiently maintained.

We threw cash at new digital technologies and cyber risk software but conducted an assessment two years on and realised we didn’t get the proper implementation needed to reap the cost-savings benefits we thought we were getting, and in turn just exposed ourselves to more risk than we had before we’d invested in these new technologies.
Survey respondent

A GOOD RISK CULTURE WAS VIEWED AS AN ORGANISATIONAL CULTURE THAT GIVES STAFF THE CAPACITY TO SPOT EMERGING RISKS AND ACT ON THEM. A WEAK CULTURE WAS ONE THAT ENABLES ACTIVITIES AT ODDS WITH STATED POLICIES AND VALUES.

Phil James, a partner at the cyber risk boutique consultancy, CIO-Office, presented to ACCA’s Global Forum for Governance, Risk and Performance in February 2023 on developing governance and oversight for cybersecurity and new technologies and argued that only behaviour can stop many scandals, particularly those involving social media. Internet risk culture was a
subject that sparked much interest during discussions.

The conflict between “what somebody has told us we must prioritise”, ie, the box needing to be ticked, and “what actually needs to be done to ensure we are compliant” is a significant factor revealed by the survey, which showed that two-thirds of respondents agreed that culture, strategy, and purpose are aligned and one-third did not.

LinkedIn is the most common offender, but it’s not just the posts. You can lose valid usernames, password combinations and other confidential data without being hacked and that’s a risk that most organisations fail to look at. People might write confidential things in their CVs that reveal IT and security resources; what systems the company is good at or what projects they’re working on. That gives a lot away to the hackers.
Phil James, partner at CIO-Office

Risk conversations are happening in a vacuum at the top

FIGURE 2.17: Only 60% of risk and financial professionals believe risk is sufficiently discussed
61% CHIEF RISK OFFICER
62% HEAD OF RISK
60% OTHER ROLE RELATED TO RISK
54% NOT IN A ROLE RELATED TO RISK

ONLY AROUND 60% OF RESPONDENTS AGREED THAT RISK WAS SUFFICIENTLY DISCUSSED AT ALL LEVELS IN THEIR ORGANISATION.

Risk culture should enable leaders to connect with the emerging reality of the business so there would appear to be room for improvement here.
Special interest group member

My biggest challenge as head of risk is getting staff to understand that their responsibilities include acting as risk managers; making them see that while the risk team provides guidance, the business and risk owners still have to make the final decisions and take responsibility for risks
Head of risk on the survey’s question about what constitutes the biggest challenge

The lower level of agreement by those not explicitly in a risk role may also indicate that true enterprise risk management (ERM), where every function engages in risk management, is yet to be embedded in many of the organisations surveyed. Our conclusion is that silos still exist even in what is considered the most mature ERM framework.

In the open-ended questions of the online survey, those respondents in roles not explicitly in charge of risk said that interpreting volatile macro and political conditions and aligning them with risk strategy remained one of the biggest challenges. One respondent complained of a general over-confidence, within the business, that risks were all under control.

The capacity to deal with change and that expectation from the board that we can predict the future are all myths.
Respondent to online survey

We asked, “Are risks sufficiently discussed at all levels in your organisation?” Only around 60% of respondents agreed that they were (Figure 2.17). Our discussions about the results pointed to the fact that this is the opposite of what a good risk culture is supposed to do.

Our online-community platform revealed several reasons why different functions in an organisation may or may not be aligned: ticking boxes again, with the board and senior management talking in a vacuum. Overall, two-thirds of respondents agreed that their board and senior management have the same approach (Figure 2.18). But there were a lot of “I’ve heard enough about tone at the top” comments in our discussions, and many respondents, including those in senior management, said that with the changes in work and virtual board meetings “tone from the top” is a cliche that has lost meaning. A chief risk officer from an insurance company in Europe helped us understand another perspective behind the data: exactly how potent is the tone from the top and should it also be assessed when we think about expectations of what a risk culture can do?

FIGURE 2.18: Different functions speaking different languages about risk
74% CHIEF RISK OFFICER
73% HEAD OF RISK
65% OTHER ROLE RELATED TO RISK
61% NOT IN A ROLE RELATED TO RISK

While the board has overall responsibility for culture, including its alignment with risk culture, it is essential to assess the effectiveness of “tone from the top” when ensuring that the expected risk culture is happening in practice.
CRO, insurance company, Europe

One audit committee chair at a Hong Kong SAR conglomerate also commented on the importance of cascading risk awareness throughout the organisation.

Strong risk awareness is important in what we all do, not only in a risk department. Our group board, through the audit committee, defines the tone at the top regarding the culture of our risk management and controls and must lead that by example. Our chief risk officer at the bank subsidiary drafts our risk appetite statement but that is discussed with many others, including other board committees and every business function head. The CRO and chief operation officer coordinate training, townhall and communications with staff about our risk appetite. The government in the China region provides guidance on cultural exchange and promoting people bonds and cooperation, and we follow that.
Audit committee chair, Hong Kong SAR

We can talk about tone from the top but what about the tone from the middle? You can’t just have your senior management, the C-suite and the board talking about how we’ve got a healthy risk culture. How do you convey that and how does it cascade to the rest of the staff?
Online community pop-up

We can see how misaligned the risk culture is from the first conversation we have with a client, so we do questionnaires and interviews before we help them implement risk management frameworks. Management then has an ongoing communication with the risk takers and the wider audience about what really defines their risk appetite and how those at the end of the curve
can pick that up. They then see how alignment can be improved simply by having people be part of the conversation. The more who are involved in the conversation, who know what’s behind the KPIs or KRIs, the better. It really is about knowledge and information sharing.
Risk advisory consultant with a Big Four firm in Europe

In a roundtable of European respondents, a risk advisory consultant at one of the Big Four accountancy firms talked about how conversations at each level are critical for people to understand what’s behind KPIs or Key Risk Indicators (KRIs). The point is that without conversations there is no possibility of being on the same page and our survey showed low levels of maturity overall.

Board and senior management coordination needs to improve

My organisation has already conducted a maturity assessment/audit of its risk culture within the current financial year, by region
Regions (as listed): Mainland China, Hong Kong SAR, Macau SAR and Taiwan region; Asia Pacific minus China regions; Europe; Africa Middle East and South Asia; UK (England, Scotland, Wales, Northern Ireland); North America and Caribbean
Values (as listed): 38%, 30%, 29%, 28%, 27%, 26%, 23%

Our online-community platform also provided perspectives about the link behind whether people are on the same page (or not) and incentives and rewards. The difficult question of how you reward someone for contributing to a good culture was highlighted in discussions.

ONE-THIRD OF SURVEY RESPONDENTS HAD CONDUCTED A RISK ASSESSMENT IN THE PREVIOUS 12 MONTHS, BUT HOW DID IT ADD VALUE?

We asked respondents whether they had conducted a risk culture maturity assessment or audit of risk culture, and about one-third said they had conducted one within the current financial year, and around 20% more said that they were planning one (Figure 2.19). Again, we get the same message: there is interest in the topic, but it is certainly not an automatic feature of an organisation’s annual priorities, and interpretations of what an assessment might be vary.

FIGURE 2.19: More than half have worked or are working on risk maturity assessments
My organisation has already conducted a maturity assessment/audit of its risk culture within the current financial year: 30% CHIEF RISK OFFICER; 33% HEAD OF RISK; 33% OTHER ROLE RELATED TO RISK; 26% NOT IN A ROLE RELATED TO RISK
My organisation is planning to conduct a maturity assessment/audit of its risk culture within the current financial year: 20% CHIEF RISK OFFICER; 21% HEAD OF RISK; 23% OTHER ROLE RELATED TO RISK; 14% NOT IN A ROLE RELATED TO RISK

Risk culture, or if you want, culture risk, is always, from a leadership perspective, going to be overwritten by something more existential, like cyber risk, and that’s the problem with so many organisations. They have a quarter-to-quarter perspective and it’s hard for them to focus on the bigger picture and that’s something the CEOs and CROs need to overcome together. Your call to action should be to look beyond the quarter-to-quarter performance. You’ve got to look at culture and its effect over the longer term. Lagging governance can certainly have a sudden, adverse deleterious effect. But as a CEO or CRO, how is your performance gauged? If you look at all the CEOs of the big US banks, it’s the earnings announcements. They get large bonuses based on stock performance, revenue and controlling costs. So, how do we reward someone for contributing to a good culture? There are just a number of things that need to be overcome.
Online community pop-up

The head of compliance of a bank in Greece couldn’t see how risk maturity assessments provide any reliable insight into risk culture and said that she didn’t believe any of the respondents from her part of Europe could say that they had completed one during the last financial year. Referring to a new Greek corporate governance rule requiring listed companies to appoint a chief risk officer, the respondent made the comment below.

While there appears to be positive feedback, we also saw no lack of alternative views on the effectiveness of risk maturity assessments when we spoke to respondents (Figure 2.20). One ACCA member who sits on company boards around the world said, “they’re often just a filler with little value added.”

FIGURE 2.20: Which of the following statements are true with regards to the outcome of an assessment/audit of risk culture at your organisation?
43% ...has added value by raising risk awareness/improving our decision making
31% ...has identified specific actions that we are putting into place
23% ...has helped to benchmark against our performance
3% None of the above

43% SAY RISK ASSESSMENTS HAVE IMPROVED RISK AWARENESS

We have had much success with incorporating behaviour economics and I have to say that when I engage the business in risk assessment exercises, I don’t even mention risk. Risk is counter intuitive because the responses range from blank looks or “it’s fine” to panic or a tendency to equate risk with a certain outcome. So, instead, I ask about verifiable facts and from this work with the management team I try to understand the risks that these facts give rise to or what risks can be inferred from the data.
ACCA CROs Forum

I’ve seen many risk maturity assessments, and they are all their own versions, but the reality is that companies are not really doing anything with them. The results stay in the
risk team and don’t really get acted on. Any sense of the real risk culture at an organisation is more of a check-list exercise from what I can see. Also, it depends on who you are talking to. So, if you are interviewing the people who are producing these programmes, they well may argue that it is working fantastically, but if you talk to another audience, they might say it’s a bit iffy.
Board chair

A head of risk from a mid-size tech company in Europe also spoke about the difficulties of producing quality risk-maturity assessments, explaining how it is one thing to identify the main risks but when you dig deeper into individual activities and processes to get a bigger picture, you end up with too many biases to piece together.

Right now, most of us are in the process of assessing all the new requirements of the law, but I have not seen many companies conducting actual risk maturity assessments and would add that I have never seen one that takes behaviours and culture into account. That’s not to say that people are not aware of wrongdoing or not doing something bad. It’s just that most of them are hidden secrets and have never been included. I think that’s why people have answered your survey in a confident way, at least from what I see in Europe. They feel confident because they genuinely do not know if anything bad has happened. They only know the impact of wrongdoing after the fact.
Head of compliance in Greece

We also asked about the outcomes of assessments of risk culture, which revealed that they come in many different forms. (See quotes from online community pop-up.)

(Data rounded to nearest whole number)

Indeed, a common thread across respondents in all regions and sectors was that everyone has their own interpretation of what a risk maturity assessment looks like and how it is conducted and used. A CRO at an insurance company in Europe talked about how theirs is acted on.

You cannot assess everything; you need to scope it. We look at a key process, certain geographical spread, or different types of risk drivers. Even if you have only the first line of defence submitting self-assessments, that’s still a lot of input so it becomes important to have tools to eliminate biases when you consolidate your inputs. Only then do you have a chance to genuinely capture a bottom-up picture to make visible to

322、the board.This is even more of a challenge today when the world is moving faster.The picture changes daily,but that makes it more important than ever to do continuous monitoring,and you cant do that unless you have key risk indicators at various levels within the organisation,not just at the top wit

323、h the risk team.If you ask yourselves whether something happened when the sickness rate was abnormally high,you need models that interpret how much of a deviation there is and whether thats something you need to look at,so the controls team know what direction that risk is moving in.You need pillars

324、 that will pick up the signals everywhere and the means to interpret those signals and analyse them.Head of risk,technology company,EuropeAlastair Goddin,head of risk at Asta in London as well as a member of the special interest group,ACCAs Global Forum for Governance,Risk and Performance and ACCAs

325、CROs Forum says it makes sense that there are no consistent views of what a risk culture or risk maturity assessment should look like,since there is no one-size-fits-all even in one industry,but that in regulated sectors it pays to modify them over time to meet individual needs.We conduct a maturity

326、 assessment model each year where we look at several dimensions from questionnaires that rank 1 to 5 on“culture,people and organisation”,“risk control cycle”,and“organisation and governance”.The CEO and CRO own the outcome and calibrate with the group functional heads to define actions and follow-up

327、s.For example,this year with People we saw the team had increased turnover,so we agreed to improve our succession planning and increase our interactions with the rest of the organisation.CRO,insurance company,EuropeWe have implemented a risk culture assessment framework,which has helped us to identi

328、fy areas for improvement,where our clients are doing well and where we can drive actions to improve the risk culture and therefore overall risk management framework.The approach is based on regulatory guidance but includes specific expectations of the Lloyds market.It has provided another view of th

329、e risk framework for senior management and the board.Alastair Goddin,head of risk,Asta,London35RISK CULTURE:BUILDING RESILIENCE AND SEIZING OPPORTUNITIES|2.KEY FINDINGS FROM OUR ONLINE SURVEYDOS AND DONTS in measuring risk culture maturity by Horst Simon,Risk Culture BuilderLEVEL 1:In a bad risk cul

330、ture,people do not care and will not do the right things regardless of risk policies,procedures and controls.This generally reflects an environment where risks are managed in silos,and people are always firefighting,with no clear risk owners,no real communication and weak accountability.LEVEL 2:In a

331、 typical risk culture,people tend to care more and will do the right things when risk policies,procedures and controls are in place.Risk owners are clearly defined,and roles and commitments are understood,but effective awareness is still lacking.LEVEL 3:In a good risk culture,people care and will do

332、 the right things even when risk policies,procedures and controls are not in place.At this level,there are integrated risk management teams with standardised roles and clear accountabilities,normally controlled by a central function that coordinates all activities.LEVEL 4:In an effective risk cultur

333、e,people care enough to think about the risks associated with their jobs on a daily basis,before they make decisions.There is strong cross-functional teamwork and employees apply sound judgement in the management of risk.A small central risk-management advisory team that understands the enterprise fully supports the business at all levels.Organisations at this level are well prepared for crisis ma
