The answer, in short, is that many organisations have a long way to go - but change is afoot. "For me, instilling a positive culture - one in which risk management is truly embedded - has been like pushing water uphill," one risk manager observed. "The company didn't have the mindset or budget for considering risk culture, even at the very top. But people are starting to see the value in it, and we are making progress at last."
Corporate culture has come under the spotlight in recent years. It may not be a sexy concept, and will rarely grab headlines, but yet it underpins so much of what constitutes best practice in risk management, and is at the heart of business resilience.
The tone from the top
The importance of leadership was a key theme of the roundtable. "The tone from the top is essential" according to Diane Côté, chief risk officer at London Stock Exchange Group. "And not just words but actions too."
Getting the CEO on side can be a challenge, especially in large, complex organisations where leadership comes from different sources. When Parma Pillay started his role as director of enterprise risk at Kingfisher, he observed a lack of collaboration across the many businesses that make up the Kingfisher group: "The conflicting interests and priorities were putting a stress on managing risks. They were affecting our agility and creativity."
Getting buy-in from all the CEOs from the different operating companies was therefore crucial to his mission of embedding a healthy culture. "The format and composition of the group executive was changed to include the operating company CEOs. This presented a platform for risks to be looked at collectively," he explains. And it has been a success: "They are now addressing risks in the context of the entire group strategic plan. It's now a top-down approach."
Part of the problem is that risk management is still seen as akin to "business prevention", and therefore viewed negatively by many across the business. This needs to change, the roundtable heard. "A turning point for me was when key people started to see the value of an embedded risk culture," noted Claire Combes of intu, owner and manager of some of the UK’s largest shopping centres. "Until that point, it was a challenge."
Mr Pillay of Kingfisher had a similar experience and said that persuasion was vital: "I had to personalise it - demonstrate how it was going to help individuals and the business units they were responsible for, that a positive risk culture is an opportunity. It helped me move risk away from its negative image."
Changing culture does, however, takes time. "I'm five years in and we still don't have an embedded risk culture," one participant observed.
According to Ms Côté, "It can take years to properly embed a risk culture. Management needs to be trained on the concept of risk culture and what it means for them individually." It is not always easy to alter mindsets, she admits, "especially when we are talking about legacy risk culture, and we have seen many examples of how legacy risk culture can impact the reputation of a company."
It helps to demonstrate clearly that a person's attitude to risk culture will affect them personally, according to another participant: "For example, if you make it seen that it will impact their remuneration and career progression, your message has more impact. It has to be shown that the old way of doing business is no longer acceptable."
A turning tide?
What can or should be the trigger for transforming the risk culture of an organisation? For most around the table, it was a crisis or near miss that jolted the CEO or senior management into action.
This is changing, though. The concept of corporate culture is more readily discussed by businesses, including at the c-suite level, helped by guidance from the Financial Reporting Council, for example. Gradually, albeit rather slowly, the notion that corporate culture is an important, strategic and positive consideration is starting to penetrate UK boardrooms.
For many risk professionals, this means they are at least pushing on an open door. As Ms Côté noted: "Thankfully, today we don't have to wait for that corporate crisis for a trigger to make positive change. The benefits are being seen."
Read Airmic and QBE's guide: The importance of managing corporate culture
Outlining how risk managers can contribute to the discussion on corporate culture and provide a simple framework for assessing and developing a positive corporate culture.
Access it here