ABSTRACT

This chapter explores what culture risk is, why culture risk is important and how to manage culture risk – starting with the need to create a baseline from which progress can be measured. The chapter ends by providing some ideas on what organizations can do to avoid culture risk and build a healthy risk culture. Culture is the system of values, beliefs and behaviors that shapes how things get done within an organization. Culture risk encompasses the misalignments that can occur between the organization’s values and beliefs and what is happening within and around the organization. Such misalignments can be caused by a wide range of factors, but generally involve the people, processes and technology internal to the organization as well as the extended enterprise and external stakeholders. These concepts consider the broader, holistic view of culture risk, not to be confused with the concept of “risk culture,” which is “the system of values and behaviors present in an organization that shapes risk decisions of management and employees.” A strong risk culture is the best defense against the types of incidents caused by an unhealthy level of culture risk. A culture risk management program provides insights into organizational culture, employee engagement, behaviors and external market signals that can drive actions to proactively manage culture risk. It should be one of the core capabilities to manage a portfolio of enterprise risks, like fraud risk management, internal control and operational risk management programs. The chapter identifies key foundational elements and actions associated with an effective culture risk management program.