Unit 5 Flashcards
(9 cards)
Risk culture
The IRM (2012) has defined risk culture as the ‘values, beliefs, knowledge and understanding about risk shared by a group
Confirmation bias
Conformity bias (or group think)
Authority bias
Loss Aversion bias
Bandwagon bias
Anchoring bias
Confirmation bias – we believe what we want to believe because the information confirms our existing preconceptions or beliefs
Conformity bias (or group think) – choices of a group or the majority influence how we think, even if it is against our personal judgement
Authority bias – where we favour the ideas of an authority figure
Loss aversion – once a decision has been made, sticking to it rather than taking risks, due to the fear of losing what you gained in starting something and wishing to see it finished
Bandwagon bias – where we favour ideas already adopted by others
Anchoring bias – where we are influenced by information we already know, and have trouble moving outside that pre-existing knowledge
The five indicators of positive safety culture LILAC
Leadership, Involvement, Learning, Accountability and Communication:
Leadership – promoting a positive safety culture
Involvement of staff – active employee participation
The existence of a learning culture – lessons learnt, communicated and improvements implemented
The existence of a just culture – movement from a blame culture to one of accountability, with care and concern for employees
Two-way communication – effective channels for top-down, bottom-up and horizontal communication
ABC Model - Risk Culture
Risk Attitude – the chosen position adopted by an individual or group towards risk, influenced by risk perception. Example: A startup founder might have a risk-seeking attitude, seeing uncertainty as an opportunity for innovation. In contrast, a hospital administrator might have a risk-averse attitude, prioritizing patient safety over experimentation. 4Cs of attitude: Comfort (green zone), Cautious (yellow), Concerned (orange), Critical (red)
Risk Behaviour – the external observable risk-related actions of individuals. Example: A project manager who always builds in contingency plans and buffers is behaving cautiously. Another who skips risk assessments to save time is behaving recklessly.
Risk Culture – the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose. Example: In a financial institution, a strong risk culture might mean that everyone from top management to junior staff understands and respects risk controls, and risk discussions are part of daily operations.
Risk Culture influences Risk Attitude
→ If an organization values caution, individuals are more likely to adopt risk-averse attitudes.
Risk Attitude shapes Risk Behaviour
→ A risk-averse person is more likely to act conservatively.
Risk Behaviour forms/ reinforces Risk Culture
→ When many people act cautiously, it strengthens a culture of caution.
Risk culture influences behaviours and attitudes
Double ‘S’ Model
Sociability – the people focus, based on how well people interact socially – on the vertical axis of the model
Solidarity – the task focus, based on goals and team performance – on the horizontal axis of the model
Four cultural types – fragmented, networked, communal and mercenary
Optimal risk position
Tolerable risk position
Optimal risk position – ‘the level of risk with which an organisation aims to operate’ (risk appetite)
Tolerable risk position – ‘the level of risk with which an organisation is willing to operate’ given current constraints (risk tolerance)
These definitions are comparable to risk appetite and tolerance in that the optimal risk position is related to risk appetite, and the tolerable risk position is related to risk tolerance
Six key principles taken into account when designing a framework for risk appetite
1. Risk appetite can be complex – oversimplification can cause problems
2. It needs to be measurable – otherwise risk appetite statements become fundamentally meaningless
3. It is not a single, fixed concept – there are a range of appetites for different risks that can change with time
4. It should be developed in line with an organisation’s risk management capability and maturity – the approach should be clear and supported before risk appetite can be understood
5. It must take account of different views at strategic, tactical and operational levels – to address risk appetite throughout an organisation
6. It must be integrated with the control culture – to balance risk taking and risk control at the right levels of an organisation and, at the same time, provide assurance that risk management and internal controls are effective
Describe the 4Ns of risk maturity and Characteristics (FOIL)
Naïve/Fragmented: Orgs do not understand the benefit of RM – Fragmented: RM focuses on legal compliance, e.g. HSE | Will automatically accept incompetent or undesirable behaviours | INFORM
Novice (beginner)/Organised: Aware of RM, just started – Organised: Actions are planned to co-ordinate risk management across all types of risk, but plans may not have been fully implemented | Will become aware that the behaviours are incompetent or undesirable and will try to improve, but have not yet achieved change | REFORM
Normalised/Influential: Embedded RM into business (not yet automated), but management effort is still required to maintain adequate ERM activities – Influential: ERM processes influencing processes and management behaviours, but this may not yet happen consistently or reliably | Improved normalised behaviours – change achieved | CONFORM
Natural/Leading: Orgs have a risk-aware culture with a proactive approach to ERM, and risk is reliably considered at all stages to gain competitive advantage – Leading: RM is a substantial factor in making business decisions, and strategy decisions are led by ERM considerations | PERFORM
Does the strategy define the risk appetite, or does the risk appetite define the strategy?
Risk appetite is often driven by strategy.
It is the business drivers and imperatives (absolutely essential or critically important for a business to achieve its goals) that are the primary concern for board members, not the level of risk involved. It is more often the case that the level of risk comes with the defined strategy, rather than the risk appetite defining the strategy.