Renew or Reinstate your Membership for 2025 today

  • Support
  • Log In
  • Sign Up
ANZIIF Logo
Go back
Professional Development

Need help with professional development?

Contact Support

View by Kind
Go back
View by Kind
Short Courses Qualifications Skills Units Compliance Webinars Events Articles Videos Activities Whitepapers Ask An Expert
View by Sector
Go back
View by Sector
Claims General Insurance Insurance Broking Reinsurance Risk Management Life and Retirement Income
All Professional Development The Journal Recognition of Prior Learning Your Career in Insurance
Studying with ANZIIF
Go back
Studying with ANZIIF Enrol Academic Calendar Assessments FNS20 Training Package Student Support
For Companies
Go back
For Companies Train your staff Life Insurance Professional Standards General Insurance Claims Handling Framework Reference books Government Training Incentives
Go back
Membership

Need help with your membership?

Contact Support

Member Tools
Go back
Member Tools
Login Become a member Renew or Reinstate your membership
Members Centre - Professional Development
About membership
Go back
About membership
Your Membership Guide Member Levels Benefits Certified Insurance Professionals Digital Badge Member Directory
Scholarships and Awards
Go back
Scholarships and Awards
Australian Industry Awards New Zealand Industry Awards Academic Awards Lloyds Scholarship Turks Bright Light Award ICNZ and ANZIIF Scholarship
Go back
About ANZIIF

ANZIIF is the leading membership, training and professional development organisation for the insurance and finance industry in the Asia-Pacific region. We partner with a broad range of organisations and government to provide services that support professional excellence. We help enhance standards and improve community understanding of insurance and finance.

Overview
Go back
Overview History Boards and Councils Annual Reports Media Governance Corporate Sponsorship Partners Careers at ANZIIF Contact
Community Initiatives
Go back
Community Initiatives
Your Career in Insurance Careers in Insurance Corporate Supporter Making a Difference Awards Donna Walker Awards Life Insurance Professional Standards General Insurance Claims Handling Framework Generation i
ANZIIF Logo
Professional Development Articles
Article
0.25CIP Points

What is the difference between conduct risk risk culture and organisational culture

John Dawson and Carmel McDonald — Principals, Dawson McDonald Consulting
14 Aug 2019 - Reading time 6 minutes
Risk Management
What is the difference between conduct risk risk culture and organisational culture

The purpose of this paper is to offer some observations on organisational culture, risk culture and conduct risk and to encourage reflection on the differences and similarities between these three aspects of culture in organisations.

This is not a piece of academic research but results from our practical experience at DMC in helping clients to improve their risk culture and from our broader work with clients as Certified Performance Technologists, which requires a deep involvement in organisational culture.

The Principals of Dawson McDonald Consulting (DMC), John Dawson and Carmel McDonald, both have social science backgrounds. 

Both have also achieved Certification by the International Society for Performance Improvement (ISPI) as experts in that field so naturally they have a close interest in what influences behaviour in organisations and how that impacts on organisational performance. 

DMC has been helping private and public sector organisations for more than a decade to strengthen their Risk Cultures.

WHAT IS CULTURE?

Anthropologists do not appear to agree on a common definition of culture as more than 150 definitions are available.  These disparate definitions apply at the level of a society and help to generate many varied definitions of organisational culture.

Here are two definitions that we find helpful in thinking about organisational culture.

‘Culture is a fuzzy set of basic assumptions and values, orientations to life, beliefs, policies, procedures and behavioural conventions that are shared by a group of people, and that influence (but do not determine) each member’s behaviour and his/her interpretations of the ‘meaning’ of other people’s behaviour.’[1]

Note this stresses that culture influences an individual’s behaviour but does not determine it.

VISION, VALUES AND SYSTEMS

Wikipedia offers this definition of organisational culture:

‘Organizational culture encompasses values and behaviors that contribute to the unique social and psychological environment of a business. 

'The organizational culture influences the way people interact, the context within which knowledge is created, the resistance they will have towards certain changes, and ultimately the way they share (or the way they do not share) knowledge. 

'Organizational culture represents the collective values, beliefs and principles of organizational members and is a product of factors such as history, product, market, technology, strategy, type of employees, management style, and national culture; culture includes the organization's vision, values, norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.'

Ravasi and Schultz (2006) characterise organisational culture as a set of shared assumptions that guide behaviors.  

It is also the pattern of such collective behaviors and assumptions that are taught to new organizational members as a way of perceiving and, even thinking and feeling.

Thus, organisational culture affects the way people and groups interact with each other, with clients, and with stakeholders. In addition, organisational culture may affect how much employees identify with an organisation.

RISK CULTURE

There is no doubt that risk culture, like sales culture or safety culture, is derived from the overall organisational culture. 

However, we have seen many examples of organisations that have a positive culture overall and yet do not have a sound risk culture.  This is especially true in organisations where the management of risk is seen by many staff as a compliance issue, not a means for guiding business decisions.

The CEO and the C suite team demonstrate what values are important in the organisation by the way they behave.  These behaviours may not always match the Values listed on the organisation’s website.

What senior executives do, not what they say, will drive operating practices across the organisation and these will influence the way individuals behave in order to be accepted or fit in.  

This determines how risk is actually treated, or ‘how things get done around here’.

BEHAVIOURS – SIGNPOSTS OF RISK CULTURE

Risk culture, like organisational culture, is not tangible - you can’t touch it or see it. You can observe the behaviours that flow from the culture.

Any effort to strengthen risk culture must begin by gathering evidence about current behaviours and attitudes towards managing risk at all levels of an organisation.  

This can be done using some form of online survey like the Risk Culture Assessment we use at DMC to help our clients or it could be through other methods like interviews or focus groups.

Once you have this evidence you need to use it to decide what behaviours need to stop, start or continue.  

We have written before about an outstanding case study in behavioural change and what can be achieved through a change in behaviours driven by the leadership team.

The factors we have identified through our research and field work with clients as essential to achieving a positive and effective risk culture are illustrated in our Risk Culture Model.

RISKY SUB-CULTURES?

The evidence you gather about behaviours and attitudes to the management of risk must encompass people at all levels of your organisation.  

There are sub-cultures within the overall organisational culture and the same is true of risk culture.  Some of these risk sub-cultures can be dangerous.

Where staff at all levels are strongly positive about each of the steps in the Risk Culture Model the executive team will also show confidence that risks are being well managed.

RISK CULTURE & CONDUCT RISK

Are risk culture and conduct risk two different names for the same thing or is conduct risk only one aspect of risk culture?

This seems to be an unresolved question in the Australian context.  It’s not unusual to see papers from consulting firms and others referring to risk culture and conduct risk as if these are two separate factors and then in the same papers find these terms used interchangeably.

THE REGULATORS’ VIEWS

However, two of Australia’s key regulators have made their positions clear.

The Australian Securities and Investments Commission (ASIC) is a conduct regulator and has defined conduct risk as:

‘The risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’.2

The Australian Prudential Regulatory Authority (APRA) is also concerned about culture and risk.  Former APRA Deputy Chair Ian Laughlin said that if culture is ‘the way we do things around here’, then risk culture is ‘the way we do risk around here’3

In an Information Paper4 on Risk Culture APRA defined risk culture thus:

RISK MANAGEMENT IMPACT

Risk culture can be thought of as the impact of organisational culture on risk management. A definition of organisational culture that is often cited is:

‘…a system of shared values (that define what is important) and norms that define appropriate attitudes and behaviours for organisational members (how to feel and behave)’.  

Risk culture is the application of this concept to the way an organisation takes and manages risk. 

Risk culture is therefore not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed. One of the more widely accepted definitions of risk culture is:

‘the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes’.

In the same paper APRA provided this Risk Governance Architecture model to illustrate their views on governance and oversight.

CONDUCT RISK AND RISK CULTURE

If people want to be accepted and ‘fit in’, they follow the norms of ‘how things get done around here’.  This is driven by the overall organisational culture and, as the Wikipedia reference above states, this comprises '... the collective values, beliefs and principles of organizational members’ 

Factors that influence organisational culture include:

  • history, product, market, technology, strategy,
  • type of employees, management style, and national culture
  • norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.

These same factors that produce collective values, beliefs and principles also influence the type of risk culture an organisation develops. 

That these factors include such things as history, strategy, symbols, assumptions and beliefs shows clearly that culture consists of much more than just behaviours.

Conduct risk is by definition only about behaviour — ‘inappropriate, unethical or unlawful behaviour’. 

Conduct risk is not identical to risk culture although it is definitely influenced by the overall organisational culture and by the risk culture. 

An important qualification is that while culture does influence behaviours it does not necessarily always determine the behaviour of each individual. 

An organisation may have a positive risk culture and still be exposed to rogue behaviour by one or more individuals.  However, there is no doubt that a positive risk culture will significantly reduce exposure to conduct risk.

THREE MEMBERS OF THE SAME FAMILY

In thinking about the relationship between organisational culture, risk culture and conduct risk it may be helpful to think of these as three members of the same family.  

Organisational culture is the parent, risk culture is the older sibling and conduct risk the younger.  Influence flows down the family tree but this does not always prevent the younger sibling acting in ways that disrupt the family.

Contact us if you’d like more information on our full Risk Culture Assessment .

REFERENCES

Spencer-Oatey, Helen, 1952-, ed. (2008) Culturally speaking: culture, communication and politeness theory, second edition. London, U.K. / New York, NY, U.S.A.: Continuum International Publishing Group

APRA information Paper - Risk Culture October 2016

[1] https://www.apra.gov.au/media-centre/speeches/stay-ahead-risk-risk-governance-and-risk-culture

Information paper - Self-assessments of governance, accountability and culture 22 May 2019

ABOUT THE AUTHORS

John P Dawson and Carmel McDonald are the co-owners of Dawson McDonald Consulting.  They’ve been running Risk Culture Assessments since 2008 to help clients protect their organisations and build resilience.  They can be reached at [email protected]

This article first appeared on the Dawson McDonald Consulting website. It is reproduced here with permission.

This is Worth

0.25 CIP Points

Login to Collect Points & Comment
What are CIP Points? About ANZIIF Membership
Your comment has been successfully posted

Comments

Loading comments

Remove Comment

Are you sure you want to delete your comment?
This cannot be undone.

kitchen sink logo
  • About
  • Professional Development
  • Membership
  • Compliance
  • Contact Us
  • Enrol
  • Become a Member
  • Login
  • Privacy Statement
  • Terms & Conditions

© Copyright The Australian and New Zealand Institute of Insurance and Finance Inc. 2021

RTO NO. 3596