The Institute of Risk Management (IRM) has published two documents on Risk Culture. The first is a pamphlet-sized piece, “Under the Microscope: Guidance for Boards”, and the second is a much longer and more detailed document for practitioners.

The piece for boards, which is available as a free download from the link provided above, is an easy read and includes some good advice for boards.

I like the fact that it focuses on the need for a risk culture that promotes taking the right risks, and points out that a failure to take risks can be as dangerous to a firm’s success as taking too much risk.

I suggest that boards and management teams (led by the risk officer, and if none exists then by the head of internal audit) discuss the points made in the publication. Particular attention should be given to the list of 10 attributes (on page 6) of a “good risk culture”, the “Ten questions a board should ask itself” on page 14, and the “What do we do next” on page 15. The whole booklet is valuable for understanding risk culture, but these are the areas I would pay especial attention to – and use as a basis for action.

I think risk practitioners should obtain and read the more detailed document. It is free for IRM members (a membership worth paying for).

The discussion and understanding of risk culture continues to develop. One of the most challenging aspects is how you measure risk culture, especially as it changes every time you change the makeup of the management team, and it should also change as business conditions change (being more risk averse in challenging times than when the economy is booming). I am also challenged to separate risk culture from the overall culture of the organization.

I welcome your thoughts. Do you find the booklet and detailed guidance useful?