Elgin Chetsanga
We frequently see headlines detailing organisational turbulence caused by a shocking risk management failure. While most of the time these failures are attributed to a clear lack of controls leading to a company’s inevitable demise, there is also an interesting side to these events: failures that occur despite an organisation possessing extensive policy binders and powerful risk software.
What could be the cause?
The evidence suggests these failures are not attributable to missing rules, but to a deeper problem: a culture that undermines compliance, discourages speaking up, or simply does not prioritise risk.
This realisation, that culture plays an outsized role in risk management failures, has been a wake-up call for professionals in the field. Risk practitioners now understand that even the most robust and well-thought-out risk frameworks and advanced technology may fall short if the organisation’s collective norms, attitudes, and behaviours do not actively support them.
Measuring Culture!
This realisation leads to a contentious question: How can an organisation audit or assess something as intangible and pervasive as culture? How can we assess the evidence of a good risk culture, such as an employee’s willingness to speak up in a meeting about a potential hazard or challenge a superior’s bad decision?
The solution, which has been evolving over the past decade, lies in moving beyond simple checklists and applying a structured blend of tools and techniques. The approach attempts to measure the maturity of the risk culture, pinpoint specific behavioural gaps, and importantly, implement targeted interventions that get to the heart of how people work.
Establishing the Benchmark: The Risk Culture Maturity Model
To methodologically assess where an organisation stands, many professionals have turned to the concept of a Risk Culture Maturity Model. These models typically categorise an organisation’s risk culture into ascending levels, providing a clear visual progression.
The lowest maturity levels are often termed “Non-Existent” or “Ad Hoc.” At these levels, risk management is entirely inconsistent, reactive and almost always happens after something has already gone wrong. Furthermore, the organisation has no common risk language or processes in place.
As an organisation ascends the ladder of maturity, it moves through levels such as “Defined,” where basic policies are written down, and “Managed,” where those policies are consistently applied. The highest maturity level, often termed “Integrated” or “Proactive,” is the goal. At this level, risk consciousness is seamlessly woven into the business’s strategy, daily operations and individual decision-making.
These maturity models are, therefore, more than just a scoring mechanism. They create a common language and a tangible roadmap for improvement. They help leadership to visualise the journey from a nascent, reactive state to a fully embedded, proactive risk culture and give them a shared vocabulary to discuss an otherwise abstract concept.
Practical Techniques for Cultural Diagnostics
Because culture is intangible, assessing it requires a multi-pronged approach, blending qualitative and quantitative techniques. One of the most widely used approaches is an anonymised employee survey. Questionnaires are used to probe employee perceptions about key cultural dimensions.
Specifically, questionnaires explore critical areas like the “Tone at the Top,” asking employees whether they believe senior leaders prioritise long-term risks over short-term profits. They also gauge risk awareness and competency, checking if people understand the risks relevant to their specific roles and have the training to manage them. Crucially, they probe the state of communication and openness, attempting to measure the comfort level for raising concerns, admitting mistakes, and escalating “near misses” without fear of reprisal. Finally, they ask about decision-making, questioning whether risk information is a mandatory and integral component of strategic choices or merely a bureaucratic afterthought ticked off a list.
Another technique to assess culture is through data analysis. While culture is intangible, it leaves a measurable data trail. By analysing the right quantitative metrics, risk practitioners can deduce maturity levels and identify systemic weaknesses. As an example, the quality and timeliness of internal loss data can be used as an indicator. If data on risk events and near-misses is reported quickly and comprehensively, this could indicate a culture of risk ownership, while slow and incomplete reporting of risk events could suggest a culture of blame and concealment.
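As an illustration of the data-analysis approach just described, the following Python script is an added example, not code from the article or its author. It works over a small set of constructed loss-event records (the field names, business units, dates and thresholds are all assumptions made for the example) and derives the two indicators the paragraph names: how long events take to be reported, and how complete the reports are. Units whose median reporting lag or record completeness falls outside the assumed thresholds are flagged for closer qualitative follow-up.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample records (not real loss data): one row per reported
# risk event or near miss. Field names are assumptions for this example.
@dataclass
class LossEvent:
    unit: str
    occurred: date
    reported: date
    kind: str                       # "loss" or "near_miss"
    root_cause: Optional[str]       # None when the reporter left it blank
    reporter_self_identified: bool  # raised against the reporter's own area?

SAMPLE_EVENTS = [
    LossEvent("Payments", date(2024, 3, 1), date(2024, 3, 2), "near_miss", "manual override", True),
    LossEvent("Payments", date(2024, 3, 10), date(2024, 3, 11), "loss", "vendor outage", True),
    LossEvent("Payments", date(2024, 4, 2), date(2024, 4, 3), "near_miss", "stale runbook", True),
    LossEvent("Treasury", date(2024, 2, 5), date(2024, 3, 20), "loss", None, False),
    LossEvent("Treasury", date(2024, 3, 15), date(2024, 5, 1), "loss", None, False),
    LossEvent("Treasury", date(2024, 4, 1), date(2024, 4, 30), "near_miss", None, False),
]

def unit_indicators(events, unit):
    """Timeliness and completeness indicators for one business unit."""
    rows = [e for e in events if e.unit == unit]
    lags = [(e.reported - e.occurred).days for e in rows]
    near = sum(1 for e in rows if e.kind == "near_miss")
    complete = sum(1 for e in rows if e.root_cause is not None)
    self_reported = sum(1 for e in rows if e.reporter_self_identified)
    return {
        "events": len(rows),
        "median_lag_days": median(lags),
        "max_lag_days": max(lags),
        # A healthy near-miss share suggests people report before harm occurs.
        "near_miss_ratio": round(near / len(rows), 2),
        # Share of records with a root cause filled in.
        "completeness": round(complete / len(rows), 2),
        "self_reported_ratio": round(self_reported / len(rows), 2),
    }

def flag_units(events, max_median_lag=7, min_completeness=0.8):
    """Return units whose reporting looks slow or incomplete against the
    assumed thresholds, with a plain-language reason for each flag."""
    flagged = {}
    for unit in sorted({e.unit for e in events}):
        ind = unit_indicators(events, unit)
        reasons = []
        if ind["median_lag_days"] > max_median_lag:
            reasons.append(
                f"median reporting lag {ind['median_lag_days']}d exceeds {max_median_lag}d")
        if ind["completeness"] < min_completeness:
            missing_pct = round((1 - ind["completeness"]) * 100)
            reasons.append(f"root cause missing on {missing_pct}% of records")
        if reasons:
            flagged[unit] = reasons
    return flagged

if __name__ == "__main__":
    for unit in sorted({e.unit for e in SAMPLE_EVENTS}):
        print(unit, unit_indicators(SAMPLE_EVENTS, unit))
    print("flagged:", flag_units(SAMPLE_EVENTS))
```

The point of the thresholds is not that seven days or 80% completeness are correct values; they are placeholders to be calibrated against the organisation's own history. What the script shows is the mechanism: the same loss register that feeds capital or control reporting can be re-read as behavioural evidence, and a unit that consistently reports late and leaves root-cause fields blank is a candidate for the survey and interview work described above, not a conclusion in itself.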
The Limitations of Risk Maturity Modelling
While maturity models and these diagnostic tools are helpful for providing structure, their application to something as fluid and subjective as culture is open to criticism.
The first major criticism is the “One Size Fits All” trap. Many maturity models implicitly assume a universal “best practice” ideal. However, there is a fundamental flaw in this assumption. For example, a financial institution’s risk culture requires strict regulatory adherence, caution and detailed processes. This is fundamentally different from a tech start-up’s culture, which often relies on agility, calculated risk-taking and rapid iteration to survive.
The second major criticism of risk maturity models is that they can provide a static view of a culture, which is itself a dynamic concept. Culture is a living ecosystem that constantly evolves in response to internal events, shifts in leadership and market pressures. A risk maturity assessment is, by its nature, a snapshot taken at a single point in time. In a fast-changing business environment, this assessment can become outdated within months, failing to capture the ongoing, fluid nature of cultural evolution.
The Journey is More Important Than the Destination
Ultimately, the true value of diagnostic tools and maturity models does not lie in the final rating. Using these models can lead to the common and dangerous misconception that a high maturity rating is a guarantee of sound practice. An organisation could score highly on dimensions like “Risk Governance” because it has well-documented policies and clear committee structures, yet still fail dismally on communication and openness because employees are terrified of speaking up.
Therefore, maturity models and their accompanying diagnostics should be viewed as navigational charts for a long journey, not an arrival stamp to be framed on the wall.
Risk practitioners must understand that ultimately, the goal is not to reach a perfect score on a report that nobody reads. The goal is to weave risk consciousness into the very fabric of the organisation, making it a deeply held, self-enforcing characteristic of its daily life, ensuring that when the next crisis emerges, the culture itself is the first and strongest line of defence.
Elgin Chetsanga is a Risk Management professional who works for a regional Financial Institution. Elgin writes in his own capacity. Elgin can be reached on [email protected]