By Majella Gomes

When confronting risk, understanding the prevailing culture of one’s environment underpins the level of success of any risk strategy.

Speaking at the recent MIA Risk Management Conference 2018, Nik Shahrizal Sulaiman, Assurance Partner, Risk Assurance Services, PwC Malaysia, said that even the best standard operating procedures (SOPs) cannot save a firm if it does not have a culture in place that embraces risk, sets its risk appetite levels and knows how to manage crises.

Nik Shahrizal Sulaiman

Shahrizal debunked two prevailing myths about risk culture, with the aim of helping firms reboot their own risk culture for better governance.

Myth 1: As long as a firm complies with regulations, its risk culture is good enough. Wrong. You must understand risk and what drives it to manage risk effectively. This necessitates an understanding of what drives risk culture, and the factors which cultivate it, in each firm’s respective unique environment. Building a risk culture is not exclusively about designing and implementing policies and procedures; more importantly, firms must set the right KPIs, processes, monitoring, performance reviews and attitudes that fit their particular industry and circumstances.

Myth 2: Tone at the top is enough to change a firm’s risk culture. It isn’t. As the saying goes, “It takes a village.” An organisation’s risk culture may be influenced by the tone at the top, but it has to permeate all layers before it can be internalised.

Firms should take the following steps to beef up risk culture.

  • While it is critical to identify the factors that drive risk culture, firms must also identify impediments to risk culture. Shahrizal recommended that firms come up with a risk appetite statement that identifies risk and its impact on the various departments in an organisation, as well as the consequences of not managing these risks. For instance, management could assess KPIs from the perspective of what will happen if certain procedures are not followed, rather than from the viewpoint of just completing the tasks for the sake of fulfilling KPI requirements.
  • Extend or enhance the traditional lines of defence – internal controls, financial controls and internal audit – more robustly to tighten risk management.
  • Establish more channels to respond to risk once it is identified, or to escalate material risk issues to the appropriate authorities. For this to be effective, firms must put in place robust communication and information-sharing measures, backed by an environment of openness and transparency.
  • Take an integrated approach to risk management and culture. Risk affects all departments, sectors and units across the board; it cannot be addressed as a standalone matter. Businesses today need a risk management strategy that works in tandem with sustainability strategies. “You cannot have a ‘silo’ culture when it comes to risk management strategy,” Shahrizal said. “You need to have a specific strategy to address it, and the initiative has to be applied organisation-wide.”