Understanding more about an organisation’s risk culture and how effective it is in supporting business performance can provide actionable insights helping organisations better leverage their risk management investments and drive improved organisational outcomes. By Mark Victor

What really happens inside your organisation? When decision-makers, at all levels, prepare to make a business decision that has the potential to positively or negatively impact your business and the achievement of your objectives, will they consider the risk policies, processes and appetite tolerances that you have invested so much in developing? Whether decision-makers choose to make a considered and aligned decision is also dependent on how well their personal values support your corporate values.

What is clear is that cultivating a risk-intelligent culture is more than establishing a code of ethics and completing a risk assessment. Economic events have highlighted weaknesses in many organisations in the area of risk governance and management. They have also catalysed many organisations to devote more time to developing and implementing enterprise risk management frameworks, policies, procedures, and technologies.

Understanding more about an organisation’s risk culture and how effective it is in supporting business performance can therefore provide actionable insights helping organisations better leverage their risk management investments and drive improved organisational outcomes.


A risk culture encompasses the general awareness, attitudes, and behaviours of an organisation’s employees toward risk and how it is managed. A risk-intelligent culture recognises the people aspect of risk management but also includes the notion that organisations must accept sufficient risk to create value.

This is critical because people take responsibility for managing risk, documenting the lessons learned, and executing the risk plan. By encouraging a sound risk culture, organisations can thrive by creating value for their operations, employees, shareholders, and customers.

Key characteristics of a strong risk culture include commonality of purpose, values, and ethics; universal adoption and application; a learning organisation that emphasises risk culture; timely and honest communications; understanding of the value of effective risk management; responsibility and accountability, both individually and collectively; and encouraging an environment of constructive challenge. Our experience shows that the root cause of many business challenges can be attributed to a failure in one or more of these areas.


Culture is influenced by an organisation’s symbols, management systems, and behavioural norms.  Organisational symbols are the inherent interpretations of symbolic messages communicated throughout the organisation including the value statements, who and what is rewarded, and where resources are invested.

These symbols are reinforced by the management systems that define the organisational processes and infrastructure across the organisation, including the setting of goals and strategy development, organisation design, business processes, reporting and measurement, performance management and incentives, and communication methods.

Finally, behavioural norms dictate the accepted patterns of behaviour visible across an organisation, including how leaders, managers, and key influencers act with employees, what employees expect to be said or done, how people work, and how employees interact with peers, managers and internal customers.

When seeking to understand an organisation’s risk culture, the four main organisational influencers of risk culture (risk competence, motivation, relationships and organisational risk environment) can be properly assessed by analysing the key indicators of risk culture. These components of culture are focused both on the technical and behavioural aspects of culture to assist organisations in assessing the businesses overall attitude towards risk:

  • Risk competence: The collective risk management competence of the organisation, supported by the risk function and risk champions across the organisation. Training and awareness play a key role in embedding understanding across the organisation and in our experience awareness is often superficial and does not give staff the tools to manage situations that arise.
  • Organisation: How the organisation is structured and what is valued. This is strongly supported by the ethics framework and risk governance structures in place supporting the governance of risk at an executive and board level. The broader business operating model can be a key barrier to driving effective operations and often results in silo mentality and disconnected interfaces between processes.
  • Motivation: The reasons why people manage risk the way they do. The alignment to performance measures and how staff are incentivised plays a key role in aligning their motivation and the level of personal accountability that they take. From our experience, to be successful, performance and accountability need to be driven down to all levels of the organisation.
  • Relationships: How people in the organisation interact with each other. The level of transparency and effectiveness of communication has a direct impact on the embedding of an effective risk culture.

From my experience in developing and embedding risk systems in a number of organisations, the risk culture within an organisation plays a significant part in supporting the overall organisational maturity and capability in managing risk. Risk functions are increasingly expected to contribute towards achieving an organisation’s strategic objectives through the effective management and mitigation of downside risk and the identification and assessment of upside risks. The so-called ’tone at the top’ plays a key role in the value that these risk systems and the risk function can add.

Based on our global Deloitte experience a, number of key elements are critical in promoting a sound risk culture. In my experience this is easier said than done, but for any organisation essential to ensure that value is extracted from risk management at all levels of the organisation.

  • Build risk competence: The collective risk management competence of the organisation fosters collective wisdom and helps people understand the risks the organisation is taking. This comes from proactive sharing of leading practices and consulting others when in doubt.
  • Align motivational systems: The board and management should have an understanding and clear communication as to why the organisation manages risk the way it does. In addition, there should be a consistent theme as to what organisations are motivating people to do. How does an organisation convey that its employees can admit to making mistakes? An effective risk-intelligent organisation is one in which everyone takes personal accountability for managing risk.
  • Strengthen relationships: This focuses on how people in the organisation interact with others. Do employees, management, and directors all have a clear understanding and commitment to a risk-intelligent culture? Does management provide a trusting environment and constructive response to challenges? Is there an open and honest dialogue about risk? These are a few questions that boards can ask to strengthen and foster relationships at each level of the organisation.
  • Promote an organisational risk management infrastructure: Consider how the organisational environment is structured and what is valued. Each organisation typically sets up standards of expectations in the form of policies and procedures. Following the risk management policies and involving risk professionals in risk decisions are building blocks in establishing an effective board.

Organisations should not underestimate the behavioural aspects of managing risk, embedded in risk culture, as this is a crucial element in ensuring that the investment in risk frameworks, systems and processes deliver on the risk mandate.

AUTHOR l Mark Victor CA(SA) is Partner Risk Advisory – Johannesburg at Deloitte & Touche



The rise of a robot-artificial intelligence ‘culture’ is no longer far-fetched. As humans are enhanced by technology and become more like machines, robots are becoming infused with something like humanity. We are approaching what some call the new dawn of robo-humanity, writes Mark Shnaps

Computers might be modelled on human brains but human minds do not work just like computers. We are learning that our cognitive function and rational thinking depend on emotions.

Cognitive technologies have entered into the world of robo risk reduction. Current trends in this new age era are directing the way we manage risk. Deloitte Global predicts that by end of 2016 more than 80 of the world’s 100 largest enterprise software companies will have integrated cognitive technologies, a 25% increase on the prior year.


TOM (Tacit Object Modeller) was developed by Carl Wocke of Merlynn, a South African specialised software development company, and is currently one of the leaders in the field of artificial intelligence (AI). Carl is clearly seeing the trend in AI and his engagement in projects across the world is seeing the technology being deployed in multiple areas of risk reduction. Projects include risk management within corrections, banking, medical and utilities sectors.

Anthony Nathan, CEO of Commercialization Partners, sees the focus of AI in the area of risk reduction applied to high-level decision-makers within organisations. Anthony explains: ‘To date, no viable alternative solution exists to retain the value of expert know-how. AI technologies facilitate the capturing and retention of expert knowledge. This not only maintains and safeguards institutional expertise; it provides on-tap access to experts’ decision making capabilities without limitations. TOM is a powerful way to facilitate knowledge transfer and succession planning. Loss of key skill sets and knowledge is perhaps one of an organisations biggest risk areas today. TOM eliminates this risk and, in fact converts such a risk into a valuable asset.’


The robo-age poses some interesting questions in terms of the way we value a ‘cloned expert’. If a company takes out a traditional short-term insurance policy on the ‘life’ of a key employee, then perhaps this is the minimum value of an AI version of the skill set we are insuring.

Companies are allowed to capitalise the cost of technology where there is a realisable future financial benefit. The ability to capture the skills of an employee raises an important question with regards to the ability to capitalise and also value the intangible asset.

The question was raised to Monica Singer, CEO of Strate (Pty) Ltd. Monica is of the opinion that there is potential to recognise as an intangible asset the AI version of an employee skill. It was also her opinion that there is benefit with regard to corporate governance, based on the ability to retain key knowledge in the entity acquiring this technology. She sees this as an important responsibility of a company’s board of directors, with regards to taking care of knowledge transfer and succession planning.

In conclusion, it is important to realise that the way we do business and the way we access information in the ‘new age’ of technology is going to lead us into some very interesting accounting debates, challenging the basis of how we view and measure value, and the accounting treatment thereof.

AUTHOR: Mark Shnaps CA(SA) of Commercialization Partners


As a small business owner, your sole focus is to make sure your company grows and thrives. Risk-taking is usually at the top of your agenda. Can risk management focus your risk-taking efforts without impeding growth? By Michael Ferendinos

It is never too early for a small business to formalise its risk management efforts. The question is how can, or should, risk management add value. Risk management has traditionally been viewed as a compliance issue that is managed through a rules-based approach. This approach works for many risks that can significantly threaten the reputation of a company but is not a holistic approach that can be applied to the management of all risks. Countless disasters have not been prevented through rules-based risk management. World-renowned Harvard Business School professor Robert S Kaplan suggests following a new categorisation of risks that considers alternative approaches to the rules-based model. This will guide small businesses with regards to where higher tolerances exist for risk-taking. We first need to clarify what is meant by risk categories before addressing the new categorisation.

Companies often try to dissect their risks into various categories or groupings in an attempt to cover the full spectrum of risks that they face. The risk categories selected are usually dependent on the nature of the company and its associated industry. They can range from environmental, operational, technological, societal, and health and safety risk categories to those related to financial, market, political, economic and regulatory dynamics. This appears to be a good strategy on the surface but will most likely lead to you questioning the effectiveness of your risk management efforts down the road. As a small business owner, you may be left feeling overwhelmed by the number of risks that require immediate attention and budget allocation. The traditional approach to risk categorisation also brings about a silo mentality where the interdependency of risks is often overlooked.

Professor Kaplan suggests that all business risks should fall into one of three categories, namely preventable, strategy and external risks. Preventable risks are internal risks that arise from within a company and are often operational or behavioural in nature. Strategy risks are both internal and external to a company and entail voluntary risk taking in order to generate superior returns from its strategy. External risks occur outside a company’s influence or control and include political, economic, regulatory and environmental uncertainties.

Preventable risks are best managed through the rules-based compliance approach. These risks are controllable and should be avoided or eliminated as far as possible. Companies should have a low tolerance for these risks as they have no strategic benefit. Strategy risks cannot be managed through this approach, however, and require a risk reduction approach focusing on decreasing both the likelihood of the risk occurring and the consequence should it materialise. Companies should have a moderate tolerance for these risks because they are not inherently undesirable. External risks also require a slightly different approach by focusing on the effective identification of these risks and the reduction of their consequences. A company should have a moderate tolerance for these types of risks because they cannot be prevented from materialising.

Small businesses should manage preventable risks through rules and should hold constructive discussions at the correct leadership levels to manage strategy and external risks. This allows for greater risk taking in the strategy risk space in search of higher returns. In this case, more effective risk management will give small businesses a definite competitive advantage.

AUTHOR:  Michael Ferendinos is  Chief Risk Advisor, The Institute of Risk Management South Africa


The risk landscape for businesses is substantially changing in 2016. Fierce competition and cyber incidents rank as major new threats

The risk landscape for businesses is substantially changing in 2016. While businesses are less concerned about the impact of traditional industrial risks such as natural catastrophes or fire, they are increasingly worried about the impact of other disruptive events, fierce competition in their markets and cyber incidents.

These are key findings of the 2016 Allianz Risk Barometer, the fifth annual survey on corporate risks published by Allianz Global Corporate & Specialty (AGCS), which surveyed over 800 risk managers and insurance experts from more than 40 countries. Other salient points are:

  • Top business risks for Africa and the Middle East are appearing for the first time with macroeconomic developments, market developments, and changes in legislation and regulation leading the way.
  • Globally, business interruption (BI) remains the top risk for the fourth year in succession, with cyber-attacks, geopolitical instability and technology failure new potential drivers of BI losses.
  • The competitive market environment and cyber incidents appear in the top three global business risks for the first time.
  • Companies are worried about increasing sophistication of cyber-attacks but tend to underestimate technical IT failure as cause of costly outages.

According to the Allianz Risk Barometer the top three leading risks for businesses in Africa and Middle East are macroeconomic developments (44%), market developments (44%), and changes in legislation and regulation (32%). Political risks (war, terrorism and upheaval) rank higher than any other region. The area is the only one to rank power blackouts (10th) in the top 10. These risks are appearing for the first time for Africa and Middle East. Last year’s Africa and Middle East responses were included as part of Europe, Middle East and Africa region.

‘The biggest contraction in global trade since the financial crisis, BRICS and other emerging markets hitting a wall and a subdued knock-on-effect from the drop in commodity prices help ensure market and macro developments rank highly in this year’s Risk Barometer,’ says Ludovic Subran, chief economist at trade credit insurer Euler Hermes, a sister company of AGCS.

South Africa, Brazil, Russia, Nigeria and Malaysia are among those countries which have been negatively affected by cheaper commodity prices. ‘However, it is fascinating to see that, in many cases, the decline in oil and gas, iron ore and steel prices has stressed the supply chain more than it has benefited it,’ says Subran. ‘Sectors such as construction have not done as well as anticipated, because of structural difficulties. Further, some sectors, such as machinery and equipment, have seen the collateral damage of plummeting investment in the oil and gas industry.’

BI remains the top risk for businesses globally for the fourth year in succession. However, many companies are concerned that BI losses – which usually result from property damage – will increasingly be driven by cyber attacks, technical failure, or geopolitical instability as new ‘non-physical damage’ causes of disruption. Meanwhile, two of the major risers in this year’s Allianz Risk Barometer feature in the top three corporate risks for the first time with market developments ranking second and cyber incidents third. Cyber incidents are also cited as the most important long-term risk for companies in the next ten years. In contrast, natural catastrophes (third in Africa and the Middle East) drops two positions to fourth year-on-year, reflecting the fact that in 2015 losses from natural disasters reached their lowest level since 2009.

‘The corporate risk landscape is changing as many industrial sectors are undergoing a fundamental transformation,’ explains AGCS CEO Chris Fisher Hirs. ‘New technologies, increasing digitalisation and the Internet of Things are changing customer behaviour, industrial operations and business models, bringing a wealth of opportunities, but also raising awareness of the need for an enterprise-wide response to new challenges. As insurers we need to work together with our corporate clients to help them to address these new realities in a comprehensive manner.’


More than a third of responses (34%) cited market developments such as intensified competition or market volatility/stagnation as one of the three most important business risks in 2016, ranking this new survey category as the second top peril overall (in the 2015 Allianz Risk Barometer market developments risks were ranked separately, not as one collective peril).

Market developments are a particular concern in the engineering, financial services, manufacturing, marine and shipping, pharmaceutical and transportation sectors, where this risk ranks among the top three business risks respectively. In addition, this risk ranks as a top-two concern in Europe, Asia-Pacific and Africa and the Middle East.

Many businesses in Africa are facing a growing number of challenges which threaten their profitability and possibly also their business models. ‘Businesses constantly have to be on their toes, turning out new products, services or solutions in order to stay relevant to the customer and to thrive in this rapidly changing and globally competitive environment,’ explains AGCS Africa CEO Delphine Maïdou. ‘Innovation cycles are becoming rapidly shorter; market entry barriers are coming down; increasing digitalisation and new “disruptive” technologies have to be quickly adopted while potentially more agile start-ups are entering the game.’ At the same time businesses are also having to comply with changing or enforced regulation, increasing safety requirements or import/export restrictions.


Another area of increasing concern for businesses globally are cyber incidents which includes cyber-crime or data breaches, but also technical IT failures. Cyber incidents gained 11 percentage points year-on-year to move from fifth position (fifth in Africa and the Middle East) into the top three risks for the first time (28% of responses). Five years ago, cyber incidents were identified as a risk by just 1% of responses in the first Allianz Risk Barometer. Loss of reputation (69%) is the main cause of economic loss for businesses after a cyber incident, according to responses, followed by business interruption (60%) and liability claims after a data breach (52%). Companies are increasingly concerned about the growing sophistication of cyber attacks, according to the Allianz Risk Barometer. ‘Attacks by hackers are becoming more target-oriented, lasting for longer and can trigger a continuous penetration,’ explains Jens Krickhahn, cyber insurance expert at AGCS. While cyber attacks are increasing both in frequency and severity, companies should not underestimate the impact of an operational failure in today’s highly digital and connected industries. ‘A simple technical failure or user error can result in a major IT system outage disrupting supply chains or production,’ says Volker Muench, AGCS expert for property underwriting. ‘Early warning and better monitoring systems are necessary in order to prevent large cyber BI losses,’ says Krickhahn.


BI remains the top peril in the Allianz Risk Barometer for the fourth year in succession with 38% of responses (30% in Africa and the Middle East). Indeed, BI losses for businesses are increasing, typically accounting for a much higher proportion of the overall loss than a decade ago and often substantially exceeding the direct property loss, as AGCS insurance claims analysis shows. According to responses, major causes of BI feared most by companies are natural catastrophes (51%), closely followed by fire/explosion (46%). However, according to the survey’s findings, multinational companies are also increasingly worried about the disruptive impact of geopolitical instability as war or upheaval could impact their supply chains or their staff or assets could suffer from acts of terrorism.

‘Businesses need to prepare for a wider range of disruptive forces in 2016 and beyond,’ says Axel Theis, member of the Board of Management, Allianz SE. ‘The increasing impacts of globalisation, digitalisation and technological innovation pose fundamental challenges.’