Latest Products

Everyone's Talking About Culture

Thursday 13 July 2017

In Sydney, The GRC Professional sat down with Deborah Latimer, Director of boutique GRC Consultancy
Sector Seven, to talk about culture. The concept of organisational culture is a hot topic, but it is also one that is not necessarily well understood.

At the GRC2015 Conference, held in Melbourne, Deborah hosted a workshop, entitled Strategy and Risk: Changing the Dynamic, which focused on bringing risk and strategy together. 

GRC Professional: Why is everyone talking about culture?

Deborah: Culture is about getting the “want” into an organisation’s GRC.
Culture is a recognised driver of conduct risk. At the core of every definition of “culture”, you will find attitudes and behaviours. Attitudes and behaviours (both observable and not observable) often manifest at the organisational level as conduct risk. That is why our regulators have been leading a dialogue on culture.

For principles-based prudential regulators such as APRA, and conduct regulators like ASIC, there has been a natural progression over time from reliance on documented evidence of GRC programs and systems, to an increased reliance on evidence of how GRC programs are implemented ‘on the ground’, through to evidence of conduct risk approaches influenced by behavioural science, to the outcomes GRC program implementations produce, to finally arriving at culture as a key driver.

So, everyone is talking about culture because culture is a really exciting prospect for understanding and better dealing with organisational conduct risk, as well as changing customer outcomes for the better.

GRC Professional: So, the value of focusing on culture lies in its potential to influence both conduct risk and outcomes. You said culture is about getting the “want” into an organisation’s GRC—what did you mean by that?

Deborah: Well, it’s the key point for GRC practitioners, really. The whole culture dialogue is changing the GRC game by shifting the focus onto those attitudes and behaviours that drive conduct. It is attitudes and behaviours (culture) that make people want to govern an organisation well, to want to operate inside clear risk boundaries, and comply with obligations—or, conversely, not want to.

Let me give you an example on the “want” in relation to GRC. In 2010, a light plane crashed into the jungle in the Congo. Tragically, there were no survivors. Aboard the plane was the entire board of the Australian mining company Sundance Resources (and its risk consultant). Now, Sundance had GRC programs in place. In particular, its travel policy effectively prohibited more than two board members travelling together on the same flight. It also prevented anyone from chartering that flight because the service provider did not meet minimum safety standards. 

Notwithstanding the organisation’s GRC program, the whole board together chose to act as they did—thus, there was an absence of any “want”—individual or collective—in the GRC of Sundance.

GRC Professional: That’s a sobering example. What should GRC practitioners be doing about culture?

Deborah: For GRC practitioners to really get ahead in this new game, they will need to leave the GRC comfort zone and “lead” on culture. Here are three tips for getting started:
  • Collaborate: Step outside the chalk circles of “governance”, “risk management”, and “compliance” and collaborate creatively with one another. Cross the floor to the “human resources” team and get them on board as well.
  • Gauge: Cross-functionally brainstorm a set of culture indicia that provide a meaningful proxy diagnosis and measurement of your organisational culture, then diagnose and baseline measure the culture.
  • Collaborate: Analyse identified culture ‘hot spots’ and go and talk to the frontline business people in those areas about identified issues and what can be done about them.

Only then should GRC practitioners adjust existing documented GRC frameworks, programs, and systems to reflect the new insights on culture and conduct risk.

There will be more on culture and conduct risk for GRC practitioners at the 21st Annual GRC Conference 2017 in October. This year’s conference theme is “audacity”, and in the interests of promoting “audacious” behaviour, Deborah will be facilitating a workshop on how to lead when it comes to culture, in order to achieve better GRC outcomes for your organisation and its customers.


Deborah Latimer, Director, Sector Seven