An evaluation of the risk culture at management level in a South African government organisation

Abstract

A strong risk culture is critical for any organisation to manage its risks. Recent reports from the Auditor-General about a South African government institution (Auditor General of South Africa, 2014) demonstrated that its risks were not being adequately mitigated. The purpose of the study reported on here has therefore been to put this judgement to the test and, because no recognised instrument could be found to evaluate the risk culture, an instrument was developed. Many of the risk culture assessment frameworks available have been developed by consulting companies which could be of value to organisations however this study chose to focus mainly on academic literature. In this descriptive study we used a focus group to identify the possible strengths and weaknesses of the prevailing risk culture, following which a questionnaire was designed and used to assess the current risk culture of the organisation. The results were used to evaluate the risk culture with the aim of proposing steps in which to embed a risk culture. We found that the existing risk culture does not contribute to this organisation’s capacity to manage its risks. We also found that managers in this organisation are not encouraged to take risks to achieve their objectives and employees are not held accountable for the management of risks. In agreement with previous studies which found that training in risk management is important, this study suggests that training should be compulsory for all senior management. This study also found that factors of tone at the top, accountability, communication, risk competence and risk capacity are critical to embed a risk culture in an organisation. This study contributes to the existing literature by suggesting ways in which a risk culture could be embedded in an organisation. The results of this research could be useful to organisations, boards, and risk committees.