enabling risk intelligent cultures - deloitte

Enabling Risk Intelligent Cultures Our Services 2021


Post on 16-May-2022


Page 1: Enabling Risk Intelligent Cultures - Deloitte

Enabling Risk Intelligent Cultures

Our Services 2021

Page 2: Enabling Risk Intelligent Cultures - Deloitte


Government Assistance Program | Enabling Risk Intelligent Cultures

While culture can be described as the ‘way we do things around here’, it is more than just the observed behaviours. It is carried through the symbols and stories of the business and emerges from the complex interactions between the people, the systems and processes and the often unspoken shared beliefs and assumptions that influence decision-making throughout the organisation.

The impact of corporate culture on decisions about risk is especially evident. Where the outcomes are uncertain, the information is incomplete or where the policies and procedures are silent on the right course of action, culture will play a strong role in guiding both the decision process and outcome.

Culture also shapes (and is shaped by) the way our policies and processes are designed and operate, how divisions are structured, what information is communicated (and what is not), how resources are expended and, in particular, drives incentives and rewards.

All of these organisational characteristics, and the ways they interact and accumulate, play a critical role in shaping how an organisation engages with risk, influencing what risks it takes or avoids and ultimately, how it harnesses the opportunities presented to it.

Risk Culture & Risk Management

There is no “one size fits all” solution to risk management. How an organisation manages risk should align with, and support, its purpose, values, strategy, business model, and its risk appetite and tolerance. This is especially true in industries where significant risk-based decisions are being made throughout the organisation on a daily basis.

The same is true for risk culture. A sound risk culture exists within an organisation when its employees’ understanding of and attitudes towards risk lead them to consistently make appropriate risk-based decisions. Consequently, an organisation’s risk culture drives the behaviours that influence day-to-day business practices.

A Risk Intelligent Culture occurs when the organisational culture aligns with its purpose, values and risk appetite and supports the right trade-offs between risks and opportunities to achieve its strategic objectives.

In managing and harnessing risk, understanding how culture enables or inhibits appropriate risk taking is critical.

Risk culture: What is it good for?

The elements of a Risk Intelligent Culture

A common foundation of shared purpose and values provides the ethical foundation. A risk intelligent culture ensures alignment between an individual’s ethics and values and those of the organisation.

Other key attributes include:

• A learning organisation, where the collective ability to manage risk is continuously improving

• Timely, transparent and honest two-way communication, with people feeling comfortable to provide constructive challenge to others and respond positively to challenge themselves

• A shared risk vocabulary, with people able to understand the value of effective risk management, and to articulate that to others

• Individual and collective responsibility taken for risk management.

The Deloitte Risk Culture Framework consists of sixteen indicators, which include key attributes and levers of organisational risk culture, aligned to the four risk culture influencers: risk competence, motivation, relationships and organisation.

Risk competence: The collective risk management competence of the organisation.

Relationships: How people in the organisation interact with others.

Motivation: The reasons why people manage risk the way that they do.

Organisation: How the organisational environment is structured and what is valued.

[Figure: Risk Culture and its four influencers: Organisation, Risk Competence, Motivation, Relationships]

Page 3: Enabling Risk Intelligent Cultures - Deloitte


Deloitte Risk Advisory | Enabling Risk Intelligent Cultures


Risk and Culture in 2021 and beyond

An organisation’s culture determines how risk is managed and harnessed, particularly under conditions of ambiguity and stress. Numerous inquiries and public scandals have shone the light on culture as the root cause of poor risk management, conduct and compliance failures, and significant loss and reputational damage.

Despite the ongoing focus, many organisations still find they have relatively immature risk cultures and are stuck in a reactive stance when it comes to managing risk. For these organisations, their culture remains a potential liability.

Some companies have made the shift to a culture where strong risk-based decision-making and behaviour are the norm and the culture enables stability and competitive advantage. Successful transformation has been achieved by those organisations who have gone beyond just complying with regulations to develop a sophisticated understanding of how direct and indirect influences shape the mindsets and behaviours of their people and govern the day-to-day trade-offs they make when balancing risk and opportunity.

What does a ‘good’ risk culture look like?

While risk is often seen as something to avoid or minimise, appropriate risk-taking is critical for innovation and performance.

A strong risk culture exists when there are high levels of understanding and positive attitudes towards risk, enabling appropriate decisions and behaviour. This is observed when people are enabled to, and consistently, do the right thing – where achieving business outcomes is balanced with achieving the right customer outcomes, and where policies and processes empower people to do the right thing rather than find work arounds.

Successful risk cultures are those that have made the transition from reacting to events, to an active engagement with risk, supported by mature practices of risk identification and mitigation at all levels.

The evolution of risk culture: embedding ethics and purpose

Doing the right thing, the right way, in a rapidly changing, uncertain and complex world can be difficult. While risk management often helps in deciding what can be done, the addition of ethics to the decision-making process helps navigate what should be done.

Through the Financial Services Royal Commission came the recognition that it is no longer enough to act just within the letter of the law, especially when significant risk-based decisions are being made throughout organisations on a daily basis. Without referencing the term ‘ethics’, the Hayne report advocates for embedded ethical reform.

Organisations must not only understand and manage many inter-connected risks, but also make tough trade-off decisions while balancing the positive and negative impacts on multiple stakeholder groups. When the path forward is unclear, people benefit from a clear understanding of what is most important and feeling confident their actions are aligned with their ethical obligations.

Page 4: Enabling Risk Intelligent Cultures - Deloitte


‘Should we’ takes precedence over ‘can we’.

Embedding ethical foundations requires clarity and conviction in the organisation’s purpose, values and principles, which should align with the target risk culture.

The UK Financial Conduct Authority recently released a discussion paper focussed on how to drive purposeful culture in financial services, reflecting a growing understanding of the central role purpose and values play in defining and supporting culture by establishing what matters and guiding the decision making around what risks are acceptable. A focus on purposeful culture is the next evolution in a growing understanding of how important aligning risk is to the underlying integrity and impacts of a business. This focus is the next stage in the risk culture journey for organisations considering the risks to their organisation, as well as risk to customers and the broader society.

“My assessment of recent history is that there has not been a case of a major prudential or conduct failing in an organization which did not have among its root causes a failure of culture as manifested in governance, remuneration, risk management or tone from the top”

Andrew Bailey, May 2016, CEO UK Financial Conduct Authority

Regulatory Perspective, Financial Services

The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) are driving increasing focus on the role of culture in influencing risk and conduct outcomes. The BEAR (which is to become the Financial Accountability Regime, FAR) reinforced the gravity of culture-related failings identified through the Royal Commission and continues to drive focus on how organisations measure and manage their culture to support sound risk management and appropriate conduct.

In 2019, APRA announced the intention to strengthen and sharpen its supervision of risk culture, with a greater focus on maturity. From a regulatory perspective, APRA and ASIC have different interests with regard to risk culture.

While APRA is primarily concerned with risk culture as an indicator and driver of prudential soundness for the entities it regulates, ASIC articulates concern for culture as a key driver of conduct, and as it relates to promoting fair treatment of consumers and investors.

Risk and Culture through disruption

The COVID-19 pandemic has had wide-ranging impacts on most organisations, from changes in working practices to increased uncertainty and changing customer needs. The impact of the pandemic and its subsequent economic effects on the risk landscape for businesses is still evolving.

Businesses are beginning to understand the long-term impacts of COVID-19 on the way they operate, and are starting to understand the new risks this creates. The impact of COVID-19 on organisational culture varies, but fair customer outcomes, physical safety and wellbeing of employees will continue to be a central focus for regulators and the community. Observing the changes in culture and behaviour is more challenging during this time, but it is no less important.

Many of the behaviours and mindsets which have emerged to cope during this period will actually be superior to those that came before. Virtual working has driven a focus on outcomes over process and, in some cases, greater autonomy has empowered teams to take accountability. As the recovery progresses, organisations should seek to understand which new practices lead to better risk outcomes, and should be retained for the future, and seek to address any that contribute to increased risk.

Page 5: Enabling Risk Intelligent Cultures - Deloitte


There is no one size fits all – a tailored risk culture approach is required. Our approach to risk culture is flexible, scalable, and will support you to achieve what matters most.

Our Approach

Our approach to strengthening risk culture is tailored to your organisation and will vary based on your risk and risk culture maturity, and objectives.

We will work with you to align your target risk culture, measurement approach and change initiatives with:

• Ethical foundations: purpose, values and principles (Why does the organisation exist and what do you stand for?)

• Target risk culture: desired mindsets and behavioural norms across the organisation

• Strategy, risk appetite and risk management framework (What are you trying to achieve, how much risk are you willing to take and how will this be managed?)

Why does the organisation exist and what do you stand for? What are you trying to achieve? How much risk are you willing to take?

Our approach

Deloitte Australia has helped shape the industry conversation on risk culture, leveraging external global research and thinking in our approaches.

Our methodology incorporates regulatory expectations from APRA, as well as ASIC. Our methodology is continuously evolving, keeping pace with increasing regulatory and community expectations, and is flexible across industries and regulatory environments.

We provide solutions for a broad range of clients of different sizes and stages of maturity. We use a tiered methodology to provide appropriate levels of sophistication for different organisational requirements and appetites.

Wherever you are on your journey

Our approach will aid you in strengthening the risk culture no matter where you are on your journey, helping you to maximise opportunities, achieve strategic objectives and manage risk effectively.

We support you along the way, from establishing clear ownership and governance, defining the target state, establishing ongoing measurement and reporting frameworks and tools, and designing and implementing change initiatives, to helping you monitor the impact of initiatives.

Risk culture is not static, but a continuous process, which repeats and renews itself, suiting programmatic and ongoing approaches to strengthening and maturing risk culture.

• Owning risk culture: Clear ownership and accountability for culture supported by appropriate governance.

• Defining risk culture: A defined target risk culture state informed by the purpose, values and risk appetite of the business to allow measurement of progress.

• Measuring & Monitoring: A multi-source measurement framework appropriate to the size and complexity of the business.

• Changing: A program of continuous improvement to strengthen the risk culture the people, process and systems.

• Evaluating change: Ongoing measurement of the impact of change initiatives.

Page 6: Enabling Risk Intelligent Cultures - Deloitte


Building and sustaining a sound risk culture requires a robust supporting framework.

Strong risk cultures are owned and clearly defined

Numerous inquiries and regulatory findings, including those of the Royal Commission into the financial sector, have codified the accountability of the board and senior management for monitoring and managing organisational culture and ensuring appropriate risk behaviours are embedded across the organisation.

For companies regulated by APRA, specific requirements under Prudential Standard CPS 220 require that the board of a regulated entity form a view of the risk culture of the business and the extent to which that culture supports the institution to consistently operate within its risk appetite, identify and address any desirable changes to strengthen its risk culture, and test whether those changes have been effective.

Linking purpose, values and risk culture

While the purpose of the organisation defines why the organisation exists and the societal need it seeks to meet, this comes to life through the values and principles it adopts. A clear set of organisational values defines what good looks like for the business and builds a shared understanding, while the related principles outline what’s right. The principles provide tests to help us know we are making the right choices.

When clearly articulated and aligned with the risk appetite of the business, the purpose, values and principles provide the framework for building the shared understanding and mindsets across the business that provide the bedrock for the organisation’s decision making and culture.

Defining a target risk culture state

Working with leadership to establish the target risk culture state helps link the purpose and values with the risk appetite and strategy of the business and articulates the behaviours and mindsets that support the desired culture. A clear target state not only provides a basis for measuring where the culture of the business is now, but establishes the roadmap for the future.

How we can help

We can support you to establish a robust framework for ownership and governance, assist in clarifying and articulating the values and risk appetite of the organisation, and develop a target state for your risk culture.

By designing a target risk culture state that is right for you and building the supporting frameworks, we help organisations establish and sustain their risk culture approach.

Our services include:

• Eliciting the ethical framework of purpose, values and principles and supporting embedment across the business

• Designing target risk culture state

• Risk culture framework development

• Measuring risk culture

• Changing risk culture

• Risk transformation and change

• CPS220 review

• Board risk culture programs

Page 7: Enabling Risk Intelligent Cultures - Deloitte


Spotlight: Risk culture within a CPS220 Assessment

Aligned with recommendation 5.6 of the Hayne Report, we believe there are five critical components that make up a cohesive and comprehensive approach to risk culture within organisations. Using our methodology, we test an organisation’s approach against a number of assumptions that articulate ‘good practice’ when it comes to having a risk culture approach.

Our flexible model explores both the design effectiveness and operational effectiveness, meeting your obligations for your CPS220 Assessment, and allowing boards and executive teams to understand the effectiveness of their risk culture approach on risk management.

[Figure: Design Effectiveness and Operational Effectiveness]

Case Study: Risk culture framework in an international bank

The Australian branch of a large international bank sought to undertake its first step in understanding and strengthening its risk culture, and develop a robust risk culture framework to guide a consistent approach going forward.

Deloitte supported our client to implement a comprehensive and holistic approach to risk culture. This included conducting an organisation-wide survey and deep-dive risk culture assessment, which informed the development of a risk culture target state and action-planning with the Executive team. Over a 6-month period, we provided support and guidance to the internal risk team to develop a risk culture framework, including governance, accountabilities, measurement and reporting on risk culture. The organisation is now confident it is developing a robust risk culture framework that will enable ongoing measurement and reporting of risk culture to the Executive, Board and regulators, aligned to CPS220 requirements.

Page 8: Enabling Risk Intelligent Cultures - Deloitte


Providing reliable insight into strengths and gaps, enabling targeted insight-driven actions, and a robust approach to monitoring change.

Measuring and reporting risk culture

A comprehensive risk culture approach requires an appropriate measurement framework tailored to the size and complexity of the organisation. Whether covered by APRA regulations or not, in his final report of the Royal Commission, Hayne recommended all entities should, as often as reasonably possible, take proper steps to assess the entity’s culture, identify and address any problems, and determine whether change has occurred. To address all components of this recommendation, Boards and Senior Management teams require a robust approach to measuring and reporting on risk culture.

What is a robust approach?

As culture measurement methodologies continue to evolve and mature, there is a key guiding principle organisations should consider.

Risk culture measurement must be holistic, using multi-source data and root-cause analysis to truly understand and enable change to occur.

Methods of assessment

Through APRA’s review of self-assessments conducted in 2018, a key shortcoming observed was the overreliance on surface-level assessments (e.g. survey-only). The Prudential Regulator emphasized the need for organisations to use multi-source data and assessment techniques to inform (and subsequently address) root cause. Identifying the drivers of your risk culture change means leveraging the full range of available data for insights and to identify root causes.

Risk culture metrics should also be included in regular risk reporting to the board and management, building a statistical relationship between the cultural metrics and their impact upon other traditional risk management metrics.

Governance and reporting

Boards and Senior Management should be supported by governance and reporting structures that enable them to form an accurate, insightful and actionable view.

Risk categories

Our approach to risk culture encompasses all risk classes managed through an organisation’s Risk Management Framework. We work with you to develop a customised approach tailored to your Framework, flexing up and down into specific categories based on your objectives and challenges.

We also frequently support organisations to conduct risk culture assessments with a specific risk lens, such as financial crime, cyber, health and safety, climate change, conduct and compliance.

Page 9: Enabling Risk Intelligent Cultures - Deloitte


DASHBOARDS & REPORTS: Tracking survey distribution, response and completions

QUANTITATIVE RESULTS: Results by dimension and individual question, with appropriate comparisons

QUALITATIVE INSIGHTS: Sentiment analysis (Positive, Neutral, Negative), and thematic analysis

DEMOGRAPHIC ANALYSIS: Comparisons across demographic groups, with identification of statistical significance and of ‘hot spots’

Case Study: Integrated risk and organisational culture framework for an international insurer

The subsidiary of a major international insurer sought an integrated approach to measuring the risk and organisational culture founded on their group-wide values.

Working with the leadership, we co-designed the desired target culture state and supporting behaviours across the organisation. We then reviewed previous assessments and data to determine the current culture state relative to their target and developed a road-map for change across the business. Based on this, we then designed the culture change program, identifying the key actions to deliver lasting change, along with detailed board reporting and high-level dashboards.

The client’s Board were able to confidently communicate an understanding of the organisation’s culture for the purposes of a regulatory self-assessment and able to develop insights to drive culture transformation.

Page 10: Enabling Risk Intelligent Cultures - Deloitte


Internal Audit can provide ongoing visibility of risk culture when equipped with the right capability.

Spotlight on Internal Audit

How we can help

The approach taken to assessment may vary from providing behavioural insights related to internal audit findings through to deeper assessments of culture that explore mindsets, and underlying drivers of culture-related vulnerabilities. We work closely with clients to establish an approach tailored to the IA function and organisation, including:

Recognising the role internal audit can play in assessing culture

The Internal Audit (IA) function is uniquely positioned to provide regular, timely and insightful perspectives on the way people think and behave across the organisation in the course of their work. The Association of Internal Auditors Australia has included specific recommendations for its members in using a variety of techniques to produce cultural insights and identify behavioural flags in their audit activities.

We have worked with numerous clients to develop and enhance Internal Audit’s capabilities to undertake a range of cultural and behavioural assessment activities. While the purpose of IA’s assessments vary depending on the positioning of IA within the organisation and the function’s maturity, all IA functions have a critical role to play in examining risk.

CONTROLS CULTURE: The influence of mindsets & behaviours on control effectiveness

RISK CULTURE & CONDUCT: Assess the influence of mindsets & behaviours on risk management, including conduct and compliance risk

ORGANISATIONAL CULTURE: Identify risks resulting from the misalignment between the lived mindsets & behaviours, and the desired culture

Methodology: A framework and approach that achieves IA’s objectives, aligned with existing methodologies within the organisation (e.g., purpose and values, RAS and RMF, Code of Conduct), leveraging data through advanced analytics, and fit-for-purpose given IA’s positioning and remit within the organisation.

Capability: Identifying the competencies and technology required to deliver the methodology, building or acquiring the capability through customised development programs, and mapping out the pathway to maturity.

Implementation: Developing and executing the implementation plan, which often includes piloting the methodology with the tailored support based on capability, providing confidence to stakeholders and enabling continuous improvement on the path to maturity.

[Figure: Methodology (Framework, Approach, Tools); Capability (Competencies, Development, Roadmap); Implementation (Planning and execution, Tailored support, Continuous improvement)]

Page 11: Enabling Risk Intelligent Cultures - Deloitte


Case Study: Internal Culture Auditing

A large global mining organisation sought to proactively strengthen its approach to risk management through the Global IA team, enabling the board to better oversee and monitor the organisation’s culture, and risk management.

A customised framework and hypothesis-based approach was developed aligned to the organisation’s values, to identify the target risk culture and enable assessment within each internal audit, leveraging quantitative and qualitative data. The approach ensured target risk-culture behaviours supported the strengthening of the overall organisational culture by being evidence-based, supported by data and analysis, and focused on continuous improvement. Insights from the work undertaken provided an assessment of the current state relative to the target state, and identification of opportunities to mature the risk culture over time.

Case Study: Risk and controls culture assessment in aged care

An aged and disability care provider sought to understand their culture, its impact on risk and control effectiveness and how they could strengthen it to meet a changing regulatory landscape and the risks stemming from COVID-19.

Deloitte was engaged to conduct an assessment of the drivers of cultural strengths and vulnerabilities across the business. A customised survey based on Deloitte’s Risk Culture model was designed and deployed, followed by in-depth structured interviews led by our risk culture specialists to gain insight into the culture drivers underpinning the effectiveness of their controls. The client is using these insights to target action to strengthen their control environment to meet their changing risk profile.

Page 12: Enabling Risk Intelligent Cultures - Deloitte


Strengthening an organisation’s risk culture requires both a focused effort and the direction of leadership.

Changing Culture

Changing organisational culture can be a long, slow process. For many organisations, it is not simply a transition from current state to desired state, but an ongoing evolution. Diligent tracking of progress, combined with the ability to adjust and adapt through the culture change journey is the key to success.

A regulatory imperative for change

In 2018, APRA’s self-assessment review highlighted the prevalence of persistent systemic issues in the organisations assessed. APRA noted that this appeared to be underpinned by the fact that organisations still did not always understand, assess or sufficiently address culture issues. Meanwhile, the Hayne report reinforced the need for organisations to ensure and sustain change; under Recommendation 5.6, Hayne further recommends that organisations not only assess, identify, and deal with culture problems, but also determine whether these changes have been successful.

But where does culture change start?

Culture change starts not only with a vision for the desired future state, but a thorough understanding of the current state.

The initial focus should be on building cultural awareness, predominantly through communications and education, but it shouldn’t end there. Cultural improvement is likely to require meaningful changes to established ways of operating, using all the levers of change available. Once the desired risk culture has been established, the organisation should continually refine it to reflect ongoing changes in business strategy.

Throughout this process, leaders will play an important role in influencing and supporting the culture change.

A framework for culture change

Organisational culture is built and maintained by the stories, symbols, actions (habits), influence (power sources), systems, and structures which form each organisation’s operating context. At Deloitte, we believe that we need to align culture to the purpose, values and risk appetite of an organisation through a systemic lens. Our work, worker, workplace model ensures you consider all the culture change levers that will enable a sustained transformation.

• Work (Process, Systems): The systems and processes that determine priority and focus

• Worker (Leadership, Behaviour): The leadership capability and behaviours that bring values to life

• Workplace (Organisational Design, Workspace Design): The organisation and workplace design that reinforce cultural values

Page 13: Enabling Risk Intelligent Cultures - Deloitte


Case Study: Cyber-secure culture at a major construction company

A real estate and construction firm needed to build a strong cyber awareness program and change the culture of security throughout the business. Deloitte was engaged to review the information security function and the current culture to build a roadmap to maturing their security culture. Combined with a cyber risk transformation, we designed a suite of awareness and training programs, including digital learning modules, installations and awareness campaigns, and a live hacking demonstration, delivered at scale throughout the organisation. As a result of the work we delivered, the company has a fully integrated approach to cyber prevention.

Case Study: Big 4 Australian Bank

When a large Australian bank needed to increase awareness and build capacity to assess financial crime risks, we delivered a comprehensive program leveraging cutting-edge methodologies.

We developed and delivered a deep review into the cultural strengths and vulnerabilities of the division across a four-month period involving 120 interviews over two months across five countries. To address the identified underlying drivers and root causes of culture-related vulnerabilities, we developed an integrated AML leadership training and an immersive training experience to raise awareness and build the profile of the AML compliance teams.

Page 14: Enabling Risk Intelligent Cultures - Deloitte


Pulling different culture levers and the ability to adapt as change occurs is critical to achieving successful change.

Changing Culture (contd)

How we can help

Deloitte’s Work, Worker, Workplace model enables us to identify key culture levers that will help engender change. We can tailor our range of culture change programs, leadership masterclasses and coaching, staff training, and artefact development to suit different risk classes, enabling an uplift of your risk culture.

Our services include:

• Culture transformation programs (design and delivery)

• Risk transformation impact assessments

• Risk leadership assessments and masterclasses

• Risk culture awareness campaigns and training

• Ethical and responsible decision-making frameworks

• Ethics capability development programs

Spotlight: Risk Leadership

The way people think about, identify and manage risk is heavily influenced by their leaders. Senior leaders at the top of the organisation set the tone for risk, which is then cascaded down through each leadership level.

The ‘tone’ determines the workplace norms and accepted behaviours, and shapes the characteristics of the organisation that are beyond the reach of policies and systems. Setting the right tone for risk is what enables the organisation to harness positive risk opportunities and manage the negative risks it is exposed to.

Our Risk Leadership Assessment provides evidence-based and targeted insights to guide leadership development and transform the tone leaders set, to achieve positive risk outcomes.


Spotlight: Responsible Decision-Making

As leaders we cast an ethical shadow, which our people follow. When it comes to the difficult decisions, where there may not always be a ‘good’ or a ‘right’ answer, there are steps you can take to help you find the right outcome.

01. Inform: understand the problem with the right people and information to assess the options.

02. Decide: consider purpose, values and principles in light of the problem.

03. Act and communicate: agree on the steps and communicate the decision.

04. Revise and evolve: measure the actions to ensure their desired impact on the business, people and the environment.

Case Study: Responsible decision-making in a global construction and engineering firm

A global construction company wanted to meet changing stakeholder expectations on corporate responsibility by developing a responsible decision-making framework.

Reviewing key artefacts and past decisions, Deloitte helped the client define their unique decision-making framework. Workshops and interviews with executive staff and leaders within the organisations guided the structure of the framework. The decision-making framework is currently embedded within executive decision making, and is being embedded across the business and through systems and processes. The impact of the program has been faster and better decisions delivered through greater collaboration and with greater transparency, and is realised as a key condition in the business’ transformation to a sustainable future.


Evaluation should be a central consideration of risk and risk culture transformation programs and be focused on both the short and medium term outcomes and longer term impact.

Evaluating change initiatives

Evaluating the impact of risk culture transformation efforts is critical to demonstrate and embed lasting change. Combining best practice approaches from behavioural science and social impact measurement, we design an evaluation approach that maps the causal logic of the change initiatives and the intended short, medium and long-term outcomes, and then measures how the program delivers.

Key principles:

01. Evaluation must be planned at the same time as the intervention.

• Changing risk culture is challenging, requiring simultaneous interventions targeting people, processes and systems. As such the outcomes can seem intangible and difficult to accurately measure. When evaluation is planned and designed as a central pillar of the transformation, it’s not only possible to evaluate whether the intended outcomes have been delivered after the transformation, but also to monitor progress during the implementation.

02. Be clear on the underlying logic of the intervention.

• Defining the program logic of the transformation provides the bedrock for the evaluation.

• A program logic statement, in its simplest form, is a series of cause-effect statements underlying the planned transformation. Understanding the multiple ‘if we do x, it will result in y’ connections provides a strong basis for both the strategy of the transformation and the evaluation.

03. Separate outputs from outcomes and define the right indicators.

• Outputs are the tangible products of the intervention such as a training program or system implementation. The outcomes are the intended changes in risk management behaviour that the outputs are supposed to drive. Assessing the right indicators for short, medium and long term outcomes allows a structured and reliable evaluation throughout the transformation program.

Intervention Planning

• Map the underlying logic of the transformation program and intended short, medium and long term outcomes.

• Develop an ideal target state of how people in different positions should think, feel and act about risk following the changes (mindsets and behaviours).

Design Evaluation

• Identify existing metrics related to the short, medium and long term outcomes.

• Develop targeted assessment methods to assess changes in mindsets and behaviours.

• Plan the evaluation to leverage the timeline and approach to rolling out the transformation.

Baseline measurement

• Undertake the measurement prior to rolling out the transformation program.

• Build a view of the relationships between different metrics and key trends and differences.

Post-measurement

• Repeat the measurement following the intervention or at an appropriate time during the rollout.

• Analyse the change across the timepoints.

• Re-examine the relationships between the metrics and assess changes across the ecosystem.


Deloitte

225 George Street

Sydney, New South Wales

Australia

Tel: +61 2 9322 7000

Fax: +61 2 9322 7001

www.deloitte.com.au

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organisation”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organisation”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

About Deloitte Asia Pacific

Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.

About Deloitte Australia

The Australian partnership of Deloitte Touche Tohmatsu is a member of Deloitte Asia Pacific Limited and the Deloitte organisation. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, risk advisory, and financial advisory services through approximately 8000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at https://www2.deloitte.com/au/en.html.

Liability limited by a scheme approved under Professional Standards Legislation.

Member of Deloitte Asia Pacific Limited and the Deloitte organisation.

© 2021 Deloitte Touche Tohmatsu.

Designed by CoRe Creative Services. RITM0631482

Contact us

Victoria Whitaker

Partner | Risk Advisory

Ethics & Risk Culture

Sydney, Australia

+61 (0) 424 206 631


Liam O’Neill

Senior Manager | Risk Advisory

Ethics & Risk Culture

Sydney, Australia

+61 (0) 400 012 604


Murray Lawson

Director | Risk Advisory

Ethics & Risk Culture

Sydney, Australia

+61 (0) 410 620 417
