Companies are investing heavily in GRC tools, but often lack the ability to measure risk behaviour and culture, says Justin Greenstein

Since the Global Financial Crisis, when some of the world’s largest financial institutions failed or had to be bailed out due to excessive risk taking, companies around the world have invested heavily in their governance, risk and compliance (GRC) capabilities, explained Justin Greenstein, a director of Business Olympian Group. Yet in spite of these GRC tools and techniques there are still failings, often when it comes to behaviour and risk culture.

Presenting as part of StrategicRISK’s #changingrisk series, Greenstein explained that in many cases, the misconduct uncovered by the recent Hayne Royal Commission in Australia had occurred due to gaps in controls that had been exploited by employees. “Teams within organisations were starting to find where the gaps were and behaving in ways to circumvent those controls, in a way they could justify,” he explained. “They could say they were being customer-centric, rather than misselling products to people who couldn’t afford them.”

The challenge for risk managers is finding ways of measuring non-financial risks such as risk culture. Greenstein believes many traditional approaches to risk management need to shift so there is more of a focus on culture, with clear data points to help risk managers report their findings to the board.