Richard Baker stresses the need to align risk culture with that of the organisation and suggests ways of developing an effective approach

Use of the term ‘risk culture’ is now commonplace. There is no question that risk management as an organisational discipline has come a long way, particularly in the last 10 years. Yet, whatever we choose to call it, how clear are we about risk culture? As Eric Holmquist put it ‘Risk culture. Profound, but at the same time meaningless. It means everything, it means nothing’ (Risk Culture, Op Risk and Compliance, 1 March 2007).

At a time when much effort is being focused on the more mechanistic aspects of risk management (ie the risk identification and assessment process, the loss event process, the risk policy, key risk indicators, etc), not only do we continue to see significant unexpected events that risk management was meant to help reduce, but we often struggle to get genuine business support for the processes. While recent examples have been in the financial services, where there may be high reward for high risk (although perhaps not this high!), once again these events are often the result of people’s actions and their underlying behaviours. Perhaps we should take a bit more time to understand and work with this risk culture phenomenon.

Risk culture

Risk culture represents a number of things: our willingness to take or avoid risk; the extent to which we are aware of, understand and communicate the risks we choose to take; and the activities we undertake, and their extent, in the management of risk. By the term ‘risk’ here, I mean both the risks and opportunities we choose to take and the risks and losses we are prepared to accept.

One could argue that these are the symptoms of a ‘good’ risk culture and that it is the organisational behaviours we display in conducting the above that constitute the risk culture itself. It is these behaviours that are often overlooked and, perhaps more subtly, our level of awareness that all of this is going on as an organisational dynamic is generally limited.

Why is this aspect of risk management so often overlooked? In my experience this is a challenging area and all too easily left in the ‘difficult to deal with’ tray, while we plough ahead with the more mechanistic aspects of risk management. It is clear that while risk culture is not easy to describe, it is organisational culture that underpins it.

Organisational culture is an area that has been well described, and for which there is much experience and a mountain of literature. Without going into detail, there is one aspect that is important to mention. This is that an organisation’s risk culture is a sub-set of the organisation’s culture. Therefore if we want to have a chance of addressing our risk culture, it is important to understand our organisational culture and ensure that our risk management efforts align with it. This might appear like stating the obvious, but if we set ourselves lofty ambitions for risk management and the benefits it will bring, but do not include how we intend to affect organisational behaviours, we are likely to come unstuck.

Organisational culture

The Collins English Dictionary defines culture as concerning ‘ideas, beliefs, values and knowledge’. These are, most importantly, characteristics or attributes which we always associate with human beings. Indeed, most of the major risk events we are familiar with involve people and their behaviours. Even when these events are put down to systems or processes, the underlying cause is often the human involvement in them.

Organisational culture is built through tradition, history and structure. We often describe this as ‘the way we do things around here’, which is determined by the organisation’s legends, rituals, beliefs, values, norms and language. These inevitably reflect what it has been good at and what has worked in the past. While this may well be relevant for the future it would be dangerous to take that for granted – something I suspect many of us do.

Importantly, whatever we say about ‘the way we do things around here’ is not necessarily what is going on on the ground. In reality, the behaviours that are happening today are a representation of the culture today. This is, not surprisingly, heavily influenced by senior management and their present behaviour, which does not necessarily echo the past. My experience is that, while the legends may be fixed in the psyche, today’s behaviours are changing all the time and ‘consciously or otherwise managers set the standards for risk culture by the way they behave’ (Howitt, J, Mainelli M & Taylor C: Marionettes, or Masters of the Universe – The Human Factor in Operational Risk, a special edition of the RMA Journal May 2004).

This reflects the work on organisational culture by Edgar Schein, who suggests that the professed culture may not be reflected in the actual behaviours in the organisation and it is in these that the tacit assumptions and unspoken rules are found. The risk culture is as much about these tacit assumptions and unspoken rules as it is about the formal rules. At its simplest level this reminds me of the relationship we adults often have with children, that of the ‘do what I say not what I do’ kind. The members of the Enron board chose to waive the company’s code of ethics – one cannot write down rules to account for this!

While many of us will have experienced culture change programmes that have not delivered what they promised, it is accepted that organisational culture can be created. The universal lesson is that it is virtually impossible without commitment from top management and tangible benefits for everyone else. This then applies equally to risk culture.

Characteristics of risk culture

The characteristics of a strong risk culture are those which support the willingness to take or avoid risk; the extent to which we are aware of, understand and communicate the risks we choose to take; and the activities we undertake, and to what extent, in the management of risk. I describe below those characteristics I would expect to see where a sound risk culture is established. No doubt they are not exhaustive.

Awareness

Having a high level of awareness of risk is key. Unfortunately we have created such a lexicon for risk that it can end up in confusion rather than clarity and awareness – risks, issues and losses; inherent and residual risk; expected and unexpected loss; probability, likelihood, frequency and confidence levels. We speak of a desire for knowledgeable risk taking, but what risk are we talking about? There is the frequent misperception that the objective is to eliminate risk rather than to manage it to an acceptable level, often brought about by an over-emphasis on controls and their strength.

There is also a dangerous assumption in the often-heard statement ‘managing risk is something I do every day’, or ‘managing risk is intuitive’.

Of course these are true to some extent, or at least they should be, but there are different levels of competence. Competence in risk management, as for other skills, follows the stages described by the ‘conscious competency model’. These stages start with unconscious incompetence and move through conscious incompetence, conscious competence and finally unconscious competence. The dangerous assumption is therefore whether this ‘intuitiveness’ is competence (unconscious) or incompetence (unconscious).

One only has to speak to a handful of executives to discover that they are likely to have different levels of risk awareness, yet their behaviour is a cornerstone upon which the risk framework is built. As Einstein said: ‘Any fool can make things complicated – it takes a genius to make things simple’.

Responsibility

People must not only take responsibility for what happens but they must be held accountable for it too. This sounds rather obvious but there is often ambiguity about responsibilities in cross functional or cross business processes, particularly where a risk caused in one area may have impact in another. The enemy of responsibility is blame culture – if we want people to avoid taking responsibility then blame them when something goes wrong.

A reflection of this attribute is where people are prepared to take on additional responsibility, particularly for those sometimes grey areas on the boundaries where there is a tendency to say ‘that’s not my problem’. When this works well it is a sign that people are interacting outside their silos.

Empowerment

A close relative to responsibility is empowerment. Empowerment is about giving people the authority to make decisions, and that includes taking and accepting (and refusing) risk in those decisions. In a ‘power culture’, where a small number of individuals make the key decisions, not only do people feel disempowered but it can often slow down decision making. Effectively empowering people is not easy; it requires clear expectations to be set about boundaries, limits and escalation, and it is in these that risk plays an important role.

Openness, transparency and trust

In a culture where we want openness and transparency about risk, we must build trust. Put simply by Stephen M Covey (The Speed of Trust, 2006 Free Press, Getting a Handle on Trust), ‘Trust means confidence. The opposite of trust – distrust – is suspicion’. As with responsibility, a blame culture is extremely damaging to openness, transparency and trust. This confidence is necessary for people to feel free to volunteer risks (potential future losses) without feeling they are opening themselves up for attack.

I know of one organisation where a risk management initiative has been to coach senior management in how to receive bad news and their staff in how to give bad news.

A learning culture

The method by which we improve (our skills, our competencies, our processes) is by learning, and while we can learn from theory we learn better from experience. I suspect everyone agrees with this statement, yet how well do we use this opportunity to improve? As was once said, ‘The only mistake is not to learn from our mistakes’. So, conducting post mortems on major projects, initiatives and decisions is extremely valuable. Where this often falls down is that it is easy to focus on what may not have gone right, and if this is not done in the spirit of openness, transparency and trust, people are unlikely to fully engage. One can also learn from what went right as well as what went wrong.

The famous Toyota culture of continuous improvement is about everyone within the organisation, from executives to shop floor workers, being challenged to use their initiative and creativity to experiment and learn – and they are supported at every step. This is thinking ahead rather than just responding to events.

Communication (and clarity)

In our fast-moving world, communicating with clarity is becoming rarer, and there is an increasing danger of misunderstanding and ambiguity. How one communicates risk is a real example of this. We simplify risk to a sentence, or even a few words (‘reputation risk’), and expect everyone to have the same understanding. We need clear communication, we need to listen (to understand, not to respond) and we need to be encouraged to challenge assumptions.

Developing a risk culture

So where does this leave us in developing our desired risk culture? First a reminder: there are no easy answers. Each organisation has, and probably needs, a different culture with different characteristics, and risk culture, as a sub-set, has to work with this. Trying to empower people in a ‘power culture’ will be problematic! There are mechanisms to support risk management, and at their heart lie people, and people have behaviours. Nevertheless there are some steps that can be taken and here is my advice.

1. Understand the organisational culture and look at the characteristics of a sound risk culture

It is important to understand the organisational culture, the ‘way things are done around here’, the tacit assumptions and unspoken rules, the legends and whether today’s behaviours still fit them. Look specifically at the characteristics described above and determine where the organisation is. It is gaps in these desired characteristics that one can then begin to address. Where awareness is low, it is likely that some training and education will be needed. Other barriers we will need to overcome in developing risk management include blame culture, silo behaviour, or too much focus on controls.

2. Reward and personal development

Reward and personal development play an important part in one’s ability to develop a sound risk culture. How organisations motivate and develop people has a bearing on the risks they end up taking, consciously or otherwise. Strong financial incentives can lead to results. They often also bring unintended consequences, as we have again seen recently.

I find it interesting that risk management rarely appears in the competencies or values many organisations describe for themselves. The characteristics associated with good risk management are becoming better understood and some organisations are starting to include risk more explicitly in their competency matrix.

3. Commitment from the top and change management

When preparing a plan, remember this requires a change in culture and the universal lesson applies: it is virtually impossible without commitment from top management and tangible benefits for everyone else. This won’t happen by accident – work has to be done to gain the commitment and demonstrate the benefits.