Risk Culture and Values
The foundations of your risk culture are your organisations culture.
A number of contacts have asked for reference lists or models that would help them think through risk culture and where they might start in order to build an improvement initiative. This post is an attempt to respond to those requests with a focus on values as a foundation for healthy risk practices. Further posts will deal with other aspects of risk management and the link to culture.
If your culture is healthy then your risk culture will be in a good place and will respond rapidly to appropriate risk management improvement initiatives. If your culture is unhealthy then it is almost certain your risk culture will be too.
Figure 1.
Much of my experience has been in organisations where physical safety of employees or the customer, as end user of the product, has been paramount e.g. mining, manufacturing and wine production and sales. This has led to very effective initiatives around safety such a as safety leadership, safety values, safety systems and so on. In the right hands this type of safety culture initiative is very effective.
However when tasked with improving “risk culture” in the organisation it is a much wider range of consciousness and capability that has to be considered. Figure 1 captures the breadth of consciousness required. We are not just looking at one aspect of the operations of the organisation which we can generalise principles of leadership too. We are certainly not just building a compliance function to meet regulatory risk.
We have to be able to improve risk management from the boardroom to the front line and from our strategic plan to our day-to-day work with customers and other stakeholders. The pressure to do this work is reflected in the headlines.
- The Macondo disaster (BP) can be attributed to an organisational culture and incentives that encouraged cost cutting and cutting of corners. (National Oil Spill Commission: Deepwater – Report to the President, January 2011)
- Underlying deficiencies in management, governance and culture made it prone to poor decisions. (FSA Chairman Lord Turner quoted in 2011 FSA Report on RBS)
- Target USA tried to open 130 stores across the country all at once
- Key individuals have enriched themselves at the expense of others–Lehman Bros CEO
- Key systems were attacked and are no longer working – MAERSK up to $300M in losses
- Money laundering for the Sinaloa cartel – HSBC
In Australia we have had six Royal Commissions and we currently have another two operating. They are all dealing with systemic failures of governance and culture in significant segments of our society.
Culture definition:
A pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel
– Ed Schein
I always start with Ed Shein’s powerful definition of culture. It specifies what it is that we are seeking to improve.
The foundations of a healthy and resilient culture are;
- Shared Vision and Purpose
- Shared positive norms, values, beliefs
This is as true for “risk culture” as it is for any critical factor in the organisations performance, for example Customer Service.
In Figure1. we see Level 1 values will support an environment of psychological safety and enable challenge of the status quo within the group. With risk work it is imperative to establish a baseline and in this case we want to know the values in use and create a gap analysis against Level 1 values to support an improvement plan.
The Level 1 values:
- Care
- Inclusion
- Trust
- Achievement
These values and values with similar themes will support a positive risk culture. These values help create a work environment where employees feel safe to speak up, trust their insights will be listened too and their work impacts the organisations performance. In other words these values will support the behaviour that is conducive to effective risk management practices
Risk Management typically seeks to address matters of:
- Ethics (moral values with regard to stakeholders)
- Risk appetite
- Enterprise risks (there is a wide range of these)
- Operational risks
The documents that we typically observe in a risk aware culture deal with the:
- Risk Frameworks, Principles, Policies and Process
- Risk Information systems
- Risk Function
- Risk Accountabilities
- Risk Behaviours
So what is the culture problem?
- Organisation culture is not uniform. Different departments, functions and business units have different cultures. So we must identify and embrace difference and build on it if we want a healthy risk culture.
- The culture of the governing cohort will be different to the rest of the organisation. We must understand and develop values coherence between levels of the hierarchy.
- Personal consciousness is not enough. The level of personal consciousness required and the group dynamics needed to learn how we got our strategy wrong; that our ethical range is too limited or that our business model is flawed is not common.
In Figure1. the values needed to engage with risks arising from disconcerting emerging challenges and opportunities are the Level 2 values.
These Level 2 values are:
- Openness
- Awareness
- Humility
- Ethics
These values, or values that capture similar themes, will support a positive risk culture within the governing cohort of the board, executive leadership and senior management.
These values help directors and executives inquire into feelings of dissonance as it arises from challenges to strategy, examine their concepts of value creation and destruction for stakeholders and reframe and nuance their understanding of how the business model interacts with the environment.
When a governing cohort is able to live these values appropriate risk management practices will be able to be developed and embedded. This assumes a level of strategic competence and intellectual horsepower normally associated with people in executive roles.
In summary risk culture benefits from Level 1 and Level 2 values. Level 1 values will support speaking up to either highlight problems or present new ideas for improvement while working to make improvements in the organisations performance. Level 2 values will support generative inquiry, adjustment of risk management strategy and reframing of ethical impacts on stakeholders as the environment changes and presents new information to us.
I have briefly covered off the Mindset or Worldview element of risk culture. Ultimately for a positive risk culture to manifest in improved decision making it must be supported with a “method” and a “business model”.
BRAKTEN CONSULTING will help you articulate your risk culture aligned to your strategic and financial goals.