Organisational cultures can either enable or inhibit effective risk management through either constructive or defensive behavioural norms respectively.
When there is a constructive organisational culture, people want to, rather than have to, manage risks and do good risk management. When there is a defensive organisational culture, people avoid doing good risk management and only do risk management when they have to or are being forced, either by management or regulators, merely as a tick-the-box compliance exercise.
An organisational culture that enables effective risk management is built on some of these constructive behavioural norms:
- Being clear about what’s expected and having clear examples of what people should be aiming for.
- Having clear, realistic and challenging goals and objectives.
- Communication is comprehensive and regular.
- Communication is transparent and clear, in an environment of honesty.
- Solving problems effectively.
- Strive for performance and customer excellence.
- Enjoyment from work.
- Produce high-quality products and services.
- Continuously learn, grow, and take on new and interesting work.
- Supportive of each other.
- Encourage others to learn, grow and perform their best at work.
- Help others think and decide for themselves.
- Being constructive and open to influence in dealing with others.
- Build strong relationships.
- Being friendly, approachable, trustworthy, and collaborative.
- Planning and thinking ahead are emphasised, as are exploring options and opportunities.
- Encouraged to take moderate or calculated risks where they are well researched and thought out and serve the outcomes sought.
- Problem-solving involves all stakeholders so that issues can be anticipated, and contingencies provided.
- Calling out potential problems and barriers is encouraged so that mistakes are not covered up.
- Proactive prevention is a core strategy.
- Focus on continuous improvement. Forward-thinking, planning, exploring alternatives.
- Always challenging existing assumptions and forecasts – internally and externally.
- Aware of the cognitive bias to accept information that confirms.
- Communicates all aspects of risk-balanced and ethical decision-making regularly and relentlessly.
- Continually refines all risk management processes.
- Avoids leadership ‘kow-tow’ and sloppy group think.
- Encourages risk-taking, knowing that sometimes it will go wrong and may cost money.
- Has a continuous learning attitude.
Organisations with constructive behavioural norms can experience a situation where risk is being managed more proactively, especially through informal risk management mechanisms.
Collaborative ‘risk culture’
Constructive behavioural norms tend to lead to the creation of a collaborative ‘risk culture’. It focuses on participation, interaction, social networks, and teamwork in identifying and managing risks. This type of ‘risk culture’ values the sharing of risk information and collaborating on tasks, especially risk management activities.
Risks, issues and near misses are openly discussed among members of the organisation. Meetings about risk and performance are participative, supportive, and interactive.
A collaborative ‘risk culture’ that is built on constructive behavioural norms can only propel the organisation towards calculated or controlled risk-taking, or towards making changes that have a lower risk of failure.
Defensive behaviours inhibit effective risk management
An organisational culture that can inhibit effective risk management is built on some of these defensive behavioural norms:
- Accountabilities and ownership are blurred, ambiguous or applied inconsistently.
- Communication is filtered and sketchy.
- Ad-hoc information is provided.
- Avoid conflict and keep relationships superficially pleasant.
- Be liked by others.
- Gain approval and support before deciding and acting.
- Follow rules, conform and don’t ‘rock the boat’.
- Make a good impression.
- Lack of initiative and slow action on issues that are identified.
- Covering up mistakes so as not to experience negative consequences through being blamed.
- Follow policies and procedures.
- Make popular rather than necessary decisions.
- Please those in positions of authority.
- Ask everyone what they think before acting.
- Avoid blame and shift responsibilities to others.
- Push decisions upwards.
- Take fewer chances.
- Lay low when things get tough.
- Gain influence by being critical and opposing the ideas of others.
- Find fault and focus on why ideas won’t work.
- Take charge and be controlling.
- Act forceful and tough.
- Play politics to gain influence.
- Compete rather than cooperate.
- Turn the job into a contest and out-perform peers.
- Avoid all mistakes.
- Work long hard hours.
- Do things perfectly, potentially missing deadlines.
- Making snap decisions without thinking them through or considering alternative solutions and all the facts.
- Being set in thinking and not open to others’ influence.
- Being critical and wanting to maintain superiority (point scoring).
- Over-working a problem rather than dealing with it.
- Reactive damage control is a core strategy.
- Focus on short-term results.
- Trading off longer-term needs in favour of being seen to comply in the moment.
- “Getting through” the moment.
Organisations with defensive behavioural norms can experience a situation where risk is being managed more reactively from a compliance perspective, especially through formal risk management mechanisms.
Controlling ‘risk culture’
Defensive behavioural norms tend to lead to the creation of a controlling ‘risk culture’. It encompasses the attributes of formality, conformity, and dependability. This type of ‘risk culture’ may encourage members to make decisions that support safe courses of action. Information may not be shared quickly or easily.
This outcome may result in organisational members behaving in ways that conform to accountability and consistency while depriving them of decision-making opportunities. They are expected to follow defined processes and rules rather than use their judgement in decision-making. This may hinder responsible risk-taking or trying innovative approaches to managing risk, resulting in a culture of risk aversion, and possibly blaming others if things do not go to plan.
Many organisations use risk management as a box-ticking compliance exercise to develop a controlling ‘risk culture’. Characteristics of the controlling environment may help protect organisations from making reckless, excessively risky decisions, and enable them to develop coordination and stability.
Risk-averse culture
A controlling ‘risk culture’ that is built on defensive behavioural norms can only propel the organisation into risk aversion.
The signs of a risk-averse ‘risk culture’ include:
- Employees hear more “No” than “Yes” to their ideas.
- Employees make suggestions and receive no feedback.
- Employees submit ideas but see no implementation or action.
- Employees show signs of disengagement.
- Managers do not deliver, or leadership lags or refuses to implement new strategies or concepts.
- Little or no cross-functional collaboration with each team working in silos.
Key differences between controlling and collaborative risk culture
The key differences between collaborative and controlling ‘risk cultures’ are shown in the table below. (Modified from Park, 2019)
Beware of complacency, reactivity and ‘good intent’
Boards may exhibit a high level of trust and confidence based on a collective belief that the organisation is ‘well run’ and ranking well on financial measures. This can also contribute to a level of complacency, reactive behaviours, overconfidence, and a ‘dulling of the senses’ within boards to signals that might have otherwise alerted them to a deterioration in the risk profile, and a movement outside of the risk appetite.
High levels of trust, ‘good intent’, and ‘over consulting’ can create a lack of intellectual curiosity and critical thinking about the ‘bigger picture’ and the full depth of risks.
Trust must be continuously validated through strong metrics together with healthy challenges and oversight. ‘Good intent’ must not be readily used to excuse poor risk outcomes.
References
Park, Y.J. (2019) ‘Risk Culture and Risk Management in the Australian Public Sector’, The Australian National University (Australia), ProQuest Dissertations Publishing 28758924.
Professional bio
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
Given that improving risk culture and maturity has become top of mind for many executives and risk professionals, he has conducted in-depth research into the topic and written several articles, which can be found at https://practicalrisktraining.com/risk-culture.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution.