Is your culture a healthy one?

Alexei Sidorenko has followed the trend and provided us with some help with “risk culture”.

I am not a fan of this latest fad.

I think we should focus on whether the culture of the organization is healthy, in that it promotes desired behaviors.

Last year, I wrote “Is there an effective risk culture?” It centered on the work of Horst Simon, who describes himself as a “Risk Culture Builder”. He defined risk culture:

  • “Risk culture is the system of values and behaviours present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” (NC State ERM Initiative)
  • “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” (Institute of Risk Management[1])

The year before, I covered work by the Institute of Internal Auditors Australia. They have a different set of definitions that I like more.

Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary.

Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.

Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some definitions of risk culture also incorporate the group’s underlying values and assumptions about risk management, and others incorporate policies and systems. In large organisations, subcultures often form in different areas and even in specific teams with different managers. Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.

Does it make sense to focus on one dimension of culture, that relating to risk? Or should we recognize that there are many dimensions and they may actually be in tension if not conflict with each other – such as compliance, risk, and entrepreneurship?

In a 2018 post, I quoted Deloitte:

Culture matters, because a strong, positive corporate culture provides a framework not only for risk mitigation, but also for both short- and long-term value creation. It aligns values, goals, behaviors, and systems throughout the organization in ways that can have favorable impacts, both internally (for example, through positive employee engagement or by facilitating optimal performance or a strong safety record) and externally (through positive branding, reputation and competitive advantage).

On the other hand, a damaged or broken culture can create dysfunction throughout the organization and create risk to critical assets, including brand reputation, intellectual property, and talent. As recent developments demonstrate, these and other negative impacts can destroy value and, ultimately, the organization itself. An important takeaway from the above is that a strong, positive culture is an important asset of any organization that should be supported and protected. It is not merely a “soft” issue of interest to investors and the media; rather, it can be critical to the company’s growth and performance.

I then asked these ten questions:

  1. How have you defined the culture you want the organization to have?
  2. Does it include all forms of desired (and less desired) behavior?
  3. How have you communicated this to everybody involved in the organization’s success?
  4. How have you ensured everybody understands?
  5. Are there repercussions for unacceptable behavior, even if there is no breach of law?
  6. How do you know whether behaviors across the organization reflect the desired culture?
  7. What is the level of noncompliance, how do you know, and is it acceptable? If not, what are you doing about it?
  8. How often is culture discussed, measured, and who is involved?
  9. Do our employees agree our stated culture is appropriate and is in place? How do you know?
  10. How can you keep us assured of an appropriate culture, especially as the environment changes, including the onboarding of new management and staff, completion of acquisitions, and so on?

When I talk about “defining the culture”, I am talking about the need for the culture to:

  • Encourage teamwork and the sharing of information?
  • Focus on customer satisfaction?
  • Be cognizant of the organization’s reputation and its standing within the community?
  • Be ethical and compliant not only with applicable laws and regulations, but what is right and upholds the values of the organization?
  • Promote the whole organization rather than individual or team success?
  • Be entrepreneurial, creative, and imaginative, rather than stagnant?
  • Respect and develop every employee?
  • Focus on longer-term success and growth rather than only the short-term?
  • Be willing and able to take the right risks?
  • Act and make decisions at the appropriate speed?
  • Accept and not punish failures?
  • Focus on quality?
  • Have a strong work ethic?

Rather than asking about whether you have the risk culture you want, I prefer to talk about whether the organization’s culture promotes the healthy behaviors you need for continued success.

I also prefer to talk about how people make decisions rather than “risk culture”. When decisions are made:

  • Are they made by the right people?
  • Do they gather and use appropriate and reliable, timely and current information? Do they consult with others, especially others that may be affected by the decision?
  • Are they made at the right speed (right time) given the gravity of the decision, the need to obtain relevant information, etc.?
  • Are they adversely affected by individual or team bias?

Today’s post is complemented by a video where I discuss a number of healthy and unhealthy corporate cultures I have experienced. It helps me explain why I am more sensitive to other indicators of an unhealthy culture.

While risk culture is interesting, and there is some measure of value in understanding how risk attitudes are shaped, there are other dimensions that are usually more important and essential, making the difference between success and failure.

I welcome your comments.

  1. July 27, 2023 at 12:29 PM

    Thanks for the mention, Norman. At least as far as my part goes you may be overthinking it. In my new CRO role I created an action plan for myself to action the softer side of integrating into decision making and shared it as a downloadable. Something every CRO should do in my opinion. How you call it risk culture or something is so not important, the actions remain the same.

  2. Anonymous
    July 27, 2023 at 12:33 PM

    I agree, Norman. “Risk” culture is really just “good” culture; the same as “risk management” is really just “effective management”.

  3. David Michael
    July 27, 2023 at 5:58 PM

    Does it make sense to focus on just one dimension of culture, that is risk? No and clearly no because culture has many dimensions that are all important parts of creating organisational culture. One of the challenges is measuring culture in an effective and objective way that can be measured consistently, monitored, audited and changed to improve it and performance. Good article.

  4. Bruce W McCuaig
    July 30, 2023 at 6:35 AM

    It’s certainly true that risk management, like any other form of management, can be described in terms of desirable behaviors. But the measure of success is the achievement of intended business results that the behaviors achieve and the ability to adapt.
    In my experience with thousands of audit, risk, and other GRC disciplines and practitioners around the world success is not defined or measured. I have seen databases (evolved from manual workpapers to spreadsheets to sophisticated enterprise systems) listing risks, controls, issues, incidents, losses, audit findings and more with no link to each other, let alone any link whatsoever to any business objective or performance measure.
    The question isn’t what culture or behaviors achieve results, the question is what intended and measurable results are necessary, what behaviors are required to support and grow the business. “Culture”, as described, must be designed to achieve the intended outcomes and to evolve as necessary.

  5. Norman Marks
    July 30, 2023 at 6:45 AM

    Bruce, I agree that there has to be an emphasis on achieving enterprise objectives.

    But I am confident you have seen how culture can affect, both positively and negatively, the behavior and therefore the actions and decisions necessary to achieve them.

    We should be alert to undesirable behaviors and their root causes.

  6. Joseph Kassapis
    August 4, 2023 at 1:27 AM

    I strongly agree there is a big and (practically) mattering difference between “Risk Culture” and “Culture”. Much more to Culture and its impact on success prospects, than attitude to Risk. In the important sense that you can have such a thing as a healthy Risk culture and yet far from have Success. At your Objectives. However we stress and insist, and remind, that Risk Management is effectively Objective Management; unless we claimed, in terms of definition of “Risk”, that everything that can stop the Objectives from being achieved is Risk; as far as the downside is concerned; and, correspondingly, everything that can make them be achieved is also Risk, its upside. Which would be far too much, to claim on behalf of RM. If Success results, it surely does not follow it must be because of (good) RM; and if Failure, it cannot automatically and exclusively be attributed to (bad) RM. The non-Risk Objective-impacting part of the “Culture”, is real, substantial, and could be the instrumental part, in Success or Failure.
