Given that anthropologists can’t even agree on a common definition for culture — there are more than 150 different interpretations available — organisational culture can be similarly hard to pin down. But here are two definitions that we find helpful.
In Culturally Speaking Culture, 2nd edition Communication and Politeness Theory, the authors define it as:
‘Culture is a fuzzy set of basic assumptions and values, orientations to life, beliefs, policies, procedures and behavioural conventions that are shared by a group of people, and that influence (but do not determine) each member’s behaviour and his/her interpretations of the “meaning” of other people’s behaviour.’
And, from Wikipedia:
‘Organisational culture encompasses values and behaviours that contribute to the unique social and psychological environment of a business. The organisational culture influences the way people interact, the context within which knowledge is created, the resistance they will have towards certain changes, and ultimately the way they share (or the way they do not share) knowledge. Organisational culture represents the collective values, beliefs and principles of organisational members and is a product of factors such as history, product, market, technology, strategy, type of employees, management style, and national culture. Culture includes the organisation’s vision, values, norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.’
Some academics describe organisational culture as a set of shared assumptions that guide behaviours.
It is also the pattern of such collective behaviours and assumptions that are taught to new organisational members as a way of perceiving and even thinking and feeling.
Thus, organisational culture affects the way people and groups interact with each other, clients and stakeholders. It may also affect how much employees identify with an organisation.
RISK CULTUREThere’s no doubt that risk culture, like sales culture or safety culture, is derived from the overall organisational culture. However, we’ve seen many examples of organisations that have a positive culture overall and yet don’t have a sound risk culture. This is especially true in organisations where the management of risk is seen by many employees as a compliance issue, not a means for guiding business decisions. The CEO and the C-suite team demonstrate what values are important by the way they behave — and these behaviours may not always match the values listed on the organisation’s website. What senior executives do, not what they say, will drive operating practices across the organisation and influence the way individuals behave in order to be accepted or fit in. This determines how risk is actually treated or ‘how things get done around here’.
HOW TO MEASURE RISK CULTURERisk culture, like organisational culture, is not tangible. You can’t touch it or see it, but you can observe the behaviours that flow from the culture.
Any effort to strengthen risk culture must begin by gathering evidence about current behaviours and attitudes towards managing risk at all levels of an organisation. This can be done by using some form of online survey like the Risk Culture Assessment or by other methods such as interviews or focus groups.
Once you have this evidence, use it to decide what behaviours need to stop, start or continue.
Some of the factors we’ve identified through our research and field work with clients as essential to achieving a positive and effective risk culture are illustrated in our Risk Culture Model (below). Where staff at all levels are strongly positive about each of the steps in the Risk Culture Model, the executive team will also show confidence that risks are being well managed.
RISK CULTURE MODEL: WHAT DOES POSITIVE RISK CULTURE LOOK LIKE?
LEADSHIPExecutives are seen to live the values and lead risk management and risk culture by example, holding people accountable.
WORKPLACE BEHAVIOURSPoor behaviours (e.g bullying, personal agendas and conflicts of interest) that damage risk culture are not tolerated.
COMMUNCIATIONStaff feedback about risk management is welcomed, bad news is not suppressed and whistleblowers are protected.
SUPPORTLeaders actively provide resources, training and support needed for positive Risk Culture to flourish.
ENGAGEMENTManaging risk is seen as a personal responsibility, integral to decision-making and part of performance evaluation.
RISK PRIORITYManaging risks is widely perceived as a priority for successful operation.
Enterprise-wide risk focus
THE RISK SIBLINGS: ALIKE BUT DIFFERENTAre risk culture and conduct risk two different names for the same thing or is conduct risk only one aspect of risk culture?
This seems to be an unresolved question in Australia. It’s not unusual to see risk culture and conduct risk referred to as two separate factors and then find these terms also used interchangeably.
However, two of Australia’s key regulators have made their positions clear. The Australian Securities and Investments Commission has defined conduct risk as ‘The risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’.
And the Australian Prudential Regulation Authority (APRA) has noted in an information paper that risk culture can be thought of 2s the impact of organisational culture on risk management. It adds that organisational culture is often defined as: ‘… a system of shared values (that define what is important) and norms that define appropriate attitudes and behaviours for organisational members (how to feel and behave)’.
Former APRA deputy chair Ian Laughlin said if culture is ‘the way we do things around here’ then risk culture is ‘the way we do risk around here’.
Risk culture is the application of this concept to the way an organisation takes and manages risk. Risk culture is therefore not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.
One of the more widely accepted definitions of risk culture is: ‘
The norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes’.
CONDUCT RISKIf people want to be accepted and ‘fit in’, they follow the norms of ‘how things get done around here’. This is driven by the overall organisational culture and, as Wikipedia states, this comprises ‘... the collective values, beliefs and principles of organisational members’.
Factors that influence organisational culture include:
history, product, market, technology and strategy
type of employees, management style and national culture
norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.
These factors produce collective values, beliefs and principles and influence the type of risk culture organisations develop.
That they include things like history, strategy, symbols, assumptions and beliefs shows that culture consists of much more than just behaviours.
Conduct risk is by definition only about behaviour: inappropriate, unethical or unlawful behaviour. It is not identical to risk culture, although it is influenced by the overall organisational culture and risk culture.
An important qualification is that while culture does influence behaviours, it doesn’t necessarily always determine the behaviour of each individual.
An organisation may have a positive risk culture and still be exposed to rogue behaviour by one or more individuals. However, there’s no doubt that a positive risk culture will significantly reduce exposure to conduct risk.
As we have demonstrated, when it comes to organisational culture, risk culture and conduct risk, influence flows down the family tree — but this doesn’t always prevent the younger sibling from acting in ways that disrupt the family.