Since 2008 Dawson and McDonald Consulting has been helping organisations to strengthen their risk culture.
Mostly, this starts with inviting every staff member or employee to complete our online Risk Culture Assessment, an in-depth exploration of attitudes to the management of risk.
One section of the assessment asks respondents to choose one of four options that they think best describes how risk management is perceived in their organisation.
Two options describe risk management in positive terms. The other two say 'in this organisation risk management is largely seen as:
- another task that distracts attention from the real work
- a ‘tick the box’ exercise completed at regular intervals for audit/compliance purposes.'
AN UNHELPFUL APPROACH
Consistently, across time and regardless of the type of business, between 25 and 33 per cent of people say that in their organisation, risk management is either a distraction from the real work or a ‘tick the box’ exercise.
In individual business units in some organisations, we’ve seen this rise to higher levels — in one case to over 70 per cent.
Even at 33 per cent, that means one in every three staff see risk management as a waste of time and effort that delivers no real value.
Building a strong risk culture is the best way to change these attitudes.
There has been much more attention on Risk Culture in the last year or so.
But looking at the Risk Culture Chain, it’s clear that in many organisations, more attention is still being paid to the left-hand side, dealing with policy, procedures and systems, and not enough to the right-hand side where leaders at all levels must be seen to live the organisation’s values.
This is what drives operational practices and these determine how individuals behave. It’s these learned behaviours, far more than policies, procedures and systems, that drive how risk is or is not managed.
WEAKNESS EXPOSED AT A GRANULAR LEVEL
When we run a risk culture assessment we often find that the aggregate data at organisational level suggests that risk culture, in most aspects, is reasonable or maybe even strong.
But when we analyse data at a more granular level, it’s very typical to find a number of business units or departments, locations or role types where risk culture is weak.
If you want to execute corporate strategy successfully, then you need to make sure that your risk culture at all levels is fully aligned with your risk management strategy
TO CHANGE RISK CULTURE, CHANGE BEHAVIOURS
Talking about the need to change culture is a tough conversation. You can’t see or touch culture so it’s hard to know where or how to start a change process.
The most practical place to start is by identifying behaviours that will support the risk culture that you want to develop and any that might damage it.
For more ideas about the impact of behaviour change, check out this really interesting case study from 2016, which is still used in international business schools.
ACT ON EVIDENCE
Frontline staff are often much more aware of operational risks than more senior executives or managers.
So if you’re planning action to strengthen your risk culture, then it’s really important to invite all members of staff to complete some form of assessment, so that you can base your actions on evidence, not assumptions.
The questions in our own assessment are in plain English, not about technical aspects of risk management — these are easy for staff to understand and score.
This Risk Culture model summarises what our experience shows to be the most important aspects of risk culture. We use several questions in each section to probe attitudes in depth.
STRENGTHENING RISK CULTURE
Once you’ve completed an assessment of your current risk culture, here are some of the ways you can use the evidence from the data
Act promptly to change behaviours/attitudes where scores are low (hotspots), indicating high probability of poor risk treatment.
Study behaviours in locations and business units with strong scores and develop models to be applied organisation-wide
Identify which business units/departments, locations or role types do not consider positive opportunities in risk and provide coaching
Plan effective communication, training and controls.
Introduce appropriate KPIs/KRIs — 'What gets measured gets done'
Investigate and take remedial action on strategic and operational risks disclosed by the data and free text
Develop a comprehensive, evidence-based plan of action to strengthen risk culture.
Acting on the evidence provided by the Risk Culture Assessment results in a stronger risk culture which is more closely aligned with your risk management strategy.
This strengthens risk maturity and resilience and underpins the execution of organisational strategy.
ABOUT THE AUTHORS
John P Dawson is an Honorary Life Fellow of ANZIIF.
He and Carmel McDonald are the co-owners of Dawson McDonald Consulting.
They’ve been running risk culture assessments since 2008 to help clients protect their organisations and build resilience.