The purpose of this paper is to offer some observations on organisational culture, risk culture and conduct risk and to encourage reflection on the differences and similarities between these three aspects of culture in organisations.
This is not a piece of academic research but results from our practical experience at DMC in helping clients to improve their risk culture and from our broader work with clients as Certified Performance Technologists, which requires a deep involvement in organisational culture.
The Principals of Dawson McDonald Consulting (DMC), John Dawson and Carmel McDonald, both have social science backgrounds.
Both have also achieved Certification by the International Society for Performance Improvement (ISPI) as experts in that field so naturally they have a close interest in what influences behaviour in organisations and how that impacts on organisational performance.
DMC has been helping private and public sector organisations for more than a decade to strengthen their Risk Cultures.
WHAT IS CULTURE?
Anthropologists do not appear to agree on a common definition of culture as more than 150 definitions are available. These disparate definitions apply at the level of a society and help to generate many varied definitions of organisational culture.
Here are two definitions that we find helpful in thinking about organisational culture.
‘Culture is a fuzzy set of basic assumptions and values, orientations to life, beliefs, policies, procedures and behavioural conventions that are shared by a group of people, and that influence (but do not determine) each member’s behaviour and his/her interpretations of the ‘meaning’ of other people’s behaviour.’
Note this stresses that culture influences an individual’s behaviour but does not determine it.
VISION, VALUES AND SYSTEMS
Wikipedia offers this definition of organisational culture:
‘Organizational culture encompasses values and behaviors that contribute to the unique social and psychological environment of a business.
'The organizational culture influences the way people interact, the context within which knowledge is created, the resistance they will have towards certain changes, and ultimately the way they share (or the way they do not share) knowledge.
'Organizational culture represents the collective values, beliefs and principles of organizational members and is a product of factors such as history, product, market, technology, strategy, type of employees, management style, and national culture; culture includes the organization's vision, values, norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.'
Ravasi and Schultz (2006) characterise organisational culture as a set of shared assumptions that guide behaviors.
It is also the pattern of such collective behaviors and assumptions that are taught to new organizational members as a way of perceiving and, even thinking and feeling.
Thus, organisational culture affects the way people and groups interact with each other, with clients, and with stakeholders. In addition, organisational culture may affect how much employees identify with an organisation.
There is no doubt that risk culture, like sales culture or safety culture, is derived from the overall organisational culture.
However, we have seen many examples of organisations that have a positive culture overall and yet do not have a sound risk culture. This is especially true in organisations where the management of risk is seen by many staff as a compliance issue, not a means for guiding business decisions.
The CEO and the C suite team demonstrate what values are important in the organisation by the way they behave. These behaviours may not always match the Values listed on the organisation’s website.
What senior executives do, not what they say, will drive operating practices across the organisation and these will influence the way individuals behave in order to be accepted or fit in.
This determines how risk is actually treated, or ‘how things get done around here’.
BEHAVIOURS – SIGNPOSTS OF RISK CULTURE
Risk culture, like organisational culture, is not tangible - you can’t touch it or see it. You can observe the behaviours that flow from the culture.
Any effort to strengthen risk culture must begin by gathering evidence about current behaviours and attitudes towards managing risk at all levels of an organisation.
This can be done using some form of online survey like the Risk Culture Assessment we use at DMC to help our clients or it could be through other methods like interviews or focus groups.
Once you have this evidence you need to use it to decide what behaviours need to stop, start or continue.
We have written before about an outstanding case study in behavioural change and what can be achieved through a change in behaviours driven by the leadership team.
The factors we have identified through our research and field work with clients as essential to achieving a positive and effective risk culture are illustrated in our Risk Culture Model.
The evidence you gather about behaviours and attitudes to the management of risk must encompass people at all levels of your organisation.
There are sub-cultures within the overall organisational culture and the same is true of risk culture. Some of these risk sub-cultures can be dangerous.
Where staff at all levels are strongly positive about each of the steps in the Risk Culture Model the executive team will also show confidence that risks are being well managed.
RISK CULTURE & CONDUCT RISK
Are risk culture and conduct risk two different names for the same thing or is conduct risk only one aspect of risk culture?
This seems to be an unresolved question in the Australian context. It’s not unusual to see papers from consulting firms and others referring to risk culture and conduct risk as if these are two separate factors and then in the same papers find these terms used interchangeably.
THE REGULATORS’ VIEWS
However, two of Australia’s key regulators have made their positions clear.
The Australian Securities and Investments Commission (ASIC) is a conduct regulator and has defined conduct risk as:
‘The risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees’.2
The Australian Prudential Regulatory Authority (APRA) is also concerned about culture and risk. Former APRA Deputy Chair Ian Laughlin said that if culture is ‘the way we do things around here’, then risk culture is ‘the way we do risk around here’3
In an Information Paper4 on Risk Culture APRA defined risk culture thus:
RISK MANAGEMENT IMPACT
Risk culture can be thought of as the impact of organisational culture on risk management. A definition of organisational culture that is often cited is:
‘…a system of shared values (that define what is important) and norms that define appropriate attitudes and behaviours for organisational members (how to feel and behave)’.
Risk culture is the application of this concept to the way an organisation takes and manages risk.
Risk culture is therefore not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed. One of the more widely accepted definitions of risk culture is:
‘the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes’.
In the same paper APRA provided this Risk Governance Architecture model to illustrate their views on governance and oversight.
CONDUCT RISK AND RISK CULTURE
If people want to be accepted and ‘fit in’, they follow the norms of ‘how things get done around here’. This is driven by the overall organisational culture and, as the Wikipedia reference above states, this comprises '... the collective values, beliefs and principles of organizational members’
Factors that influence organisational culture include:
- history, product, market, technology, strategy,
- type of employees, management style, and national culture
- norms, systems, symbols, language, assumptions, environment, location, beliefs and habits.
These same factors that produce collective values, beliefs and principles also influence the type of risk culture an organisation develops.
That these factors include such things as history, strategy, symbols, assumptions and beliefs shows clearly that culture consists of much more than just behaviours.
Conduct risk is by definition only about behaviour — ‘inappropriate, unethical or unlawful behaviour’.
Conduct risk is not identical to risk culture although it is definitely influenced by the overall organisational culture and by the risk culture.
An important qualification is that while culture does influence behaviours it does not necessarily always determine the behaviour of each individual.
An organisation may have a positive risk culture and still be exposed to rogue behaviour by one or more individuals. However, there is no doubt that a positive risk culture will significantly reduce exposure to conduct risk.
THREE MEMBERS OF THE SAME FAMILY
In thinking about the relationship between organisational culture, risk culture and conduct risk it may be helpful to think of these as three members of the same family.
Organisational culture is the parent, risk culture is the older sibling and conduct risk the younger. Influence flows down the family tree but this does not always prevent the younger sibling acting in ways that disrupt the family.
Contact us if you’d like more information on our full Risk Culture Assessment .
Spencer-Oatey, Helen, 1952-, ed. (2008) Culturally speaking: culture, communication and politeness theory, second edition. London, U.K. / New York, NY, U.S.A.: Continuum International Publishing Group
APRA information Paper - Risk Culture October 2016
Information paper - Self-assessments of governance, accountability and culture 22 May 2019
ABOUT THE AUTHORS
John P Dawson and Carmel McDonald are the co-owners of Dawson McDonald Consulting. They’ve been running Risk Culture Assessments since 2008 to help clients protect their organisations and build resilience. They can be reached at [email protected]