Positive risk culture
18 March 2025
Joe Roberts outlines what constitutes a positive organisational risk culture and asks how it can be nurtured and embedded
It has been said that ‘culture eats strategy for breakfast’. It could also be added that it eats policies for lunch and systems for dinner!
Our experience has taught us that any governance process is only ever as good as the culture in which it operates, and this certainly applies to risk management.
So, what does a positive culture look like in terms of risk management? We would say it’s characterised by a healthy, balanced and realistic approach to risk.
Organisations with a positive culture are willing to take informed risks in pursuit of growth and opportunity, providing those risks are clearly understood, and they have robust, proportionate control measures in place to reduce the likelihood of them materialising and mitigate their impact if they do.
They have a shared understanding of their risk appetite – their preferred balance between threat and opportunity – and are risk-aware rather than risk-averse.
They embrace change, recognising that the risks associated with maintaining the status quo are sometimes greater than the risks that will arise from doing things differently. When things have not worked out, they are honest with themselves and with their stakeholders about what has happened and what they could do better. They learn from the experience and make changes.
Ingredients of positive risk culture
So how can this culture be nurtured and embedded? It helps to think in terms of the ingredients of a positive risk culture.
The first of these is communication.
The global risk management standard ISO 31000 defines risk as ‘the impact of uncertainty on objectives’. This means that everyone in an organisation needs to know what the objectives are and how they can contribute towards achieving them. If there are muddled messages from the top and constantly changing priorities, employees will be confused about what success looks like and will not be able to identify the risks to success, much less mitigate them.
Leaders also need to be open with their teams about the challenges their organisation is facing – and that means both internal challenges, such as budget shortfalls or staffing gaps, and external challenges, such as the state of the economy or the tactics of competitors.
Communication needs to be two-directional – bottom-up as well as top-down. Employees need to be able to share their concerns, report adverse incidents and make suggestions for improvements without fear, and with the confidence that they will be listened to. Different views and perspectives should be actively encouraged. That one team member who doesn’t seem to be on the same page as everyone else may just have spotted a deadly risk that no-one else has. By contrast, the rest of the team may be in the grip of groupthink, wrongly assuming that because something has always worked in the past, it will work in the future too.
The second ingredient is the incentive structure in the organisation, which needs to align with its stated approach to managing risk.
Even if the board wants to encourage innovation, if there are few rewards for success but harsh penalties for failure, managers are unlikely to take risks in pursuit of innovation. Conversely, if a business is operating in a safety-critical industry and thus has a lower appetite for risk, it would be very unwise to tie bonus payments solely to cost-cutting and profitability!
The third element is information.
Organisations need management information that is timely, accurate, comprehensive and relevant. This will allow them to spot where risks are materialising and where the level of risk has increased or decreased. That information needs to be acted upon, usually by allocating resources and closer managerial attention to those areas of greatest risk.
The fourth and final ingredient is robust processes for risk management.
As we said at the start of this piece, processes alone are not enough. Nevertheless, they are essential. They also need to be applied consistently and not sit on a shelf gathering dust (or, in a modern context, hidden away in a SharePoint folder that nobody opens). Larger organisations, especially in the public sector, usually have an internal audit function which can provide assurance that the processes are working. Finally, it should be emphasised that ‘robust’ definitely does not mean complicated or bureaucratic. Risk management processes need to be straightforward and intuitive; over-engineered processes with lots of form-filling just create incentives for workarounds and non-compliance.
Bringing all these ingredients together is the job of leadership. The tone from the top is crucial – organisational leaders need to make clear that risk management matters and is everyone’s business. Anyone who is managing a service is responsible for managing the risks associated with that service. Risk management is not an administrative process, arguments about the RAG-rating on a report, or the job of some other department somewhere else. It is a fundamental part of management itself.