When mid-level managers don’t support their organisation’s risk culture there’s danger ahead, as these examples from our casebook show.
Is Risk Culture Organisation-wide?
When we work with organisations to assess the strengths and weaknesses of their risk culture their employees often raise really sensitive issues, like fraud and other behaviours that increase risk.
This often comes as a surprise to senior executives who believe they’ve worked hard to introduce and socialise a set of values and that these guide behaviour throughout the organisation.
This view rests on the false belief that the senior team has succeeded in embedding a single cohesive culture organisation-wide.
The reality for most organisations is that there is a desired culture, not a universal culture and certainly in relation to risk there are sub-cultures.
Risk Management Sub-cultures
Here are some concrete examples from our files.
- The HR unit in this government organisation had spent 12 months developing and rolling out a fraud policy and training all staff in its meaning and consequences. They were convinced that their hard work had virtually eliminated the possibility of fraud as a risk.
However, staff in two units geographically distant from the central office reported to us clear cases of fraud that were ongoing, involving a local manager and some staff.
- In a private sector organisation that placed great emphasis on workplace safety, frontline staff had asked their immediate manager several times to eliminate seriously unsafe work practices.
No action had been taken, apparently because the cost of doing so would have broken through the manager’s KPI on financial management, which was linked to his bonus.
- In another organisation a comprehensive program had been implemented to eliminate bullying and the senior team considered this had been very successful.
Staff at a location away from the head office reported serious ongoing bullying by their manager and team leaders. This was not a case of underperforming staff using bullying allegations as a defence.
- On one campus of a major hospital medical practitioners reported that they were under constant pressure from local managers to follow practices that saved money but increased clinical risk. This was not the experience of colleagues in other units.
You could say the first example was a case of corruption and the second was one manager ignoring a serious problem but both ran counter to the risk culture that senior executives had hoped was embedded.
The last two examples both involved several leaders at the operational level and again ran counter to senior executives’ expectations.
When we help organisations improve their risk culture we certainly find cases where not all members of the senior executive team are committed to the importance of having a sound risk culture but in each of these four cases all of the senior team were strongly supportive of a sound risk culture.
Middle managers can block Risk Culture
So these were four cases where that dreadful cliché “tone at the top” was really good but where the development of a sound risk culture had been stymied by individual operational managers.
Two of these organisations had Whistleblower programs but these were not trusted by staff.
You might think that each of these cases should have been picked up earlier by senior managers, the risk management unit or internal audit and maybe that’s true.
However, the reality for staff in many organisations today is that they are concerned about job security so there is a significant personal risk in starting to report the faults or failings of your direct manager to more senior managers within the organisation.
Both organisational culture and risk culture at the operational level are driven by the values and practices of middle managers and team leaders.
Unless this is monitored regularly by senior executives a dangerous risk subculture can develop.
Involve Your Front Line
Your frontline staff are the people who can give you true insights into whether you genuinely have an organisation-wide risk culture instead of just a compliance culture or something worse.
You can tap this information-rich resource by providing all staff with an opportunity to raise any concerns about risks to the organisation, staff, customers or other stakeholders. You can manage this yourself by conducting interviews, focus groups or internal surveys.
However you’re more likely to be able to clearly identify your risk culture hotspots by using an external party to gather staff perceptions. For this to be successful staff have to believe they can trust the external party and that they have the opportunity to raise issues anonymously.
Please feel free to share this because sharing ideas helps all of us to improve performance. What are your views?
To download our free Risk Culture Health Check click here.
About the Authors
John Dawson & Carmel McDonald are the co-owners of Dawson McDonald Consulting. They’ve been running Risk Culture Assessments since 2008 to help clients understand the strengths and weaknesses of their culture in managing risk, and how to strengthen it to protect their organisation and build resilience. They can be reached at firstname.lastname@example.org
In 2015 they published a book BUILD Your Business. Risk Managers will also find this helpful in communicating their message effectively
To get your copy of this book, or to download a free sample chapter, click here