Since 2008 we have been helping organisations to strengthen their Risk Culture. Mostly this starts with inviting every staff member/employee to complete our online Risk Culture Assessment. This is an in depth exploration of attitudes to the management of risk.
One section of the assessment asks respondents to choose one of four options that they think best describes how risk management is perceived in their organisation. Two options describe risk management in positive terms. The other two say “in this organisation risk management is largely seen as –
- another task that distracts attention from the real work
- a ‘tick the box’ exercise completed at regular intervals for audit/compliance purposes”
Consistently, regardless of the type of business, 25 – 33% of people say that in their organisation risk management is a distraction from the real work or a ‘tick the box’ exercise. In individual business units in some organisations we’ve seen this rise to higher levels – in one case to over 70%.
Even at 33% that means 1 in every 3 staff see risk management as a waste of time and effort that delivers no real value.
Building a strong Risk Culture is the best way to change these attitudes.
There has been much more attention on Risk Culture in the last year or so. But looking at the Risk Culture Chain, it’s clear that in many organisations more attention is still being paid to the left-hand side, dealing with policy, procedures and systems, and not enough to the right-hand side where leaders at all levels must be seen to live the organisation’s values. This is what drives operational practices and these determine how individuals behave.
It’s these learned behaviours, far more than policies, procedures and systems that drive how risk is or is not managed.
When we run a Risk Culture Assessment we often find that the aggregate data at organisational level suggests that Risk Culture, in most aspects, is reasonable or maybe even strong. But when we analyse data at a more granular level it’s very typical to find a number of business units/departments, locations or role types where risk culture is weak.
If you want to execute corporate strategy successfully then you need to make sure that your Risk Culture at all levels is fully aligned with your risk management strategy
To Change Risk Culture Change Behaviours
Talking about the need to change culture is a tough conversation. You can’t see or touch culture so it’s hard to know where or how to start a change process.
The most practical place to start is by identifying behaviours that will support the Risk Culture you want to develop and any that might damage it. For more ideas about the impact of behaviour change check out this really interesting case study, which is used in international business schools.
Act on Evidence.
Frontline staff are often much more aware of operational risks than more senior executives or managers.
So if you’re planning action to strengthen your Risk Culture then it’s really important to invite all members of staff to complete some form of assessment, so that you can base your actions on evidence, not assumptions.
The questions in our own assessment are in plain English, not about technical aspects of risk management – these are easy for staff to understand and score. This Risk Culture Model summarises what our experience shows to be the most important aspects of Risk Culture. We use several questions in each section to probe attitudes in depth.
Strengthening Risk Culture
Once you’ve completed an assessment of your current Risk Culture here are some of the ways you can use the evidence from the data –
- Act promptly to change behaviours/attitudes where scores are low (hotspots), indicating high probability of poor risk treatment.
- Study behaviours in locations and business units with strong scores and develop models to be applied organisation wide.
- Identify which business units/departments, locations or role types do not consider positive opportunities in risk and provide coaching
- Plan effective communication, training and controls.
- “What gets measured gets done” – introduce appropriate KPIs/KRIs
- Investigate and take remedial action on strategic and operational risks disclosed by the data and free text.
- Develop a comprehensive, evidence-based plan of action to strengthen Risk Culture.
If you choose to use our Risk Culture Assessment then you also get to benchmark the maturity of your organisational Risk Culture against other organisations.
Acting on the evidence provided by the Risk Culture Assessment results in a stronger Risk Culture which is more closely aligned with your Risk Management Strategy. This strengthens Risk Maturity and Resilience and underpins the execution of organisational strategy.
Take our short FREE test to see how your organisation scores on Risk Culture, click here.
If you’d like more information on our full Risk Culture Assessment – Contact us
About the Authors
John P Dawson & Carmel McDonald are the co-owners of Dawson McDonald Consulting. They’ve been running Risk Culture Assessments since 2008 to help clients protect their organisations and build resilience. They can be reached at email@example.com
Check out their book with their insights into how to achieve high performance –
BUILD Your Business. Risk Managers will also find this helpful in communicating their message effectively