In this series of five articles, we are exploring the importance of risk culture, distinguishing the risk culture from the organisational culture, looking at the drivers for good and bad cultures, discussing the measurement of culture, looking at the symptoms of a sickly risk culture and drawing some conclusions. Links to the other articles in the series can be found at the foot of this page.
In part three of this series I looked at some of the issues associated with measuring your culture. In this part I am exploring many of the typical symptoms that you might need to try and identify if you are to have a successful and vibrant risk culture.
There are many critical tumours that needs to be identified by any board:
- Type one: Significant deviations from the board espoused values. The values espoused by the board can diverge significantly from the values that are actually displayed by staff within the organisation. For example boards might well espouse values such as integrity, trustworthiness, customer focus, teamwork and so on. However, where selfishness, short-termism and individualism are the values displayed in day-to-day interactions, then there is likely to be an implosion of the organisation.
- Type two: Silo-based functioning. Where an organisation is facing complexity in its dealings internally or externally, typically they will succeed better where there is a multi-disciplinary response to the issues that are being faced now and into the future.
- Type three: Layered management reporting. Organisations that overly hierarchical can often suffer from buffers between layers that prevent important information reaching the most senior levels as the information is filtered lower down the organisation. While this might be fine for routine matters within any individual’s delegated authority, it does prevent new patterns or issues being spotted early enough for timely resolution.
- Type four: Excessive short-termism. Short-termists are likely to be more heavily influenced by the past than the future. They rarely see future discontinuities that need to be addressed early. Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
- Type five: Control (or risk control) management instead of risk management. organisations (including regulators) frequently mix up internal control with risk management, coming up with the phrase risk control. Exercising risk control is not the same as being proactive risk managers. Being risk controllers will give a false sense of security about an organisation’s ability to face the future.
- Type six: Individually obstructive nodes. Sometimes individual managers become critical to all risk reporting. This can be very dangerous as it puts all of the organisation’s risk communications into the hands of one or a few individuals, when it really needs to be vibrant across all managers, upwards and downwards.
- Type seven: Black holes. Sometimes it is difficult to discern any volume of conversations about risks or indeed the cultural norms of the organisation. Often this happens where there are serious problems within the organisation and a level of collusion that is unhealthy.
This is by no means a comprehensive list, but it illustrates the sort of problems that can be identified by carrying out an investigation of the cultural artefacts of the organisation, what we call Risk Conversations.
In part five of this series, I draw the discussion to a conclusion. If you would like to know more about these issues, continue reading here:
- Part 1: 300 years of failure
- Part 2: Long term versus short term
- Part 3: Measuring your culture
- Part 5: Conclusions
If you would like to discuss this further, please feel free to contact us here.