Organisational Culture as an Enabler of Risk Management

In today's rapidly evolving and volatile world, effective risk management has become a critical component of organisational and societal success. Organisational culture, a factor that is often overlooked, holds immense power in shaping the way risks are identified, assessed, and mitigated. This article delves into the intricate relationship between risk management and culture, exploring both the positive and negative ways in which organisational culture impacts risk management practices. We will also discuss the challenges faced by organisations trying to develop a risk-aware culture and provide insights into what can be done to overcome these challenges.

As we explore the nuances of risk culture throughout this article, consider the following: If the influence of culture on risk management is so important, why do we continue to witness organisations plagued by toxic cultures that lead to catastrophic risk management failures? What steps can we take to develop an effective risk-aware culture? How can a risk-aware culture drive long-term success and resilience?

What does it mean to have an 'effective' culture of risk management?

An effective culture of risk management refers to the shared values, beliefs, and behaviours within an organisation that collectively contribute to the identification, assessment, and mitigation of risks. This culture permeates all levels of the organisation, from leadership to operational staff, and plays a crucial role in shaping the organisation's approach to risk management. A risk-aware culture not only helps organisations navigate uncertainties, but also fosters resilience and adaptability in the face of ever-changing business landscapes.

Why is organisational risk culture critical?

Establishing a risk-aware culture is a balance between art and science, in which there is no 'one-size-fits-all' solution. The nature of organisational culture can yield both positive and negative outcomes on risk management.

Positive outcomes: A strong risk-aware culture can lead to better risk identification, mitigation, and overall resilience. When risk management is ingrained in the organisation's culture, employees at all levels are more likely to proactively identify and report potential risks. This enables the organisation to address risks before they escalate, reducing the likelihood of negative consequences.

For example, the energy company Royal Dutch Shell has long been recognised for its strong risk management culture. Shell's scenario planning approach, which involves developing multiple plausible future scenarios and assessing their potential impact on the business, has allowed the company to anticipate and adapt to various risks, including geopolitical shifts and fluctuations in oil prices. This proactive approach to risk management has contributed to Shell's long-term success and resilience in a volatile industry.

Negative outcomes: Conversely, a weak or misaligned culture can hinder risk management efforts and expose the organisation to greater risks. When risk management is not prioritised or integrated into the organisation's culture, employees may be less likely to identify and report risks, leading to a lack of awareness, preparedness and poor decision-making.

A recent notable example of weak risk management is the Boeing 737 MAX crisis. In 2019, two fatal crashes involving the Boeing 737 MAX aircraft occurred within a span of five months, resulting in the deaths of 346 people. Investigations into the incidents revealed that a combination of design flaws, inadequate pilot training, and insufficient regulatory oversight contributed to the tragedies.

Boeing's risk management failures included prioritising cost and time savings over safety, as well as a lack of transparency and communication with regulators and airlines. The company's decision to downplay the significance of the new Maneuvering Characteristics Augmentation System (MCAS) and not provide adequate training for pilots on the system was a critical factor in the incidents. Additionally, Boeing's relationship with the Federal Aviation Administration (FAA) raised concerns about the effectiveness of regulatory oversight and the potential for conflicts of interest.

The consequences of these risk management failures were extreme, including severe loss of life, the grounding of the entire 737 MAX fleet worldwide, significant financial losses for Boeing, damage to the company's reputation, and a loss of trust from customers, airlines, and regulators. This example highlights the importance of robust risk management practices and the potential consequences of weak risk management. Although Boeing claimed that safety was at the heart of their organisation, it is evident that such general statements (see below) do not conceal underlying shortcomings in risk management culture.

"Safety is at the core of who we are at Boeing, and ensuring safe and reliable travel on our airplanes is an enduring value and our absolute commitment to everyone." David Calhoun, Boeing CEO

In conclusion, the impact of organisational culture on risk management cannot be overstated.

A dual-approach to effective risk culture

An effective risk culture is not the responsibility of a single team or stakeholder. Developing, and more importantly, maintaining an effective culture requires a collaborative approach.

Top-down (Leadership) Focus: An effective culture of risk management requires a strong top-down approach, where leadership plays a crucial role in setting the tone and driving the risk management agenda. Leaders must demonstrate their commitment to risk management by actively engaging in risk discussions, setting clear expectations, and holding themselves and their teams accountable for risk-related decisions. By role modelling risk-aware behaviours and fostering a culture of transparency and open communication, leaders can create an environment where risk management is seen as a shared responsibility and an integral part of the organisation's strategic decision-making process.

Bottom-up (Operational) Focus: In addition to the top-down approach, an effective risk culture also needs a bottom-up focus. This is where operational-level employees are empowered to identify, assess, and manage risks within their respective areas of responsibility, in a timely and comprehensive manner. This involves providing employees with the necessary tools, training, and resources to understand and manage risks effectively. By fostering a sense of ownership and accountability for risk management at the operational level, organisations will be better equipped to navigate the complexities of today's business environment.

When adopting a dual-approach to risk culture, focusing on the following enablers is critical:

Navigating the obstacles: Challenges in cultivating a risk-aware culture

The complexity of modern business environments, coupled with the pressure to deliver short-term results, often leads to a focus on immediate gains rather than long-term sustainability and resilience. Whilst there are heterogenous factors that dictate the ability to cultivate a risk-aware culture at an organisational and industry level, there are several common inhibitors to the development of culture more broadly. These factors are outlined below:

• Resistance to change: Organisations often struggle to adapt to new ways of thinking and operating, particularly when it comes to risk management. This resistance can stem from a fear of the unknown, a reluctance to invest in new processes and systems, and/or a belief that existing practices are sufficient.
• Lack of leadership commitment: Without clear direction and support from senior leaders, risk management initiatives may be seen as a low priority or even a hindrance to achieving business objectives. A lack of commitment can result in insufficient resources being allocated to risk management efforts and a failure to embed risk awareness throughout the organisation.
• Inadequate communication: Organisations must ensure that risk information is shared openly and transparently, both internally and with external stakeholders. Poor communication can lead to misunderstandings, missed opportunities, and a lack of trust in the organisation's risk management processes.
• Short-term focus: In a world where businesses are under constant pressure to deliver results, it can be challenging to prioritise long-term risk management over short-term gains. This short-term focus can lead to a culture where risks are downplayed or ignored in favour of immediate rewards.
• Insufficient training and education: Building a risk-aware culture requires ongoing education and training for employees at all levels. Without a solid understanding of risk management principles and practices, employees may struggle to identify, assess, and mitigate risks effectively.
• Inadequate risk management processes and tools: Outdated or ineffective systems can hinder risk identification, assessment, and mitigation efforts, leading to a false sense of security and increased vulnerability.
• Lack of accountability and ownership: When responsibility for risk is not clearly defined, it can be easy for individuals and teams to overlook or downplay risks, leading to a culture of complacency.

By addressing inhibitors, organisations can build a risk-aware culture, fostering an environment where effective risk management leads to long-term success and resilience. The following section discusses essential elements to overcome these challenges.

"The culture of any organization is shaped by the worst behavior the leader is willing to tolerate." Gruenter and Whitaker, authors of "School Culture Rewired"

Blueprint for success: Strategies to foster a risk-aware culture

Creating a risk-aware culture requires a strategic approach where risk management is valued and integrated into daily operations. Whilst there is no 'silver bullet' to create an effective risk culture, there are common elements of best-practice, which are outlined below:

Leadership commitment and role modelling

When leaders demonstrate their commitment to risk management, it sets the tone for the entire organisation. Examples of how leaders can show their commitment include:

• Regularly discussing risk management in meetings and communications
• Allocating resources to risk management initiatives
• Encouraging employees to report risks and potential issues
• Recognising and rewarding employees who contribute to risk management efforts

Open communication and transparency

By promoting open dialogue and information sharing, organisations can ensure that risks are identified, assessed, and addressed effectively. Suggestions for promoting open communication include:

• Establishing channels for employees to report risks and concerns anonymously
• Sharing risk management updates and progress with all stakeholders
• Encouraging cross-functional collaboration to identify and address risks
• Providing regular training and updates on risk management policies and procedures

Employee engagement and empowerment

When employees are involved in risk management activities and decision-making, they are more likely to take ownership of risk management efforts. Strategies for involving employees include:

• Offering training and development opportunities related to risk management
• Encouraging employees to participate in risk assessments and mitigation planning
• Establishing risk management committees or working groups with representatives from all levels of the organisation
• Recognising and rewarding employees who proactively identify and address risks

Integration of risk into decision-making

By considering risk factors in every decision, organisations can make more informed choices, better anticipate potential challenges, and ensure the long-term success of their risk management efforts. Key aspects of integrating risk into decision-making include:

• Aligning risk management and resilient strategy with organisational strategic objectives
• Embedding risk management in key business processes such as financial planning and investment decisions
• Monitoring and reporting on risk performance through the development of leading and lagging metrics

Continuous learning and adaptability

By promoting a learning culture and encouraging adaptability, organisations can stay ahead of emerging risks and respond to changes in the business environment. Ways to promote a learning culture and encourage adaptability include:

• Conducting regular reviews of risk management processes and outcomes
• Encouraging employees to share lessons learned from risk management experiences
• Providing access to resources and tools for employees to stay informed about risk management trends and best practices
• Fostering a culture of innovation and continuous improvement

While each of these factors individually contribute to building a risk-aware culture, it is only when they are implemented as a cohesive system, tailored to the specific needs of the organisation, that the journey towards a truly risk-aware culture can be accelerated and sustained.

The tough questions: What organisations and leaders need to ask themselves

Organisations and leaders must boldly confront these critical questions, recognising that meaningful change demands a willingness to challenge and reassess existing risk management approaches. In doing so, the questions below can act as a starting point:

1. Are we fostering a culture of open communication and transparency, where employees feel comfortable discussing risks and potential issues without fear of retribution?
2. Do we prioritise safety, quality, and long-term success over short-term gains and cost-cutting measures?
3. Are our leaders and managers actively promoting a risk-aware culture and leading by example in their decision-making processes?
4. Do we have a robust system in place for monitoring and reporting risks, both internally and externally, to ensure all stakeholders are informed and can take appropriate action?
5. Are we effectively integrating risk management into our strategic planning and decision-making processes, considering both potential threats and opportunities?
6. Do we have a clear process for learning from past mistakes and incidents, and are we using these lessons to continuously improve our risk management practices?
7. Are we adequately considering the potential impact of our decisions on all stakeholders, including employees, customers, suppliers, regulators, and the wider community?
8. Are we prepared to make difficult decisions and take appropriate action when faced with significant risks, even if it means sacrificing short-term profitability or growth?

Summary

In conclusion, developing a risk-aware culture is an essential undertaking for organisations seeking to navigate the complexities of today's ever-changing business landscape. By championing risk management through leadership actions, cultivating open communication, empowering employees, integrating risk into decision-making, and nurturing continuous learning and adaptability, organisations can build a strong foundation for a risk-aware culture. While the journey may be challenging, the value it provides in terms of enhancing resilience and supporting long-term success cannot be overstated. I encourage organisations to embrace this call to action and unlock their full potential in managing risks and seizing opportunities.