Drivers of positive ‘risk culture’

People conclude what is expected of them based on cues received from the forces they face daily. These forces drive what they believe and how they behave, in either constructive or defensive ways. These behaviours can either enable or inhibit effective risk management.

These forces also influence how people:

  1. View, identify, manage, and report risks.
  2. Use risk management processes to create value, make decisions, and set and achieve objectives.
  3. Improve organisational performance.

The attitude towards risks and risk management varies from person to person, from unit to unit, and from stakeholder to stakeholder. It can also be influenced by social context and surrounding culture.

How individuals perceive risks forms a significant part of the ‘risk culture’ outcome. The attitudes of individuals may have a notable impact on the attitude of the whole organisation.

Some people are more loss averse than others, have different attitudes towards different types of risks, or perceive many aspects of risks (e.g., whether the risk is known or unknown) in different ways. Experts may perceive certain risks in a completely different way than non-experts.

What drives behaviours and decision-making?

Based on an analysis of 25 perspectives, theories, and models that focus on decision-making and behaviour, the Behavioural Drivers Model seeks to answer the question, “Why do people do what they do?” (Petit, 2019)

The conceptual model consists of a total of more than 130 possible drivers of behaviour, grouped into the following three categories:

  1. Psychology – Gathering individual cognitive and emotional drivers such as cognitive biases, interest, attitude, self-efficacy, intent, limited rationality, and personal characteristics.
  2. Sociology – Determinants related to interactions within organisations, groups, and society at large such as social influence, meta-norms, and context.
  3. Environment – Structural elements such as public sector institutions, government policies, infrastructures, and information.

Risk management can specifically be perceived in two ways under the sociology category:

  1. Perceptions of organisational practices (i.e., how we do things around here) that impact risk management.
  2. Perceptions of risk management (i.e., how risk management is practised around here).

How we do things around here

Perceptions of organisational practices, or how we do things around here, can have either a positive or a negative impact on how risk management is practised and how risk is viewed in organisations.

Organisational practices that support a positive ‘risk culture’ and risk management maturity:

  • Strategy and objectives – The extent to which the organisation can clearly articulate and implement its strategy and related objectives across all organisational layers, right down to each individual, to satisfy customers’ requirements and be successful. Every individual, team, and workgroup must be clear as to what success looks like and how success will be measured and rewarded. The appropriate organisational structures and design – vertically and horizontally – set the right foundation for strategy execution and achievement of objectives.
  • Structures – The extent to which the organisation is arranged, controlled, and operated with the appropriate structures, mechanisms, and arrangements by which:
    • Strategies and plans are formed and executed.
    • Communication and decision-making processes are implemented.
    • Accountable individuals, teams, and workgroups are empowered and involved to make decisions, perform at their best, and be held to account with the available resources and support.
  • Performance management – The extent to which the organisation monitors and reinforces individual performance.
  • Individual goal setting – The extent to which individual, team, and workgroup goals are designed to be positive, empowering, and motivating to achieve organisational goals and objectives.
  • Individual job design – The extent to which job design can transform inputs into outputs.
  • Communications – The extent to which people communicate and interact with each other. There are open and planned channels of communication outlining the ‘what’, ‘why’, and ‘how’ in all directions. Informal lines of communication are vital in underpinning the more formal organisational structures that support risk management.
  • Leadership – The extent to which organisational leaders and managers demonstrate positive leadership and management behaviours and become aware of their behaviours.

How risk management is practised around here

Attitudes, perceptions, and feelings that arise from organisational culture can influence how risk is viewed and how risk management is practised in organisations (Paalanen, 2013; Park, 2019):

  • Formality – This relates to how the business is managed; how flexible or rigid organisational processes are; what the attitude is toward adhering to or bending rules, policies, and regulations; and how much intuition or judgement can be used. The two extreme ends of the formality spectrum:
    1. Formal – Formal rules, procedures and processes are used extensively in daily operations and the running of the business; risk management relies heavily on compliance with rules and procedures; processes are followed in the same way in all situations; there are many formal controls, checks and decision making; focus on risk management for compliance. Legislation, regulatory requirements, corporate codes, and professional codes of conduct have a direct effect on attitudes and practices about risk management.
    2. Informal – People rely on intuition and judgment in daily operations; risk management is intuition-based where there is accountability, agility, and freedom to decide; processes are flexible and situations are assessed case-by-case to create or protect value; there are only a few or minimal formal controls, checks and processes; focus on risk management for decision-making. Discussions about risk are more likely to focus on the exploitation of upside opportunities and connect strategy and risk in an implicit and unstructured way, potentially leading to inconsistent risk management decisions.

A range of formal and informal risk management mechanisms for organising risk management activities is listed below. (ACCA, 2019)

Formal risk management mechanisms:

  • Risk management policy and framework.
  • Risk appetite statement and exposure limits.
  • Risk assessment templates and checklists.
  • Risk registers and documented risk profiles.
  • Ownership and accountability – i.e., risk and control owners documented in risk registers.
  • Risk team and specialists (first and second line).
  • Formalised risk networks, communities of practice, and champions.
  • Horizon scanning and emerging risk updates.
  • Process mapping and failure point analysis.
  • Control effectiveness testing.
  • Loss and near-miss data collection.
  • Customer complaints and feedback.
  • Risk reports (risk matrices, risk maps, and risk and control indicator reports) and risk reporting processes.
  • Systems for collecting, analysing, and reporting risk information.
  • Internal audit reports and action plans.
  • Risk management training, workshops, and forums.
  • Formalised meetings and committees on risk management.
  • Business plan that incorporates risks.
  • Intranet and email communication about risk management.
  • Formalised three-line model.
  • Performance management framework that focuses on risk management.
  • Operational processes incorporating risk management components.

Informal risk management mechanisms:

  • ‘Tone from the top’ and the beliefs and actions of executives and senior management.
  • Role modelling of behaviours by leaders.
  • Ad-hoc phone calls; face-to-face and ‘water cooler’ conversations; and gatherings and interactions that cut across hierarchical layers, which are unplanned and spontaneous.
  • Walking the floor.
  • Ideas or knowledge sharing to identify common concerns and good practice.
  • Mentoring, especially second-line risk function mentoring first-line risk specialists.
  • Explaining and selling the benefits of formal mechanisms like risk registers.
  • Other activities that influence attitudes, perceptions, and behaviours.
  • Networking and interaction with relevant risk management stakeholders.
  • Learning from risk management role models.
  • Informal risk champions who are passionate about risk and organisational success.
  • Informal discussions and conversations about risk and performance, especially outside of formal meetings, including ‘risk talk’.
  • Sharing stories and personal experiences about risk management and performance successes and failures.

Despite the importance of having both formal and informal mechanisms, organisations often favour and focus on establishing formal mechanisms while underestimating the value of informal mechanisms. There is a tension between formal and informal risk management, and the two do not co-exist easily in practice.

  • Decision-making – This relates to how much effort is spent to prepare for decisions, how fast decisions are made, how detailed decisions are, and when decisions are made. The two extreme ends of the decision-making spectrum:
    1. Deliberate – Gather as much information as possible for extensive analysis and decision-making; decisions are pushed up the hierarchy or made when planned.
    2. Dynamic – Decisions are made fast, even when there are large uncertainties; decisions are based on intuition or rules of thumb.
  • Risk acceptance – This relates to how risk is understood: whether a risk is seen as an acceptable or unacceptable part of life, and whether it is seen as a threat or as variance. Every individual comes to an organisation with their own perception of risk. The two extreme ends of the risk acceptance spectrum:
    1. Avoiding risk – Risk is something ‘bad’ that should be avoided; risk is seen as a threat; risk is quantified as actual values.
    2. Accepting risk – Risk is something that must be accepted as part of daily life; risk is seen as a deviation or variation; risk is qualified as an order of magnitude.
  • Focus – This relates to the primary focus of management and operations concerning risk and risk management. The two extreme ends of the focus spectrum:
    1. Technical – The focus is on technical factors and numeric parameters such as profit or production; risk management focuses on technical risks.
    2. Behavioural – The focus is on soft parameters and behavioural factors such as motivation, competence, or reputation; risk management focuses on human factors (e.g., safety, reputation, competence).

Both formal and informal risk management are required

A risk register provides a formal risk management mechanism for reporting on the organisation’s risk profile. But the register may produce inaccurate or incomplete information if organisational members do not fully understand how to use it, or if they perceive it as bureaucratic or purely for compliance purposes.

This is where informal mechanisms such as social networks and risk conversations come into play to complement formal mechanisms.

While formal risk management mechanisms can be used to provide a visible and stable structure and defined methodologies and governance, it is the informal risk management mechanisms that support the execution of these formal mechanisms and help to fill in any gaps, especially knowledge and application gaps.

People may even say that the important stuff is not the bit of paper with all the output on it. It is the conversations, understanding, buy-in, and commitment needed to fill in that bit of paper that matter most!

References

The Association of Chartered Certified Accountants (ACCA) (2019) ‘Risk and performance: Embedding risk management’. Available at: https://www.accaglobal.com/content/dam/ACCA_Global/professional-insights/embedding-risk/pi-embedding-risk-management.pdf

Paalanen, A. (2013) ‘Risk Culture – a descriptive model’, Master’s Thesis, Aalto University – School of Business.

Petit, V. (2019) ‘The Behavioural Drivers Model: A Conceptual Framework for Social and Behaviour Change Programming’, UNICEF. Available at: https://www.unicef.org/mena/reports/behavioural-drivers-model