Tuesday 26 June 2012

When controls fail, will [risk] culture save your organisation?

Lee Glendon CBCI
The Institute of Risk Management is taking a brave step into an uncertain and very fuzzy area – understanding and influencing risk culture. A six-month project bringing together experts in organisational behaviour, culture and sociology presented a progress report last week to an audience of risk practitioners and stakeholders, including the BCI.

The rationale for the project, which intends to publish a paper this October, is quite simple:  a successful Enterprise Risk Management (ERM) programme requires at least an understanding of an organisation’s risk culture, and ideally the tools to influence it.
The authors recognise this paper is not likely to be the last word on risk culture.  But it’s a coherent and valuable body of work, which is very much focused on practical guidance and not just theory. 
The objective of the project is to provide practitioners with insight and tools to do one or more of the following:
1) Understand the existing risk culture and make risk management work as well as possible within this culture

2) Change the risk culture

3) Determine what kind of risk culture would make the organisation more successful

Culture is being defined as the values, beliefs, ethos, knowledge and understanding shared by a group of people with a common purpose.  Risk culture is seen as a subset of a “generic” culture.
The project is considering a number of diagnostic tools to help understand risk culture. One essential tool, appropriately named the ABC model, asserts that while [risk] culture is hard to change in itself, if you understand that behaviour drives [risk] culture and attitudes in turn drive behaviour, then you can start to understand, influence and control attitudes, with beneficial outcomes in [risk] culture.
One contributor made the contrast between the ethics of care and the ethics of obedience, which essentially showed that people care less at work than at home because of the need for obedience while at work.  To illustrate this point, an example was given of a large organisation that had 34,000 rules (imagine the poor folk who had the job of counting them!).
A rather liberating perspective was expressed when one person noted that risk management won’t avoid another banking system failure by creating more processes or building controls for the last crisis; instead, resilience would be achieved through an effective risk culture. When controls fail, you will be reliant on the risk culture of your organisation.
Naturally, as with modern risk thinking, there is an upside and downside perspective to risk culture.  Practitioners need to ask whether culture stops the organisation from doing things better.  For example, one test of culture is how long it takes to do something in an organisation compared with the need or requirement.  It was suggested that an understanding of the social activities (culture) is needed alongside a good technical competency in order for a project to be successful.
In summary, the work from the IRM is going to be a very useful input to our own work on organisational resilience and the role of culture in achieving it.  The paper from the IRM will be out for consultation between 20th July and 10th August – and BCI members are invited to respond (look out for notices in the BCI eBulletin).  The final paper is expected to be published in October 2012.
