Lee Glendon CBCI
The rationale for the project, which intends to publish a
paper this October, is quite simple: a
successful Enterprise Risk Management (ERM) programme requires at least an
understanding of an organisation’s risk culture, and ideally the tools to
influence it.
The authors recognise this paper is not likely to be the
last word on risk culture. But it’s a
coherent and valuable body of work, which is very much focused on practical
guidance and not just theory.
The objective of the project is to provide practitioners
with insight and tools to do one or more of the following:
1) Understand the existing risk culture and make risk management work as well as possible within this culture
2) Change the risk culture
3) Determine what kind of risk culture would make the organisation more successful
Culture is being defined as the values, beliefs, ethos,
knowledge and understanding shared by a group of people with a common
purpose. Risk culture is seen as a
subset of a “generic” culture.
The project is considering a number of diagnostic tools to
help understand risk culture. One essential
tool, appropriately named the ABC model, asserts that while [risk] culture is
hard to change in itself, if you understand that behaviour drives [risk] culture
and attitudes in turn drive behaviour then you can start to understand,
influence and control attitudes, with beneficial outcomes in [risk] culture.
One contributor made the contrast between the ethics of care
and the ethics of obedience, which essentially showed that people care less at
work than at home because of the need for obedience while at work. To illustrate this point, an example was given
of a large organisation that had 34,000 rules (imagine the poor folk who had
the job of counting them!).
A rather liberating perspective was expressed when one
person noted that risk management won’t avoid another banking system failure by
creating more processes or building controls for the last crisis; instead, resilience
would be achieved through an effective risk culture. When controls fail, you will be reliant on
the risk culture of your organisation.
Naturally, as with modern risk thinking, there is an upside
and downside perspective to risk culture.
Practitioners need to ask whether culture stops the organisation from
doing things better. For example, one
test of culture is how long it takes to do something in an organisation compared
with the need or requirement. It was
suggested that an understanding of the social activities (culture) is needed
alongside a good technical competency in order for a project to be successful.
In summary, the work from the IRM is going to be a very
useful input to our own work on organisational resilience and the role of
culture in achieving it. The paper from
the IRM will be out for consultation between 20th July and 10th
August – and BCI members are invited to respond (look out for notices in the
BCI eBulletin). The final paper is
expected to be published in October 2012.